# Security checklist - developing a website

This is a design checklist: things you should keep in mind while developing websites.

## User inputs

| Check | Description |
|---|---|
| | User inputs are checked for type, length and content. |
| | User inputs used in arithmetic operations are checked and validated against minimum and maximum values. |
| | All user inputs are validated on the server side as well as on the client side. |
| | Values stored in hidden form fields are validated properly. |
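The four rows above, carried through in code as an added example (it is not code from the original page or from any product it describes). The field names, the quantity limit of 1000, the username pattern and the `lookupPrice` callback are all assumptions made for illustration; the point is that the server re-checks type, length, content and range itself, and treats a hidden field as untrusted input rather than as agreed state. Client-side validation is still useful for usability but is not relied on here.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example: server-side validation helpers for the "User inputs" checks.
// Field names and limits are constructed for illustration only.
public static class InputValidation
{
    // Business maximum for a quantity field (assumed value).
    private const int MaxQuantity = 1000;

    // Quantity: length check first, then a strict integer parse (digits only,
    // no sign or whitespace), then the minimum/maximum range check.
    public static bool TryParseQuantity(string raw, out int quantity)
    {
        quantity = 0;
        if (string.IsNullOrWhiteSpace(raw) || raw.Length > 6)
        {
            return false; // length
        }
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out quantity))
        {
            return false; // type
        }
        return quantity >= 1 && quantity <= MaxQuantity; // minimum and maximum
    }

    // Username: content restricted to an explicit character whitelist and a sane length.
    private static readonly Regex UsernamePattern =
        new Regex(@"^[A-Za-z0-9_.-]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUsername(string raw)
    {
        return raw != null && UsernamePattern.IsMatch(raw);
    }

    // Hidden form field: the product id it carries is parsed like any other input,
    // and the price is re-read from server-side data (the lookupPrice callback is a
    // hypothetical catalogue lookup) instead of being taken from the form.
    public static bool TryResolveProduct(string hiddenProductId,
                                         Func<int, decimal?> lookupPrice,
                                         out decimal price)
    {
        price = 0m;
        if (!int.TryParse(hiddenProductId, NumberStyles.None, CultureInfo.InvariantCulture, out int id))
        {
            return false; // not an id at all
        }
        decimal? serverPrice = lookupPrice(id);
        if (serverPrice == null)
        {
            return false; // unknown or tampered id
        }
        price = serverPrice.Value;
        return true;
    }

    // Arithmetic on validated values. decimal throws OverflowException rather than
    // wrapping silently, and the range check above keeps the product small anyway.
    public static decimal ComputeTotal(decimal unitPrice, int quantity)
    {
        if (quantity < 1 || quantity > MaxQuantity)
        {
            throw new ArgumentOutOfRangeException(nameof(quantity));
        }
        return unitPrice * quantity;
    }
}
```

A typical call site parses the raw form values with `TryParseQuantity` and `TryResolveProduct`, rejects the request if either returns false, and only then calls `ComputeTotal`.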
## Attack prevention

| Check | Description |
|---|---|
| | **Cross-site scripting** |
| | User inputs are escaped and validated. |
| | Content is encoded before it is rendered on a page. |
| | Strings from external sources are encoded using the HTMLHelper.HTMLEncode() method. |
| | URL parameters are sanitized using the QueryHelper.GetText() method. |
| | Values from external sources rendered as part of JavaScript code are encoded using ScriptHelper.GetString(). |
| | Cookies are configured as HttpOnly. |
| | **SQL injection** |
| | SQL parameters are used for the dynamic parts of SELECT, INSERT, UPDATE and DELETE queries. |
| | The exec() function is not used in SQL code. |
| | **Cross-site request forgery** |
| | Actions are performed using POST requests, not GET. |
| | View state MAC validation is enabled globally in the web.config file. |
| | **LDAP injection** |
| | User inputs for LDAP queries are sanitized before execution. |
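Context-aware output encoding, the point of the cross-site scripting rows, as an added example that is not the page's or the product's own code. The table names HTMLHelper.HTMLEncode(), QueryHelper.GetText() and ScriptHelper.GetString() for this job; to stay self-contained, the example uses the .NET base-class equivalents (`WebUtility.HtmlEncode`, `JavaScriptEncoder`, `Uri.EscapeDataString`) and a `System.Web` cookie, and the `RenderGreeting`/`RenderInlineScript` fragments are constructed for illustration. The key idea is that the encoder is chosen by where the value lands (HTML body, JavaScript string, URL query), not by where it came from.

```csharp
using System;
using System.Net;
using System.Text.Encodings.Web;
using System.Web;

// Added example: one encoder per output context. Not the page's own helpers;
// the fragments below are constructed for illustration.
public static class OutputEncoding
{
    // HTML text and attribute context: < > & " ' become entities.
    public static string ForHtml(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // JavaScript string-literal context: the default encoder escapes quotes, backslash,
    // '<' and '>' as \uXXXX, so a value cannot break out of the literal or close a
    // <script> element. Quotes are added here so the result is a complete literal.
    public static string ForJavaScriptString(string untrusted)
    {
        return "'" + JavaScriptEncoder.Default.Encode(untrusted ?? string.Empty) + "'";
    }

    // URL query-value context: percent-encode everything outside the unreserved set.
    public static string ForUrlQuery(string untrusted)
    {
        return Uri.EscapeDataString(untrusted ?? string.Empty);
    }

    // Example fragments (constructed). The same displayName is encoded differently
    // depending on the context it is emitted into.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + ForHtml(displayName) + "</p>";
    }

    public static string RenderInlineScript(string displayName)
    {
        return "<script>var user = " + ForJavaScriptString(displayName) + ";</script>";
    }

    public static string RenderProfileLink(string displayName)
    {
        // Encoded once for the URL, then again for the attribute it sits in.
        string href = "/profile?name=" + ForUrlQuery(displayName);
        return "<a href=\"" + ForHtml(href) + "\">profile</a>";
    }

    // Cookie row: HttpOnly keeps the cookie out of document.cookie; Secure restricts
    // it to HTTPS. System.Web (ASP.NET Framework) API, assumed to be the hosting stack.
    public static HttpCookie CreateSessionCookie(string name, string value)
    {
        return new HttpCookie(name, value)
        {
            HttpOnly = true,
            Secure = true
        };
    }
}
```

With an input such as `"><script>alert(1)</script>` the HTML path yields entities only, and the JavaScript path yields a literal in which every `<`, `>` and quote is a `\uXXXX` escape, so neither fragment gains a new element or statement.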
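The SQL injection and LDAP injection rows, as an added example (not the page's or the product's own code). The `Users` table, the column names and the LDAP filter shape are constructed for illustration. The SQL side shows the concatenated statement the checklist forbids next to the parameterized form; the LDAP side escapes the five filter metacharacters defined by RFC 4515 before the value is placed in a search filter, which is the "sanitized before execution" step.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example: parameterized SQL and LDAP filter escaping.
// Table, column and attribute names are constructed for illustration.
public static class QueryBuilding
{
    // What the checklist forbids: the value becomes part of the statement text,
    // so a quote character in userName changes the query itself.
    public static string BuildUnsafeUserQuery(string userName)
    {
        return "SELECT UserID FROM Users WHERE UserName = '" + userName + "'";
    }

    // The parameterized form: the statement text is fixed and the value travels
    // as a typed parameter, so it is never parsed as SQL.
    public static int? FindUserId(SqlConnection connection, string userName)
    {
        const string sql = "SELECT UserID FROM Users WHERE UserName = @userName";
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 100).Value = userName;
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value
                ? (int?)null
                : Convert.ToInt32(result);
        }
    }

    // Same rule for a write: UPDATE with parameters for every dynamic part.
    public static int RenameUser(SqlConnection connection, int userId, string newName)
    {
        const string sql = "UPDATE Users SET UserName = @newName WHERE UserID = @id";
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@newName", SqlDbType.NVarChar, 100).Value = newName;
            command.Parameters.Add("@id", SqlDbType.Int).Value = userId;
            return command.ExecuteNonQuery();
        }
    }

    // LDAP: RFC 4515 escaping for a value used inside a search filter.
    // Without this, '*' or ')' in the input changes the filter's meaning.
    public static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder((value ?? string.Empty).Length);
        foreach (char c in value ?? string.Empty)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static string BuildUserFilter(string accountName)
    {
        // Attribute names are constructed; the escaping is the point.
        return "(&(objectClass=user)(sAMAccountName=" + EscapeLdapFilterValue(accountName) + "))";
    }
}
```

For an account name of `*)(objectClass=*` the escaped filter becomes `(&(objectClass=user)(sAMAccountName=\2a\29\28objectClass=\2a))`, a literal comparison rather than a rewritten filter.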
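The two cross-site request forgery rows applied to an ASP.NET Web Forms page, as an added example that is not the page's own code. It assumes the `System.Web` hosting stack and a base page class (`CsrfProtectedPage`, a constructed name) that real pages derive from. `ViewStateUserKey` ties the view state MAC to the current session, which only has effect when `enableViewStateMac` is on in web.config (the `<pages enableViewStateMac="true" />` setting is standard ASP.NET, shown in a comment); `RequirePost` is the defence-in-depth check that a state-changing handler was reached by POST.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: a base page applying the CSRF rows from the table.
// CsrfProtectedPage is a constructed name; derive real pages from it.
public class CsrfProtectedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Bind the view state MAC to this session so view state captured from another
        // session does not validate. Works together with the global web.config setting:
        //   <system.web><pages enableViewStateMac="true" /></system.web>
        if (Context.Session != null)
        {
            ViewStateUserKey = Context.Session.SessionID;
        }
    }

    // Call at the top of any handler that changes state. Returns true when the
    // request arrived by POST; otherwise answers 405 and ends the request.
    protected bool RequirePost()
    {
        if (string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
        Response.StatusCode = 405;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
        return false;
    }
}
```

A handler then starts with `if (!RequirePost()) return;` before touching data, and links that merely navigate stay as GET.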
## Other issues

| Check | Description |
|---|---|
| | User accounts are secured against all types of attacks. |
| | Error messages in the UI are configured so that they show only basic information; full details are logged only to the Event log. |
| | **File upload** |
| | Name, length, type and content of files are checked upon file upload. |
| | **Logging** |
| | All critical activities in the website are logged. |
| | The website does not allow unhandled exceptions to occur. |
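The file upload row and the error-message/logging rows, as an added example (not the page's or the product's own code). The size limit, the allowed extensions and their leading-byte signatures are constructed for illustration, and `logToEventLog` stands in for whatever event-log writer the site uses. The upload check looks at all four properties the row names, with the content check comparing the file's first bytes against the signature expected for its extension; the error handler logs the full exception server-side and returns only a short message with a reference id to the user.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example: upload validation and safe error reporting.
// Limits, signatures and the log callback are constructed for illustration.
public static class UploadValidation
{
    private const long MaxBytes = 2 * 1024 * 1024; // assumed limit
    private const int MaxNameLength = 100;

    // Extension -> expected leading bytes (magic numbers) for the types allowed here.
    private static readonly Dictionary<string, byte[]> AllowedSignatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },
        };

    public static bool IsAcceptable(string clientFileName, Stream content, out string reason)
    {
        reason = null;

        // Name: drop any directory part the client sent, then whitelist characters.
        string name = Path.GetFileName(clientFileName ?? string.Empty);
        if (name.Length == 0 || name.Length > MaxNameLength ||
            name.Any(ch => !(char.IsLetterOrDigit(ch) || ch == '.' || ch == '-' || ch == '_')))
        {
            reason = "invalid file name";
            return false;
        }

        // Type: the extension must be on the allow list.
        string ext = Path.GetExtension(name);
        if (!AllowedSignatures.TryGetValue(ext, out byte[] magic))
        {
            reason = "file type not allowed";
            return false;
        }

        // Length: enforce the size limit before reading.
        if (content.Length == 0 || content.Length > MaxBytes)
        {
            reason = "file is empty or too large";
            return false;
        }

        // Content: the leading bytes must match what the extension claims.
        byte[] header = new byte[magic.Length];
        int read = content.Read(header, 0, header.Length);
        content.Position = 0;
        if (read < magic.Length || !header.SequenceEqual(magic))
        {
            reason = "file content does not match its type";
            return false;
        }
        return true;
    }
}

public static class SafeErrorHandling
{
    // Full details go to the log (logToEventLog is a hypothetical writer); the user
    // sees a generic message plus a reference id that support can search for.
    public static string Handle(Exception ex, Action<string> logToEventLog)
    {
        string reference = Guid.NewGuid().ToString("N");
        logToEventLog("[" + reference + "] " + ex);
        return "An error occurred. Reference: " + reference;
    }
}
```

Wiring `SafeErrorHandling.Handle` into the application-level error event (for example `Application_Error` in Global.asax) is how "no unhandled exceptions" and "only basic information in the UI" end up being the same mechanism.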