====== ASP.NET MVC Security Check List ======

===== Threat: Cross-Site Scripting =====

  * Use the [[http://wpl.codeplex.com|AntiXSS]] NuGet package - or not, as it appears to be very broken and abandoned at the moment.
  * Review all views and ensure that content is correctly encoded. As the Razor engine HTML-encodes by default, look for:
    * Any use of ''@Html.Raw()'' and ensure that there is no possible way a malicious user could inject anything into it.
    * Any use of ''@...'' inside JavaScript code. This should be encoded with the ''@Encoder.JavaScriptEncode()'' method.

===== Threat: Cross-Site Request Forgery =====

  * Review all views and ensure that all ''<form>'' elements contain an ''@Html.AntiForgeryToken()''.
  * Review all POST controller actions and ensure that they have the ''[ValidateAntiForgeryToken]'' (a standard filter attribute) and ''[IsPostedFromThisSite]'' (a custom filter attribute).
  * Review all GET controller actions and ensure that they are //idempotent// (i.e. have no side-effects).

===== Threat: Cookie Theft =====

  * Ensure that the ''Web.config'' file contains ''<httpCookies httpOnlyCookies="true" />'' (prevents JavaScript from accessing cookies).

===== Threat: Over-Posting =====

  * Review all models and ensure each has a ''[Bind(Include="Foo, Bar")]'' attribute.

===== Threat: Open Redirection =====

  * (MVC 1 & 2) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by an ''IsLocalUrl(url)'' check and failures are logged.
  * (MVC 3+) Either:
    * (Preferred) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by an ''IsLocalUrl(url)'' check and failures are logged.
    * (Acceptable) Review all controller action methods and ensure no ''return Redirect(url);'' method calls exist (they should be replaced by ''return RedirectToLocal(url);'').

===== Threat: Stack Trace Leakage =====

  * (Preferred) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''machine.config'' of the web server (found at ''%windir%\Microsoft\.NET\Framework\\Config''), switch on 'retail' (''<deployment retail="true" />'' inside ''<system.web>''). This will set ''customErrors'' mode to On and disable trace output and debug. It cannot be overridden by the ''Web.config''.
  * (Acceptable) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''Web.config'' set ''customErrors'' mode to On: ''<customErrors mode="On" />''.

===== General =====

  * Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked ''public'' - all others must be ''protected'' or ''private''.
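An added example, not part of the original checklist, showing how the Open Redirection and Over-Posting items look in one controller: a private ''IsLocalUrl'' helper for MVC 1 & 2 (on MVC 3+ the built-in ''Url.IsLocalUrl(url)'' does the same job), a ''RedirectToLocal'' that logs rejected targets before falling back to a safe action, and a model with a ''[Bind(Include=...)]'' whitelist. The model fields, the ''LogOn'' action and the ''Home/Index'' fallback are assumptions.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Model with an explicit binding whitelist, so any extra posted fields
// (over-posting) are ignored. Field names are assumed for this example.
[Bind(Include = "UserName, Password, RememberMe")]
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // Local-URL test for MVC 1 & 2, which lack Url.IsLocalUrl(). Only a path
    // rooted with a single "/" (or an app-relative "~/" path) counts as local;
    // "//host/..." and "/\host/..." are scheme-relative URLs that browsers
    // resolve to a different host, so they are rejected.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Replacement for a bare "return Redirect(url);": the check runs before
    // every redirect and a rejected target is logged, as the checklist requires.
    private ActionResult RedirectToLocal(string url)
    {
        if (IsLocalUrl(url))
            return Redirect(url);
        Trace.TraceWarning("Rejected non-local redirect to '{0}' from {1}",
                           url, Request.UserHostAddress);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // pairs with @Html.AntiForgeryToken() in the view
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);
        // Authentication itself is omitted; it is not what this example shows.
        return RedirectToLocal(returnUrl);
    }
}
```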