Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward.


This is a design checklist – things you should keep in mind while developing websites.

User inputs

  User inputs are checked for type, length and content.
  User inputs used in arithmetic operations are checked and validated against minimum and maximum values.
  All user inputs are validated on the server side as well as on the client side.
  Values stored in hidden form fields are validated in the same way as any other user input.
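The following is an added example (not Kentico's own code) of the server-side half of these checks: type and range validation of a numeric field, length and content validation of free text, and validation of a hidden form field that the client could have altered. The control values are passed in as plain strings, and the `isOrderable` lookup is a hypothetical server-side check that replaces trust in the hidden field.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example, not Kentico code. Server-side validation of an order form.
// These checks run on every request regardless of what client-side validators did.
public sealed class OrderInput
{
    public int ProductId;
    public int Quantity;
    public string Note;
}

public static class OrderInputValidator
{
    private const int MinQuantity = 1;     // assumed business limits
    private const int MaxQuantity = 100;
    private const int MaxNoteLength = 500;

    // Content check: only letters, digits, whitespace and basic punctuation in the note.
    private static readonly Regex NoteAllowed = new Regex(@"^[\p{L}\p{N}\s.,!?'\-]*$");

    // Returns null and fills 'result' on success; otherwise returns an error message.
    // 'hiddenProductId' is the value of a hidden form field; 'isOrderable' is a
    // hypothetical server-side lookup that decides whether the id may be ordered.
    public static string Validate(string quantityText, string noteText,
                                  string hiddenProductId, Func<int, bool> isOrderable,
                                  out OrderInput result)
    {
        result = null;

        // Type check, then range check (arithmetic input).
        int quantity;
        if (!int.TryParse((quantityText ?? string.Empty).Trim(), NumberStyles.Integer,
                          CultureInfo.InvariantCulture, out quantity))
            return "Quantity must be a whole number.";
        if (quantity < MinQuantity || quantity > MaxQuantity)
            return "Quantity must be between 1 and 100.";

        // Length check, then content check (free text).
        string note = (noteText ?? string.Empty).Trim();
        if (note.Length > MaxNoteLength)
            return "Note is too long.";
        if (!NoteAllowed.IsMatch(note))
            return "Note contains characters that are not allowed.";

        // Hidden field: validated exactly like visible input, then re-checked
        // against server-side data instead of being trusted.
        int productId;
        if (!int.TryParse((hiddenProductId ?? string.Empty).Trim(), NumberStyles.Integer,
                          CultureInfo.InvariantCulture, out productId)
            || productId <= 0 || !isOrderable(productId))
            return "Invalid product.";

        result = new OrderInput { ProductId = productId, Quantity = quantity, Note = note };
        return null;
    }
}
```

In a Web Forms button handler the call would be `OrderInputValidator.Validate(txtQuantity.Text, txtNote.Text, hdnProductId.Value, ProductCatalog.IsOrderable, out input)` (control and catalog names hypothetical); a non-null return value is shown to the user and the action is not performed.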

Attack preventions

Cross-site scripting
 User inputs are escaped and validated.
 Content is encoded before it is rendered on a page.
 Strings from external sources are encoded using the HTMLHelper.HTMLEncode() method.
 URL parameters are sanitized using the QueryHelper.GetText() method.
 Values from external sources rendered as part of JavaScript code are encoded using ScriptHelper.GetString().
 Cookies are configured as http-only.
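The following is an added example (not Kentico's own code) of the three encoding contexts listed above in a page code-behind: a URL parameter read through `QueryHelper.GetText()`, HTML output encoded with `HTMLHelper.HTMLEncode()`, and the same value embedded in JavaScript through `ScriptHelper.GetString()`. The `CMS.GlobalHelper` namespace and the `ltlHeading` control are assumptions.

```csharp
using System;
using System.Web.UI;
using CMS.GlobalHelper; // assumed namespace of HTMLHelper, QueryHelper and ScriptHelper in Kentico 7

// Added example, not Kentico code. Rendering a search term safely in two contexts.
public partial class SearchResults : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. URL parameter: read and sanitize ?q=... instead of using Request.QueryString directly.
        string query = QueryHelper.GetText("q", string.Empty);

        // 2. HTML context: encode before the value becomes part of the page.
        //    Vulnerable form: ltlHeading.Text = "Results for " + Request.QueryString["q"];
        ltlHeading.Text = "Results for " + HTMLHelper.HTMLEncode(query);

        // 3. JavaScript context: HTML encoding is not sufficient inside a <script> block.
        //    ScriptHelper.GetString() returns a quoted, JavaScript-escaped string literal,
        //    so a quote or </script> sequence in the input stays inside the literal.
        //    Vulnerable form: "var lastQuery = '" + query + "';"
        string script = "var lastQuery = " + ScriptHelper.GetString(query) + ";";
        ClientScript.RegisterStartupScript(GetType(), "lastQuery", script, true);
    }
}
```

The rule of thumb the block illustrates: pick the encoder by the context the value lands in (HTML body, attribute, JavaScript), not by where the value came from.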
SQL injection
 SQL parameters are used for the dynamic parts of SELECT, INSERT, UPDATE and DELETE queries.
 The exec() function is not used in the SQL code.
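The following is an added example (not Kentico's own code) contrasting a concatenated query with a parameterized one using plain ADO.NET; the `CustomTable_Contact` table and its columns are hypothetical. It also covers the LIKE edge case, because parameters alone do not stop `%` and `_` in the input from acting as wildcards.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not Kentico code. Table and column names are hypothetical.
public static class ContactRepository
{
    // VULNERABLE: the user-supplied value becomes part of the SQL text, so a quote
    // character in it ends the string literal and the rest is parsed as SQL.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT ContactID, FirstName, LastName FROM CustomTable_Contact " +
               "WHERE LastName = '" + lastName + "'";
    }

    // SAFE: the SQL text is constant; the value travels as a typed parameter and
    // is never interpreted as part of the statement.
    public static List<string> FindByLastName(string connectionString, string lastName)
    {
        const string sql = "SELECT ContactID, FirstName, LastName FROM CustomTable_Contact " +
                           "WHERE LastName = @LastName";
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 200).Value = lastName ?? string.Empty;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(1) + " " + reader.GetString(2));
            }
        }
        return names;
    }

    // LIKE searches: parameters prevent injection, but wildcard characters in the
    // input must still be escaped or a single '%' matches every row.
    public static string EscapeLikePattern(string input)
    {
        return (input ?? string.Empty)
            .Replace("[", "[[]")
            .Replace("%", "[%]")
            .Replace("_", "[_]");
    }

    public static List<string> FindByLastNamePrefix(string connectionString, string prefix)
    {
        const string sql = "SELECT ContactID, FirstName, LastName FROM CustomTable_Contact " +
                           "WHERE LastName LIKE @Pattern";
        var names = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200).Value = EscapeLikePattern(prefix) + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(1) + " " + reader.GetString(2));
            }
        }
        return names;
    }
}
```

The same principle applies when a query is passed through Kentico's own data layer: the query text stays fixed and user values are supplied as named parameters rather than concatenated.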
Cross-site request forgery
 State-changing actions are performed using POST requests, not GET requests.

View state MAC validation is enabled globally in the web.config file:

<pages enableViewStateMac="true" />
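The fragment below is an added example (not a web.config shipped with Kentico) showing where the `<pages>` element sits, together with the http-only cookie setting from the cross-site scripting section; `requireSSL` is included as an assumption that the site is served over HTTPS and must be omitted otherwise.

```xml
<configuration>
  <system.web>
    <!-- Added example, not Kentico's shipped configuration. -->
    <!-- View state MAC validation (cross-site request forgery section). -->
    <pages enableViewStateMac="true" />
    <!-- Cookies are configured as http-only (cross-site scripting section).
         requireSSL="true" assumes the site is served over HTTPS only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

View state MAC validation ties a postback to a view state the server produced; on its own it does not bind that view state to a particular user, so the POST-only rule above still applies to every state-changing action.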
LDAP injection
 User inputs for LDAP queries are sanitized before execution.
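The following is an added example (not Kentico's own code) of sanitizing a value before it is placed in an LDAP search filter, using the RFC 4515 escaping rules; the directory path and attribute names are hypothetical.

```csharp
using System.DirectoryServices;
using System.Text;

// Added example, not Kentico code. Escapes user input before it is embedded in an
// LDAP search filter so the input cannot change the filter's structure.
public static class LdapLookup
{
    // Characters with special meaning in a filter (RFC 4515) are replaced by \XX hex escapes.
    public static string EscapeFilterValue(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static string BuildUserFilter(string userName)
    {
        // Unsanitized form: "(&(objectClass=user)(sAMAccountName=" + userName + "))"
        // A '*' or ')' in userName would widen or restructure the filter.
        return "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(userName) + "))";
    }

    // ldapPath is e.g. "LDAP://dc=example,dc=local" (hypothetical).
    public static SearchResult FindUser(string ldapPath, string userName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = BuildUserFilter(userName);
            searcher.PropertiesToLoad.Add("mail");
            return searcher.FindOne();
        }
    }
}
```

`EscapeFilterValue("a*b")` yields `a\2ab`, so the filter matches the literal account name only. Values used to build a distinguished name (rather than a filter) follow different escaping rules (RFC 4514) and need a separate routine.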

Other issues

 User accounts are secured against all types of attacks.
 Error messages in the UI are configured to show only basic information; the full details are logged only to the Event log.
File upload
 Name, length, type and content of files are checked upon file upload.
 All critical activities within the application are logged.
 The web application does not allow unhandled exceptions to occur.
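The following is an added example (not Kentico's own code) of the four file upload checks from the checklist: file name, length, type by extension, and content by comparing the leading bytes with the signature expected for that type. The allowed extensions and size limit are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;

// Added example, not Kentico code. Validates an uploaded file before it is stored.
public static class UploadValidator
{
    private const int MaxBytes = 2 * 1024 * 1024; // assumed 2 MB limit
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".jpeg", ".pdf" };

    // Leading bytes ("magic numbers") of the allowed types.
    private static readonly byte[] Png  = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
    private static readonly byte[] Jpeg = { 0xFF, 0xD8, 0xFF };
    private static readonly byte[] Pdf  = { 0x25, 0x50, 0x44, 0x46 }; // "%PDF"

    // Returns null if the file is acceptable, otherwise the reason for rejection.
    public static string Validate(string clientFileName, long length, Stream content)
    {
        // Name: keep only the final path component (the client name may contain directories).
        string name = Path.GetFileName(clientFileName ?? string.Empty);
        if (name.Length == 0 || name.Length > 100) return "Invalid file name.";

        // Type: allow-list of extensions.
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) return "File type is not allowed.";

        // Length
        if (length <= 0 || length > MaxBytes) return "File is empty or too large.";

        // Content: the declared extension must match the actual bytes.
        byte[] head = ReadHead(content, 8);
        bool matches;
        switch (ext)
        {
            case ".png":  matches = StartsWith(head, Png);  break;
            case ".jpg":
            case ".jpeg": matches = StartsWith(head, Jpeg); break;
            case ".pdf":  matches = StartsWith(head, Pdf);  break;
            default:      matches = false;                  break;
        }
        return matches ? null : "File content does not match its extension.";
    }

    // Reads up to 'count' bytes, looping because Read() may return fewer than requested.
    private static byte[] ReadHead(Stream stream, int count)
    {
        byte[] buffer = new byte[count];
        int total = 0;
        while (total < count)
        {
            int read = stream.Read(buffer, total, count - total);
            if (read <= 0) break;
            total += read;
        }
        Array.Resize(ref buffer, total);
        return buffer;
    }

    private static bool StartsWith(byte[] buffer, byte[] signature)
    {
        if (buffer.Length < signature.Length) return false;
        for (int i = 0; i < signature.Length; i++)
            if (buffer[i] != signature[i]) return false;
        return true;
    }

    // Web Forms entry point: 'posted' is the PostedFile of a FileUpload control.
    public static string ValidatePosted(HttpPostedFile posted)
    {
        if (posted == null) return "No file uploaded.";
        return Validate(posted.FileName, posted.ContentLength, posted.InputStream);
    }
}
```

After validation the file should be stored under a server-generated name outside the web root or in a location that does not execute scripts; the client-supplied name is used only for the checks above and for display after encoding.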