Security checklist - developing a website

This is a design checklist – things you should keep in mind while developing websites.

User inputs

User inputs are checked for type, length, and content.

User inputs with arithmetic operations are checked and validated for minimum and maximum values.

All user inputs are validated on the server-side as well as on the client-side.

Values stored in hidden form fields are validated properly.
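The four input checks above, worked through in one ASP.NET MVC action. This is an added example, not code from the original checklist: the order form, the OrderController, the product code and the catalogue price are all hypothetical. Type, length, content and numeric range are declared on the view model and enforced by ModelState on the server regardless of any client-side script, and a price posted back from a hidden field is compared with the server's own value instead of being trusted.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example (hypothetical order form); not from the original checklist.
public class OrderViewModel
{
    // Type and length: a required string of at most 32 characters.
    [Required, StringLength(32)]
    public string ProductCode { get; set; }

    // Content: only letters, digits and dashes are accepted.
    [RegularExpression(@"^[A-Za-z0-9-]*$")]
    public string CouponCode { get; set; }

    // Minimum and maximum for a value that feeds arithmetic (quantity * unit price).
    [Range(1, 1000)]
    public int Quantity { get; set; }

    // Posted back from a hidden form field; checked against the server's own value below.
    public decimal UnitPrice { get; set; }
}

public class OrderController : Controller
{
    // Stand-in for a catalogue lookup; the real price never comes from the browser.
    private static decimal? LookUpUnitPrice(string productCode)
    {
        return productCode == "WIDGET-1" ? 9.99m : (decimal?)null;
    }

    [HttpPost]
    public ActionResult Create(OrderViewModel model)
    {
        // Data-annotation rules run here, on the server, whether or not the client
        // ran its own validation script. A non-numeric Quantity also fails binding.
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        decimal? serverPrice = LookUpUnitPrice(model.ProductCode);
        if (serverPrice == null)
        {
            ModelState.AddModelError("ProductCode", "Unknown product.");
            return View(model);
        }

        // Hidden-field check: a tampered price in the form is rejected, not trusted.
        if (model.UnitPrice != serverPrice.Value)
        {
            ModelState.AddModelError("UnitPrice", "Price does not match the catalogue.");
            return View(model);
        }

        // Quantity is already bounded by [Range], so the arithmetic cannot overflow.
        ViewBag.Total = serverPrice.Value * model.Quantity;
        return View("Confirm", model);
    }
}
```

Client-side validation (for example jQuery Unobtrusive Validation generated from the same attributes) improves the user experience, but only the ModelState check in the action is a security control.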

Attack prevention

Cross-site scripting

User inputs are escaped and validated.

Content is encoded before it is rendered on a page.

Strings from external sources are encoded using the HTMLHelper.HTMLEncode() method.

URL parameters are sanitized using the QueryHelper.GetText() method.

Values from external sources rendered as part of JavaScript code are encoded using CMS.Base.Web.UI.ScriptHelper.GetString().

Cookies are configured as HTTP-only.
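The cross-site scripting checks above, shown in the code-behind of a hypothetical Web Forms page. This is an added example, not code from the original checklist or from Kentico: the page class, the two Literal controls (ltlHeading, ltlName) and the database stand-in are assumptions, while HTMLHelper.HTMLEncode, QueryHelper.GetText and ScriptHelper.GetString are the methods the checklist names. Literal.Text is written to the page verbatim, so every external value is encoded for the context it lands in (HTML body or JavaScript) before it is assigned. GetText is assumed to return the parameter already sanitized for HTML, and ScriptHelper.GetString to return a quoted, escaped JavaScript string literal.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using CMS.Base.Web.UI;   // ScriptHelper
using CMS.Helpers;       // HTMLHelper, QueryHelper

// Added example (hypothetical page); not from the original checklist.
public partial class SearchPage : Page
{
    // Normally declared in the designer file; listed here so the example is self-contained.
    protected Literal ltlHeading;
    protected Literal ltlName;

    protected void Page_Load(object sender, EventArgs e)
    {
        // URL parameter: GetText returns the "q" parameter sanitized for HTML output
        // (or the default when it is missing); it is not encoded a second time.
        ltlHeading.Text = "Results for: " + QueryHelper.GetText("q", string.Empty);

        // Other external strings (here a stand-in for a database read) go through HTMLEncode.
        ltlName.Text = HTMLHelper.HTMLEncode(LoadDisplayNameFromDatabase());

        // Inside JavaScript, HTML encoding is the wrong tool: GetString turns the raw value
        // into a quoted, escaped JavaScript string literal.
        string rawQuery = QueryHelper.GetString("q", string.Empty);
        string script = "var lastSearch = " + ScriptHelper.GetString(rawQuery) + ";";
        ClientScript.RegisterStartupScript(GetType(), "lastSearch", script, true);

        // Preference cookie: HttpOnly keeps it out of document.cookie, so a script that
        // did slip through cannot read it.
        Response.Cookies.Add(new HttpCookie("SearchPrefs", "compact")
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });
    }

    private static string LoadDisplayNameFromDatabase()
    {
        return "<b>Mallory</b>";   // constructed sample value; rendered as literal text, not markup
    }
}
```

Setting HttpOnly per cookie is the explicit form; the site-wide equivalent in web.config is httpCookies httpOnlyCookies="true" under system.web. In MVC Razor views the @ syntax HTML-encodes on output, so a value already sanitized by GetText or HTMLEncode should not be passed through @ a second time, and Html.Raw should be reserved for strings that were encoded deliberately.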

SQL injection

SQL parameters are used for dynamic parts of SELECT, INSERT, UPDATE, and DELETE queries.

The exec() function is not used in SQL code.
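The SQL injection checks above as a before/after pair. This is an added example, not code from the original checklist; the Customer table and its columns are hypothetical, and plain System.Data.SqlClient is used so the point does not depend on any particular data layer. The first method builds the query text from the input; the two that follow send the input as typed parameters, so the query text is fixed and the value can only ever be data.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (hypothetical Customer table); not from the original checklist.
public static class CustomerRepository
{
    // BEFORE: the caller's input becomes part of the SQL text. A single quote inside
    // the value ends the string literal and whatever follows is parsed as SQL.
    public static DataTable FindByEmailUnsafe(SqlConnection conn, string email)
    {
        string sql = "SELECT CustomerID, Email FROM Customer WHERE Email = '" + email + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // AFTER: the value travels as a typed parameter; the query text never changes.
    public static DataTable FindByEmail(SqlConnection conn, string email)
    {
        const string sql = "SELECT CustomerID, Email FROM Customer WHERE Email = @Email";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // The same rule for UPDATE: both the new value and the row key are parameters.
    public static int UpdateEmail(SqlConnection conn, int customerId, string newEmail)
    {
        const string sql = "UPDATE Customer SET Email = @Email WHERE CustomerID = @Id";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = newEmail;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = customerId;
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The exec() rule follows from the same idea: once a statement is assembled as a string and handed to exec(), the parameters are gone and the value is text again. Where a dynamic statement really is unavoidable, sp_executesql accepts a parameter list and keeps values out of the statement text.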

Cross-site request forgery

Actions are performed using POST requests, not GET.

The ValidateAntiForgeryToken attribute is added to your action methods, and security tokens are generated by calling the @Html.AntiForgeryToken() method in your views that post to the action methods.
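The two cross-site request forgery checks above, as a before/after pair in ASP.NET MVC. This is an added example, not code from the original checklist; AccountController, the Delete action and the view name are hypothetical. The first action is state-changing but reachable by GET, so any page the signed-in user visits can trigger it and the browser attaches the session cookie automatically. The second accepts POST only and requires a token that matches the one @Html.AntiForgeryToken() placed in the form.

```csharp
using System.Web.Mvc;

// Added example (hypothetical AccountController); not from the original checklist.
public class AccountController : Controller
{
    // BEFORE: a state-changing action reachable by a plain GET request.
    public ActionResult DeleteUnsafe(int id)
    {
        DeleteAccount(id);
        return RedirectToAction("Index");
    }

    // AFTER: POST only, and the request must carry a form token that matches the
    // anti-forgery cookie; a request forged from another site has no such token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        DeleteAccount(id);
        return RedirectToAction("Index");
    }

    private void DeleteAccount(int id)
    {
        // stand-in for the real deletion
    }
}

/* Matching Razor view (Delete.cshtml, hypothetical): the form posts to the action and
   @Html.AntiForgeryToken() emits the hidden token field and sets the companion cookie.

@model int
@using (Html.BeginForm("Delete", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.Hidden("id", Model)
    <button type="submit">Delete account</button>
}
*/
```

Every POST, PUT or DELETE action that changes state gets the attribute; a token in the view without the attribute on the action is not checked at all.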

LDAP injection

User inputs for LDAP queries are sanitized before execution.
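One way to sanitize a value before it goes into an LDAP search filter, as an added example that is not part of the original checklist. The DirectoryEntry root, the attribute names and the LdapLookup class are assumptions about the directory. The escaping follows RFC 4515: the characters that carry meaning inside a filter value are replaced by their backslash-hex forms, so the input can only be matched literally, never parsed as filter syntax; the login name is also constrained in length and character set before escaping.

```csharp
using System.DirectoryServices;
using System.Text;

// Added example (hypothetical directory lookup); not from the original checklist.
public static class LdapLookup
{
    // Escapes the characters RFC 4515 reserves inside a search-filter value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Looks up one account by login name. The input is first constrained (non-empty,
    // bounded length, no whitespace) and then escaped before it is placed in the filter.
    public static SearchResult FindUser(DirectoryEntry root, string loginName)
    {
        if (string.IsNullOrWhiteSpace(loginName) || loginName.Length > 64 || loginName.Contains(" "))
        {
            return null;
        }

        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(loginName) + "))";
            searcher.PropertiesToLoad.Add("displayName");
            return searcher.FindOne();
        }
    }
}
```

Values that end up in a distinguished name rather than a filter need the separate DN escaping rules of RFC 4514; the filter escaping above is not sufficient for that position.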

Unvalidated redirects and forwards

Any custom redirects to URLs obtained from untrusted inputs are validated. The System.Web.Mvc.UrlHelper.IsLocalUrl method is used to validate inputs before performing redirects.
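The redirect check above in the place it is most often needed, a login action with a returnUrl parameter. This is an added example, not code from the original checklist; LoginController and the Authenticate stand-in are hypothetical. Url.IsLocalUrl accepts only a path on the current site and rejects absolute URLs, protocol-relative ones beginning with "//" and the "/\" variant, all of which a plain StartsWith("/") test would let through.

```csharp
using System.Web.Mvc;

// Added example (hypothetical LoginController); not from the original checklist.
public class LoginController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string userName, string password, string returnUrl)
    {
        if (!Authenticate(userName, password))
        {
            ModelState.AddModelError("", "Invalid credentials.");
            return View();
        }
        return RedirectToReturnUrl(returnUrl);
    }

    // Redirects only to a path on this site; anything else falls back to the home page.
    private ActionResult RedirectToReturnUrl(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    private static bool Authenticate(string userName, string password)
    {
        return false; // stand-in; a real site checks against its membership provider
    }
}
```

The fallback matters as much as the check: an invalid returnUrl is replaced by a known-good destination rather than reported back to the user, so the untrusted value never reaches a Location header.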

Other issues

User accounts are secured against all types of attacks.

Error messages in the UI are configured so that they show only basic information; the full details are logged only to the Event log.

File upload

Name, length, type, and content of files are checked upon file upload.

Logging

All critical activities on the website are logged.

The website does not allow unhandled exceptions to occur.
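The file upload, error message, logging and unhandled-exception checks above, combined in one upload action. This is an added example, not code from the original checklist: UploadController, the accepted formats, the size limit and the storage folder are hypothetical, and EventLogProvider.LogException from CMS.EventLog is assumed to be the Kentico event-log API available to the site. Name, length, declared type and actual content (the format's leading bytes) are all checked before the file is stored under a server-generated name; any exception is caught, logged in full, and reported to the user only as a generic message.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using CMS.EventLog;   // EventLogProvider (assumed Kentico API)

// Added example (hypothetical UploadController); not from the original checklist.
public class UploadController : Controller
{
    private const int MaxBytes = 2 * 1024 * 1024;

    // Leading bytes each accepted format must start with.
    private static readonly byte[] PngMagic = { 0x89, 0x50, 0x4E, 0x47 };
    private static readonly byte[] JpegMagic = { 0xFF, 0xD8, 0xFF };

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Image(HttpPostedFileBase file)
    {
        try
        {
            string error = Validate(file);
            if (error != null)
            {
                ModelState.AddModelError("file", error);
                return View();
            }

            // The stored name is generated here; the client's name only supplies the
            // extension, and only after Validate has accepted it.
            string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
            string target = Path.Combine(Server.MapPath("~/App_Data/uploads"), Guid.NewGuid() + ext);
            file.SaveAs(target);
            return RedirectToAction("Done");
        }
        catch (Exception ex)
        {
            // Full details go to the event log; the user sees only a generic message.
            EventLogProvider.LogException("Upload", "IMAGE", ex);
            ModelState.AddModelError("", "The upload could not be processed.");
            return View();
        }
    }

    // Returns null when the file passes every check, otherwise the message for the UI.
    private static string Validate(HttpPostedFileBase file)
    {
        // Length: reject empty and oversized files first, before reading anything.
        if (file == null || file.ContentLength == 0) return "No file was sent.";
        if (file.ContentLength > MaxBytes) return "File is larger than 2 MB.";

        // Name: strip any directory part, then allow only a known extension.
        string name = Path.GetFileName(file.FileName);
        string ext = Path.GetExtension(name).ToLowerInvariant();
        string contentType;
        byte[] magic;
        switch (ext)
        {
            case ".png": contentType = "image/png"; magic = PngMagic; break;
            case ".jpg":
            case ".jpeg": contentType = "image/jpeg"; magic = JpegMagic; break;
            default: return "Only PNG and JPEG files are accepted.";
        }

        // Type: the declared Content-Type must agree with the extension.
        if (!string.Equals(file.ContentType, contentType, StringComparison.OrdinalIgnoreCase))
            return "Content type does not match the file extension.";

        // Content: the first bytes must be the format's signature, whatever the name says.
        var head = new byte[magic.Length];
        file.InputStream.Position = 0;
        int read = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;
        if (read < magic.Length) return "File is not a valid image.";
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return "File is not a valid image.";

        return null;
    }
}
```

The try/catch covers this action; for exceptions that escape any action, customErrors mode="RemoteOnly" in web.config keeps stack traces off remote users' screens while the event log keeps the full record.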