OT: Web Security Guidelines

Old forum URL: forums.lhotka.net/forums/t/1531.aspx


MadGerbil posted on Wednesday, October 18, 2006

Greetings:

I've been thinking about web security - and in particular, things that can be done with the web.config file in order to beef things up a bit. One of the things I've been pounding my head on for two days is setting <trust level="Medium"> but that isn't possible with the use of CSLA (Medium level doesn't allow for reflection). It has been an interesting two days.

Anyways, I'm putting together a little check list of helpful practices so that I don't get burned with anything obvious - I've been reading up on safe practices and I've come up with the following improvements:

1: My business library is now signed.

2: Turn off debugging before publishing the application to the web server.

3: <trace enabled="false" localonly="true">

4: The CustomErrors attribute is set to "RemoteOnly" and I've a redirect page.

5: I've eliminated the serving of unnecessary files with System.Web.HttpForbiddenHandler.

6: All values returned by the web page are filtered and all of them that are saved to the database are handled through parameterized stored procedures.

Anyone else have any good security practices to include?

I'm really bummed about not getting Medium Trust - although, according to what I've read, it really isn't practical, but it would have been nice to have in place.
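A defender-side audit of the web.config items in the checklist above (debug, trace, customErrors, trust level, HttpForbiddenHandler mappings), added here as an example; it is not code from the post or from CSLA. The two config fragments are constructed samples, and the values assumed for absent elements are the ASP.NET shipped defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from the post): one with the
# weak settings the checklist warns about, one hardened per the checklist.
WEAK_CONFIG = """<configuration><system.web>
  <compilation debug="true" />
  <trace enabled="true" localOnly="false" />
  <customErrors mode="Off" />
  <trust level="Full" />
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <compilation debug="false" />
  <trace enabled="false" localOnly="true" />
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  <trust level="Full" />
  <httpHandlers>
    <add path="*.bak" verb="*" type="System.Web.HttpForbiddenHandler" />
    <add path="*.inc" verb="*" type="System.Web.HttpForbiddenHandler" />
  </httpHandlers>
</system.web></configuration>"""

def audit_web_config(xml_text, blocked_extensions=(".bak", ".inc")):
    """Return findings for the checklist items that live under <system.web>."""
    # Absent elements are treated as the ASP.NET shipped defaults (assumed):
    # debug off, trace off, customErrors RemoteOnly, trust Full.
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    def attr(tag, name, default):
        el = web.find(tag)
        return (el.get(name, default) if el is not None else default).lower()
    findings = []
    if attr("compilation", "debug", "false") == "true":
        findings.append('compilation debug="true": disable before publishing')
    if attr("trace", "enabled", "false") == "true":
        findings.append("trace enabled (localOnly=%s): disable in production" % attr("trace", "localOnly", "true"))
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append('customErrors mode="Off": detailed errors reach remote users')
    if attr("trust", "level", "Full") == "full":
        findings.append('trust level="Full" (informational; Medium is not an option with CSLA)')
    # Extensions the post hides via HttpForbiddenHandler; report any not mapped.
    mapped = set()
    handlers = web.find("httpHandlers")
    for add in ([] if handlers is None else handlers.findall("add")):
        if add.get("type", "").endswith("HttpForbiddenHandler"):
            mapped.add(add.get("path", "").lower().lstrip("*"))
    findings.extend("%s not mapped to HttpForbiddenHandler" % ext
                    for ext in blocked_extensions if ext not in mapped)
    return findings
```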

Copyright (c) Marimer LLC