ASP.NET MVC Security Check List

Use the AntiXSS NuGet package - or not as it appears to be very broken and abandoned at the moment.

Review all views ensure that all <form> elements contain a @Html.AntiForgeryToken().

Review all POST controller actions and ensure that have the [ValidateAntiForgeryToken] (a standard filter attribute) and [IsPostedFromThisSite] (a custom filter attribute).

Review all GET controller actions and ensure that they are idempotent (i.e. have no side-effects).

Ensure that the Web.config file contains <httpCookies domain=“” httpOnlyCookies=“true” requireSSL=“false” /> (prevents JavaScript from accessing cookies).

Review all models and ensure each has a [Bind(Include=“Foo, Bar”)] attribute.

(MVC 1 & 2) Review all controller action methods and ensure all return Redirect(url); method calls are preceded by a IsLocalUrl(url) check and failures are logged.

(Preferred) Use ELMAH and in the machine.config of the web server (found at %windir%\Microsoft\.NET\Framework\<frameworkversion>\Config), switch on 'retail':

<system.web>
  <deployment retail="true" />
</system.web>

This will set customErrors mode to On and disable trace output and debug. It can not be overridden by the Web.config.

(Acceptable) Use ELMAH and in the Web.config set customErrors mode to On:

<system.web>
  <customErrors defaultRedirect="GenericError.html" mode="On">
    <error statusCode="500" redirect="InternalError.html"/>
  </customErrors>
<system.web>

Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked public - all others must be protected or private.