How to build a secure ASP.NET application: ASP.NET security tips for designing a secure web application

ASP.NET web application security tips

Website security is a major concern for any online business. Here are 10 tips that will help you build a secure web application using the ASP.NET MVC framework.

How to build a secure ASP.NET application

Before going through the points to consider for ASP.NET web application security, let's split the application into three major layers (there could be more): the user interface (GUI), the code-behind or business logic layer, and the data access layer. As web application developers most of us are familiar with these three layers and with the application building process, and we need to make sure every layer is secure enough for end users to consume the application.

Here are some tasks that will help you build a secure ASP.NET application.

  1. Basic UI Form security

    Designing a good user form is the first level of security we can build into the application, so here are some points we should always consider. Keep in mind that anything enforced only in the browser (HTML5 attributes, JavaScript, a disabled button) is for usability: an attacker can bypass it by sending the request directly, so every rule below must be enforced again on the server (in MVC, data annotations on the model plus a ModelState.IsValid check in the action).

    Form input field design: make sure each field accepts exactly the data we want the user to enter, and reject additional characters or a different data type.

    If it is a registration form, first ask for a valid email address or mobile number and send an OTP (one-time password) to it, to make sure the user is genuine.

    Set the maximum length and the format of the data wherever possible; don't let users post unnecessary data.

    Disabling copy and paste is sometimes suggested so that users type each field manually. It adds no real security (the request can be crafted without the browser) and it blocks password managers, so do not do this on password fields.

  2. Always set the form method to POST (method="post"); never carry submitted data on the query string (unless the form is a search box or something similar), because query strings end up in browser history, proxy and server logs, and Referer headers. POST does not hide the data from anyone on the network; only HTTPS does that. Also make sure that GET requests never change state, since a GET can be triggered by a plain link or an image tag.

    Do not allow the user to click the submit or post button multiple times; disable the submit button immediately after the first submit (learn how to prevent multiple form submits in an ASP.NET MVC application). The server still has to cope with duplicate requests, so make the operation idempotent or check for an existing record before inserting.

  3. Implement an anti-forgery token to protect the form from cross-site request forgery (CSRF), where a page on another site makes the victim's browser submit a request to your application with the victim's cookies attached. The small one-line implementation of the anti-forgery token really can help stop this attack; here is how you can implement an anti-forgery token in an ASP.NET MVC form.
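The token has two halves: the view emits it as a hidden field (and a matching cookie), and the POST action validates that both arrive together. The following is an added example for ASP.NET MVC 5, not code from the original post; the controller, action and model names (AccountController, ChangeEmail, ChangeEmailModel) are assumed.

```csharp
// Added example (not from the original post): anti-forgery token in ASP.NET MVC 5.
// Assumed names: AccountController, ChangeEmail action, ChangeEmailModel.

// --- View: Views/Account/ChangeEmail.cshtml ---
// @model ChangeEmailModel
// @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
// {
//     @Html.AntiForgeryToken()   // hidden __RequestVerificationToken + matching cookie
//     @Html.TextBoxFor(m => m.NewEmail)
//     <button type="submit">Save</button>
// }

using System.Web.Mvc;

public class ChangeEmailModel
{
    public string NewEmail { get; set; }
}

[Authorize]
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // Without [ValidateAntiForgeryToken], a page on another site could auto-submit a form
    // to this URL and the browser would attach the victim's session cookie to it.
    // With it, the request fails (HttpAntiForgeryException) unless the hidden field and the
    // cookie were both issued by this application for this user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(ChangeEmailModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ... update the e-mail address for User.Identity.Name here ...
        return RedirectToAction("Index", "Manage");
    }
}
```

Apply the attribute to every action that changes state, not just the ones you think of as sensitive; a forgotten POST is exactly what an attacker looks for. In ASP.NET Core the form tag helper (`<form asp-action="...">`) injects the token automatically and `[AutoValidateAntiforgeryToken]`, registered as a global filter, validates every non-GET request, which removes the per-action step.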

  4. If you are still working on an earlier Web Forms application, try not to depend on ViewState, especially for sensitive data: ViewState is only Base64-encoded unless encryption is turned on, and because the browser posts it back, a captured ViewState can be replayed in a CSRF attack. If you still need it, set ViewStateUserKey so that the ViewState is bound to the current session and a form captured from another user's session fails validation. Never set enableViewStateMac="false", or the framework cannot detect tampering at all.

    protected override void OnInit(EventArgs e) {
        base.OnInit(e);
        // Tie ViewState validation to this user's session: a ViewState blob taken
        // from another session fails MAC validation with a ViewStateException.
        ViewStateUserKey = Session.SessionID;
    }
    
  5. Configuration Security

    Never deploy an application with compilation debug set to true (debug="true") in your web.config file; always make sure the value is false, as in the example below. A debug build disables compiler optimisation and output caching, and it carries the file names and line numbers that make a leaked stack trace far more useful to an attacker.

    <system.web>
        <compilation debug="false" targetFramework="4.5" />
    </system.web>
    
  6. Always make sure tracing is turned off in the config file. Learn more about ASP.NET tracing to know what kind of information it can reveal: every request's headers, cookies, form and server variables, and the full session state, all readable at /trace.axd. If you need it on a server temporarily, add localOnly="true" so that trace.axd is not reachable remotely.

    <system.web>
        <trace enabled="false" localOnly="true" />
    </system.web>
  7. Never reveal your application's real errors to end users; always have an error handling mechanism that logs the actual exception and then shows a user-friendly error page. In web.config set customErrors mode="On" (or "RemoteOnly", which keeps the detailed page for requests made from the server itself) and redirect to standard pages. Keep the error pages simple and make sure they cannot throw themselves, otherwise the framework falls back to its default error page.

    <customErrors mode="On" defaultRedirect="~/error">
      <error statusCode="404" redirect="~/error/page404" />
      <error statusCode="500" redirect="~/error/page500" />
    </customErrors>
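Points 5, 6 and 7 can all be undone by a web.config that is copied from a developer machine. One safety net, shown here as an added example and not from the original post, is the deployment element in machine.config (under %windir%\Microsoft.NET\Framework64\v4.0.30319\Config on a 64-bit server): with retail="true" ASP.NET forces debug off, tracing off and customErrors on for every application on that server, regardless of what their individual web.config files say.

```xml
<!-- Added example (not from the original post): machine.config on the production server.
     retail="true" overrides compilation debug, trace and customErrors for all applications
     on this machine, so a web.config left in a development state cannot re-enable them. -->
<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
```

Keep the explicit settings in web.config as well; retail="true" is a backstop for the production box, not a replacement for shipping the correct configuration.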
    
  8. Never keep database configuration details in plain text in your web.config file. Encrypting individual values, as in the example below, only helps if the key is kept away from the application: anyone who can read web.config can usually read the application binaries too, and will recover a key embedded there. Prefer ASP.NET protected configuration, which encrypts whole sections (typically connectionStrings) with a key held by DPAPI or an RSA key container and decrypts them transparently when the application reads them; it is applied with aspnet_regiis -pef connectionStrings <application path>, adding -prov RSAProtectedConfigurationProvider for web farms where every server must share the key. If you do manage keys yourself, use strong keys that are unique to this application and not shared with any other application deployed on the same server.

    <add key="ServerName" value="207.547.125.13" />
    <add key="SchemaName" value="dbo" />
    <add key="DatabaseName" value="wbFHrLYy58wHLOabhVmkidr0w==" />
    <add key="UserId" value="qI9EbaAw3BJ3qgts3oP1hCB3A==" />
    <add key="Password" value="Dg8trtyu76vANgGgbgVgHT/x3lcg==" />
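The same protection can be applied from code, which is convenient in a deployment step that runs on the target server. This is an added example (not code from the original post); it assumes it runs with write access to web.config and uses the DPAPI provider, whose key is managed by Windows for this machine rather than stored in the application.

```csharp
// Added example (not from the original post): encrypt the <connectionStrings> section of
// web.config with the DPAPI provider so that no key has to live in the application.
// Assumes the code runs once on the target server with write access to web.config.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // DPAPI, machine-scoped key: decryptable on this server only. Use
    // "RsaProtectedConfigurationProvider" with an exported key container for web farms.
    private const string Provider = "DataProtectionConfigurationProvider";

    public static void ProtectConnectionStrings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            return; // already encrypted on this server, nothing to do
        }

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reading is unchanged: the framework decrypts transparently under the
    // application pool identity, so no caller needs to know the section is protected.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        if (cs == null)
        {
            throw new InvalidOperationException(
                "Connection string '" + name + "' is not configured.");
        }
        return cs.ConnectionString;
    }
}
```

After ProtectConnectionStrings() runs, the section in web.config contains only an EncryptedData element; opening the file in an editor shows nothing usable, while ConfigurationManager.ConnectionStrings still returns the clear text to the application.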
    
  9. Database query security considerations

    If you are using an ORM such as NHibernate or Entity Framework you are in better shape than with raw ADO.NET, because queries built through LINQ are always parameterised. That does not mean ADO.NET is bad (it can give better performance), but here are a few points you should consider while writing SQL queries.

    • Never build the SQL text of a SqlCommand from user input, e.g. "insert into table (field1, field2) values ('" + value1 + "', '" + value2 + "')". Pass the values as SqlParameter objects, which sends them to the server separately from the query text.
    • Stored procedures called with CommandType.StoredProcedure are parameterised as well and reduce the chance of SQL injection, but only as long as the procedure itself does not concatenate its arguments into dynamic SQL (EXEC or sp_executesql with a string built at run time).
    • The ORM protects you only where it builds the query. Raw SQL entry points such as Entity Framework's Database.SqlQuery or EF Core's FromSqlRaw are injectable if you concatenate strings; use the overloads that take parameters (FromSqlInterpolated in EF Core).
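The following added example (not code from the original post) puts the injectable pattern beside the two safe forms. The table and column names (Users, Email) and the procedure name usp_CountUsersByEmail are assumed.

```csharp
// Added example (not from the original post). The injectable pattern the text warns about,
// beside the parameterised query and a stored procedure call.
// Assumed schema: table Users with column Email; procedure dbo.usp_CountUsersByEmail(@Email).
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    // VULNERABLE: the e-mail value becomes part of the SQL text.
    // The input   ' OR 1=1 --   turns the WHERE clause into   Email = '' OR 1=1 --'
    // and the count covers every row; other payloads can read or change other tables.
    public static int CountByEmailUnsafe(SqlConnection conn, string email)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Email = '" + email + "'", conn);
        return (int)cmd.ExecuteScalar();
    }

    // SAFE: the value travels as a typed parameter and is never parsed as SQL,
    // so the same input is simply compared literally against the Email column.
    public static int CountByEmail(SqlConnection conn, string email)
    {
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Email = @email", conn))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
            return (int)cmd.ExecuteScalar();
        }
    }

    // Stored procedure call, also parameterised. It is only as safe as the procedure body:
    // a procedure that runs EXEC('... WHERE Email = ''' + @Email + '''') re-introduces
    // the injection on the server side.
    public static int CountByEmailProc(SqlConnection conn, string email)
    {
        using (var cmd = new SqlCommand("dbo.usp_CountUsersByEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Giving the parameter an explicit type and length, as above, also stops over-long input from being sent at all and keeps the query plan stable; it is the ADO.NET equivalent of the max-length rule from point 1.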

  10. If you are using the ASP.NET Core framework, use ASP.NET Core Identity. Identity hashes passwords with PBKDF2 (HMAC-SHA256 with a per-password salt and a configurable iteration count), and you can set a password policy like the example below. Note that RequiredUniqueChars counts distinct characters in the password, and that a very low MaxFailedAccessAttempts lets an attacker lock other users out by guessing against their account, so choose the value with that trade-off in mind.

    Learn more about Identity in ASP.NET Core

    services.Configure<IdentityOptions>(options =>
    {
        // Password settings
        options.Password.RequireDigit = true;
        options.Password.RequiredLength = 10;
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = true;
        options.Password.RequireLowercase = true;
        options.Password.RequiredUniqueChars = 6;
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(20);
        options.Lockout.MaxFailedAccessAttempts = 3;
        options.SignIn.RequireConfirmedEmail = true;
        options.User.RequireUniqueEmail = true;
    });
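The options block above only configures Identity; it still has to be registered, and two more settings are worth hardening at the same time: the PBKDF2 work factor and the authentication cookie. The following is an added example (not code from the original post); ApplicationDbContext is assumed to be the application's EF Core context.

```csharp
// Added example (not from the original post): register Identity with a raised PBKDF2
// work factor and a hardened authentication cookie. ApplicationDbContext is assumed.
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class IdentitySetup
{
    public static void AddHardenedIdentity(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders(); // e-mail confirmation and password reset tokens

        // PBKDF2-HMAC-SHA256 (Identity V3 hash format). Raising IterationCount makes each
        // guess more expensive; hashes stored with a lower count are rehashed on the
        // user's next successful login, so no migration step is needed.
        services.Configure<PasswordHasherOptions>(o =>
        {
            o.CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3;
            o.IterationCount = 100_000;
        });

        // The auth cookie is the session: keep it out of script, off plain HTTP,
        // and out of cross-site requests, and give it a bounded lifetime.
        services.ConfigureApplicationCookie(c =>
        {
            c.Cookie.HttpOnly = true;
            c.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            c.Cookie.SameSite = SameSiteMode.Lax;
            c.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            c.SlidingExpiration = true;
        });
    }
}
```

Call AddHardenedIdentity(services) from ConfigureServices (or on builder.Services in Program.cs) alongside the IdentityOptions block above. SecurePolicy.Always means the cookie is never sent over HTTP, so the site must be served over HTTPS end to end, including any local test environment.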
    

You may be interested to read following posts:

Asp.Net MVC C# Examples | Join Asp.Net MVC Course | Asp.net Core Tutorial