This is an old revision of the document!

ASP.NET MVC Security Check List

Threat: Cross-Site Scripting

Use the AntiXSS NuGet package - or not as it appears to be very broken and abandoned at the moment.
Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:
- Any use of @Html.Raw() and ensure that there is no possible way a malicious user could inject anything into it.
- Any use of @… in JavaScript code. This should be encoded with the @Encoder.JavaScriptEncode() method.

Review all views ensure that all <form> elements contain a @Html.AntiForgeryToken().
Review all POST controller actions and ensure that have the [ValidateAntiForgeryToken] (a standard filter attribute) and [IsPostedFromThisSite] (a custom filter attribute).
Review all GET controller actions and ensure that they are idempotent (i.e. have no side-effects).

Ensure that the Web.config file contains <httpCookies domain=“” httpOnlyCookies=“true” requireSSL=“false” /> (prevents JavaScript from accessing cookies).

(MVC 1 & 2) Review all controller action methods and ensure all return Redirect(url); method calls are preceded by a IsLocalUrl(url) check and failures are logged.
(MVC 3+) Either:
- (Preferred) Review all controller action methods and ensure all return Redirect(url); method calls are preceded by a IsLocalUrl(url) check and failures are logged.
- (Acceptable) Review all controller action methods and ensure no return Redirect(url); method calls exist (they should be replaced by return RedirectToLocal(url);).

Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked public - all others must be protected or private.