This content cannot be displayed without JavaScript.
Please enable JavaScript and reload the page.

Security checklist - development phase

Concept| Copy page link | Get HelpService ID

Core
MVC 5

✖

General security recommendations

Protect your application against the OWASP top 10 most common web attacks.
For AI-based applications, make sure to protect them against the OWASP top 10 most common attacks for LLM applications.

Input validation and data handling

Validate all user input for type, length, format, and allowed characters.
Rely primarily on server-side validation. Use client-side validation only to improve UX.
Avoid relying on client-side data for security decisions.
Use the provided Xperience API (ObjectQuery API, Content item query API, ContentRetriever API and others) to prevent SQL injection and other data manipulation attacks.
Protect sensitive endpoints against CSRF attacks.

Authentication and authorization

Use modern authentication methods like single-sign-on or passwordless.
Enforce multi-factor authentication (MFA) for admin and other privileged accounts.
Define roles based on the least privilege principle and actual usage patterns. Scope permissions narrowly to what users truly need for their tasks and avoid granting overpowered or broad access rights.
Rotate and securely store API keys and secrets using Azure Key Vault or similar.

AI security

Strip sensitive data before sending it to external AI APIs.
Validate and sanitize AI-generated content before rendering it.
Implement prompt injection defenses by restricting user-controlled input in AI prompts.
Log AI interactions for auditing and anomaly detection.
Ensure compliance with data privacy laws when sending data to AI services.

File upload security

Validate file type, size and content upon upload.
Store uploaded files outside the web root.

Error handling and logging

Show generic error messages to users.
Avoid exposing stack traces and sensitive information in the production environment.
Log authentication attempts and critical actions.
Configure and use common logging logic across the whole application.
Avoid excessive logging of high-frequency events (e.g., public endpoints) to prevent log bloat.

Compliance and privacy

Implement GDPR / CCPA compliance for user data.
Encrypt sensitive data both at rest and in transit.
Provide clear privacy and AI usage policies.