How to secure an ASP.NET MVC app
This page is an experiment in a new approach to presenting links from the ASP.NET MVC 4 Content Map with more information. In particular, this page contains the Security links from the ASP.NET MVC 4 Content Map. Please add comments (or send me an email) indicating what you think of the content, the way it is presented, and how it compares to the previous approach.
Deploy a Secure ASP.NET MVC app with Membership, OAuth, and SQL Database to a Windows Azure Web Site
This feature article provides a step-by-step tutorial on developing and deploying a secure ASP.NET MVC 4 app to Windows Azure. This tutorial is especially helpful for those who are new to ASP.NET MVC membership and deployment and want a simple end-to-end tutorial. Topics include:
- Authentication and Authorization.
- Using the built in OAuth templates to easily expose Facebook, Twitter, Google, Yahoo, and Microsoft as authentication providers.
- Securing the application with the membership database and adding admin users using the Authorize attribute.
Level: Beginning | Author: Rick Anderson | Date: March 2013 | Content Type: Tutorial | Source: WindowsAzure.com |
Securing your ASP.NET MVC 4 App
This blog post provides an overview of ASP.NET MVC 4 security considerations. Topics include:
- Discussion of why routing and web.config cannot secure an app.
- Using global filters as a best practice to secure an app.
- How to use the new AllowAnonymous attribute.
- SSL considerations.
- Over-Posting/Under-Posting Model Data
- Several good StackOverflow links to security questions.
Level: Intermediate | Author: Rick Anderson | Date: March 2013 | Content Type: Tutorial | Source: Blog |
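The two middle topics of that post, a global AuthorizeAttribute filter with AllowAnonymous opt-outs, as an added example that is not code from the post. FilterConfig and AccountController are the names the MVC 4 project template generates; WebSecurity.Login is the SimpleMembership call the same template uses; everything else here is illustrative.

```csharp
using System.Web.Mvc;
using WebMatrix.WebData;

// Called from Application_Start in Global.asax.cs as
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Deny by default: every action now requires an authenticated user unless it
        // opts out explicitly, so a forgotten [Authorize] on a new controller is no
        // longer a hole.
        filters.Add(new AuthorizeAttribute());
    }
}

public class AccountController : Controller
{
    // The login page must stay reachable for anonymous users, or nobody can sign in.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        // WebSecurity.Login sets the Forms authentication cookie on success.
        if (!ModelState.IsValid || !WebSecurity.Login(userName, password, persistCookie: false))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        // Only follow returnUrl when it is local; a foreign URL here is an open redirect.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // No attribute needed: the global AuthorizeAttribute already covers this action.
    public ActionResult Manage()
    {
        return View();
    }
}
```

The reason a web.config `<location path="Admin">` rule is not a substitute: it matches a literal URL path, while MVC routing can reach the same AdminController action through several URLs (a differently cased path, a trailing slash, a custom route). A filter binds to the action itself, regardless of which URL routed to it.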
Pluralsight video overview of security practices
Created for ASP.NET MVC 3 in 2011, but still an excellent and relevant overview of security. Topics include:
- Authentication and Authorization.
- The ASP.NET membership provider.
- XSS and CSRF.
Level: Intro | Author: K. Scott Allen | Date: 2011 | Content Type: Video | Source: Pluralsight |
XSRF/CSRF Prevention in ASP.NET MVC and Web Pages
This feature article covers cross-site request forgery (also known as XSRF or CSRF). This is an advanced tutorial that explains XSRF vulnerabilities and how to protect against them.
Level: Advanced | Author: Rick Anderson | Date: March 2013 | Content Type: Tutorial | Source: Microsoft |
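The anti-forgery token pattern the article describes, as an added example that is not code from the article. ProfileController and its view are invented for illustration; the site-wide filter and the X-RequestVerificationToken header name are this example's choices, not part of the framework.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

public class ProfileController : Controller
{
    public ActionResult Edit()
    {
        // Edit.cshtml renders the token inside the form:
        //   @using (Html.BeginForm()) {
        //       @Html.AntiForgeryToken()
        //       @Html.TextBox("displayName")
        //       <input type="submit" value="Save" />
        //   }
        // The helper writes a hidden __RequestVerificationToken field and a matching
        // cookie. A cross-site form can submit the field only if it can read the
        // cookie, which the browser's same-origin policy prevents.
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // throws HttpAntiForgeryException when cookie and field do not match
    public ActionResult Edit(string displayName)
    {
        // save displayName for User.Identity.Name (storage omitted)
        return RedirectToAction("Edit");
    }
}

// Fail-closed variant: validate every state-changing verb site-wide so that a missing
// [ValidateAntiForgeryToken] is not a hole. Register it next to the other global filters:
//   filters.Add(new ValidateAntiForgeryTokenOnUnsafeVerbs());
// AJAX callers that do not post a form send the form token in a request header instead.
public sealed class ValidateAntiForgeryTokenOnUnsafeVerbs : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var request = filterContext.HttpContext.Request;

        // GET/HEAD/OPTIONS must not change state, so they carry no token.
        if (IsSafeVerb(request.HttpMethod)) return;

        var headerToken = request.Headers["X-RequestVerificationToken"];
        if (string.IsNullOrEmpty(headerToken))
        {
            AntiForgery.Validate(); // cookie + hidden form field
            return;
        }

        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        AntiForgery.Validate(cookie == null ? null : cookie.Value, headerToken); // cookie + header
    }

    private static bool IsSafeVerb(string method)
    {
        return string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase)
            || string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase)
            || string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase);
    }
}
```

Keeping the per-action attribute on POST actions as well is harmless; the global filter simply guarantees that a new action added later cannot be left unprotected by accident.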
OWASP Top 10 for .NET developers
Although written in 2010, this tutorial is considered essential reading for securing ASP.NET applications.
In this blog post, the top 10 Open Web Application Security Project (OWASP) security risks for .NET developers are detailed. Topics include:
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Level: Advanced | Author: Troy Hunt | Date: May 2010 | Content Type: Tutorial | Source: troyhunt.com |
Using OAuth Providers with MVC 4
This feature article shows you how to build an ASP.NET MVC 4 web application that enables users to log in with credentials from an external provider, such as Facebook, Twitter, Microsoft, or Google.
Level: Intermediate | Author: Tom FitzMacken | Date: November 2012 | Content Type: Tutorial | Source: Microsoft |
Hack-Proofing Your ASP.NET Applications
The article covers the following topics:
- SQL Injection
- Parameter Tampering
- MVC Model Binding and the [Bind(Exclude)] attribute.
Level: Intermediate | Author: K. Adam Tuliper | Date: December 2011 | Content Type: MSDN Magazine | Source: MSDN Magazine |
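Over-posting, parameter tampering and [Bind(Exclude)], the topics listed for this article and for the blog post above, as one added example that is not code from either source. User, IUserRepository and UsersController are invented for illustration.

```csharp
using System.Web.Mvc;

public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; } // must never be settable from a form post
}

// Minimal storage abstraction so the example is self-contained.
public interface IUserRepository
{
    User Find(int id);
    User FindByName(string userName);
    void Save(User user);
}

[Authorize]
public class UsersController : Controller
{
    private readonly IUserRepository _users;

    public UsersController(IUserRepository users)
    {
        _users = users;
    }

    // OVER-POSTING: the default binder maps every public settable property, so a body of
    // "Id=7&DisplayName=x&IsAdmin=true" (crafted with a proxy, not via the real form)
    // silently grants admin. The Id field is also parameter tampering: the client
    // chooses whose record gets overwritten.
    [HttpPost]
    public ActionResult EditUnsafe(User user)
    {
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // Fix 1: blacklist with [Bind(Exclude)]. Closes the IsAdmin hole, but every sensitive
    // property added to User later must be remembered here, and Id is still client-chosen.
    [HttpPost]
    public ActionResult EditExclude([Bind(Exclude = "IsAdmin")] User user)
    {
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // Fix 2 (preferred): load the caller's own record from the identity, never from a
    // posted id, then bind only a whitelist of properties onto it.
    [HttpPost]
    public ActionResult Edit()
    {
        var existing = _users.FindByName(User.Identity.Name);
        if (existing == null) return HttpNotFound();

        if (TryUpdateModel(existing, new[] { "DisplayName", "Email" }))
        {
            _users.Save(existing);
            return RedirectToAction("Index");
        }
        return View(existing);
    }
}
```

A view model that contains only the editable fields achieves the same whitelist at the type level and is the cleanest option when the form and the entity diverge.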
Securing your ASP.NET MVC App
This article covers the following topics:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
Level: Intermediate | Author: Adam Tuliper | Date: March 2013 | Content Type: MSDN Magazine | Source: MSDN Magazine |
How to Create an Intranet Site Using ASP.NET MVC
Created for ASP.NET MVC 3 in 2011, but still an excellent and applicable end-to-end tutorial on creating an MVC intranet site using Windows authentication. Topics include:
- Domain membership.
- Authentication and Authorization.
- The ASP.NET membership provider.
- XSS and CSRF.
Level: Intro | Author: Rick Anderson | Date: 2011 | Content Type: Tutorial | Source: MSDN |
ASP.NET MVC Value Provider for encrypted query string
The blog covers the following topics:
- Avoiding manual query string decryption.
- Model binding with encrypted query strings.
- Forcing query strings to be encrypted.
Level: Advanced | Author: Nandip Makwana | Date: December 2011 | Content Type: Blog | Source: Blog |
The HaaHa Show: Microsoft ASP.NET MVC Security with Haack and Hanselman
This video covers the following topics:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- JSON Hijacking
Level: Intermediate | Author: Phil Haack and Scott Hanselman | Date: November 2011 | Content Type: Video | Source: channel9.msdn.com |
Claims-aware user identity in ASP.NET
This blog post shows how to replace ASP.NET Forms authentication with the Windows Identity Foundation (WIF) session authentication module (SAM) to enable a claims-aware identity.
Level: Advanced | Author: Brock Allen | Date: Jan 2013 | Content Type: Blog | Source: brockallen.com/ |
Adding custom roles to windows roles in ASP.NET
This blog post shows how to add custom roles to Windows roles.
Level: Advanced | Author: Brock Allen | Date: Jan 2013 | Content Type: Blog | Source: brockallen.com/ |
Creating a Custom Route Constraint
This article shows how to create a custom route constraint that prevents a route from being matched when a browser request is made from a remote computer. Although dated, the routing information is still relevant to ASP.NET MVC 4.
Level: Intermediate | Author: Stephen Walther | Date: February 2009 | Content Type: Tutorial | Source: www.asp.net |
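The local-only route constraint described above, as an added example written for MVC 4 rather than code from the article. LocalhostConstraint, the route names and AdminController are this example's own; RouteConfig is the class the MVC 4 template generates.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public sealed class LocalhostConstraint : IRouteConstraint
{
    public bool Match(HttpContextBase httpContext, Route route, string parameterName,
                      RouteValueDictionary values, RouteDirection routeDirection)
    {
        // Only gate incoming requests; let Html.ActionLink still generate URLs for the route.
        if (routeDirection == RouteDirection.UrlGeneration) return true;

        // IsLocal is true for loopback or when the client address equals the server's own.
        // Behind a reverse proxy or load balancer on the same machine it is true for every
        // client, so the check is meaningless in such deployments.
        return httpContext.Request.IsLocal;
    }
}

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        // An IRouteConstraint in the constraints object is evaluated for any key,
        // even one that is not a URL parameter.
        routes.MapRoute(
            name: "AdminLocalOnly",
            url: "Admin/{action}/{id}",
            defaults: new { controller = "Admin", action = "Index", id = UrlParameter.Optional },
            constraints: new { local = new LocalhostConstraint() });

        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}

// A remote request for /Admin/Index fails the AdminLocalOnly constraint but still matches
// Default, which dispatches to AdminController anyway. Routing is not authorization, so
// the controller must protect itself.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

This is the concrete form of the warning in the "Securing your ASP.NET MVC 4 App" entry: a constraint only decides which route matches, and a catch-all route will usually reach the same controller by another path.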