Over the last few weeks we had some problems with some of our old web sites, mostly developed using classic ASP, and somebody at the Ceviz.NET forums asked how to develop a secure web site and what our practices are. Below are my practices for developing a secure web site, in the order they come to my mind:
- I use client-side UI validation (ASP.NET validators) only to respond to the user quicker; I don't trust client-side UI validation, but I am using it
- Every input (QueryString, Cookies, Form elements) is validated on the server side
- Each layer has its own validation (UI, BAL, DAL)
- I try to use one validation class to handle the validations in the project
- I don't use direct SQL commands; I try to use ORMs such as SubSonic, and if I can't because of the nature of the project, I create my own DB layer and always use stored procedures
- I never use dbo permission to access the DB
- If there is membership involved in the project, I don't rewrite my own membership classes; I use the one provided by the framework
- I use health monitoring to track the app
- I use a certificate on the login page
- I encrypt personal info in the database
- I assume that somebody can easily see my source code, so I try not to leave a back door in the code
Any other ideas?
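The first practices in the list (validate every request value on the server side through one shared validation class, and never splice user input into SQL text) are easiest to see side by side in code. The following is an added, language-neutral illustration written for this post; it is not ASP.NET or SubSonic code and not the original poster's. It uses Python's built-in sqlite3 as a stand-in for the database layer, the `InputValidator` class, `handle_request` and `find_user*` functions are hypothetical names, and the user rows are constructed sample data. The "unsafe" lookup is kept only to show why the parameterized one is preferred: a perfectly legitimate name containing an apostrophe breaks the concatenated query, while the bound parameter treats it as a plain literal.

```python
import re
import sqlite3
from typing import Any, Mapping


class InputValidator:
    """One allowlist validator shared by every layer (UI, BAL, DAL).

    Hypothetical helper for this illustration; each method either returns a
    normalised value of the expected type or raises ValueError.
    """

    # Letters first, then letters/digits/apostrophe/underscore/hyphen, 3-32 chars.
    _USERNAME = re.compile(r"^[A-Za-z][A-Za-z0-9'_-]{2,31}$")

    @staticmethod
    def username(value: Any) -> str:
        if not isinstance(value, str) or not InputValidator._USERNAME.fullmatch(value):
            raise ValueError("invalid username")
        return value

    @staticmethod
    def positive_int(value: Any, upper: int = 1_000_000) -> int:
        # Query string and form values always arrive as text; convert explicitly
        # and reject anything that is not a bounded positive integer.
        try:
            number = int(str(value), 10)
        except (TypeError, ValueError):
            raise ValueError("not an integer") from None
        if not 1 <= number <= upper:
            raise ValueError("out of range")
        return number


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the post avoids: user input concatenated into the SQL text.

    Even harmless input such as o'neil produces a malformed statement here.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """DB-layer lookup: the value is bound as a parameter, never part of the SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, query: Mapping[str, str]) -> dict:
    """Server-side entry point: validate the query string first, then call the DB layer.

    Returns a small response dict (status plus rows or error) instead of an
    HTTP response so the behaviour is easy to check.
    """
    try:
        name = InputValidator.username(query.get("name"))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "rows": find_user(conn, name)}


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"name": "alice"}))   # 200, one row
    print(handle_request(db, {"name": "o'neil"}))  # 200, no rows, no SQL error
    print(handle_request(db, {}))                  # 400, missing name
```

Note that the validator runs before the database layer is reached, but the database layer still binds the value as a parameter; each layer keeps its own check, which is the point of the "each layer has its own validation" practice.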