IIS Web Application Security Checklist
- Add this to the web.config:
All data is transferred over https://
Applications with Users
Hashed (not encrypted) passwords. Hash with SHA-256.
If cookies are used, they must be secured.
Applications with Users creating, updating, or deleting data
SQL Injection is prevented
- Query parameterization
- Stored Procedures
- String parsing/replacing is not enough.
To create, update, or delete data, use a <form> tag with a specified method [GET/POST].
- No GET forms update data
- If the GET request returns an HTML form that does a POST, provide an antiforgery token (or some alternative to protect against CSRF).
- Validate the antiforgery token before doing any data processing.
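The following is an added example (not part of this checklist) of a single data-updating endpoint that satisfies both the SQL injection items and the form/antiforgery items above, written for ASP.NET MVC 5 on IIS. It assumes System.Data.SqlClient, a Notes table with Id and Title columns, a connection string named "AppDb" in web.config, and a Razor view at Views/Notes/Edit.cshtml; all of these are hypothetical.

```csharp
// Added example, not from the checklist page. Assumes ASP.NET MVC 5 on IIS,
// System.Data.SqlClient, and a connection string named "AppDb" in web.config.
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;
public class NoteModel
{
    public int Id { get; set; }
    public string Title { get; set; }
}
public class NotesController : Controller
{
    // GET /Notes/Edit/5 only reads data and returns the form; it never updates.
    // The Razor view (Views/Notes/Edit.cshtml) emits a POST form plus the token:
    //   @using (Html.BeginForm("Edit", "Notes", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.HiddenFor(m => m.Id)
    //       @Html.TextBoxFor(m => m.Title)
    //       <button type="submit">Save</button>
    //   }
    [HttpGet]
    public ActionResult Edit(int id)
    {
        return View(new NoteModel { Id = id });
    }
    // POST only. The antiforgery token is validated by the framework before this
    // action body runs; a missing or mismatched token throws HttpAntiForgeryException.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(NoteModel model)
    {
        var connStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("UPDATE Notes SET Title = @Title WHERE Id = @Id", conn))
        {
            // Parameterized query: user input is bound as a typed value and is never
            // concatenated into the SQL text, so it cannot alter the statement.
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = model.Title ?? string.Empty;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = model.Id;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        return RedirectToAction("Edit", new { id = model.Id });
    }
}
```

The same pattern applies to INSERT and DELETE actions: mark them [HttpPost] with [ValidateAntiForgeryToken], and pass every user-supplied value as a SqlParameter rather than building the SQL string.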
Actively guard against XSS
- For example: All of Bootstrap 3.x is vulnerable to an XSS attack via the data-target attribute it uses for some features. Luckily, you can use the jQuery API to achieve the same effect. CTRL+F your project/solution for data-target. It should ONLY be found in Scripts\bootstrap.js and Scripts\bootstrap.min.js.
Last modified: 2018/11/28 16:19:26.091711 US/Eastern by
Created: 2018/11/28 15:51:40.741851 US/Eastern by seth.r.kania.1.