Notes from WSV400: ASP.Net Security Best Practices to Protect Against Hacker Attacks.
This session covered security measures that you can apply right now in the v1.x framework; there were very few items about Whidbey in here. Some of the items were just common sense, and others have been talked about all this year if you have been paying attention to any security articles.
Here are a few items that I thought were good ideas.
- If you're using Forms Authentication and SSL, you can set the requireSSL field to true so that your forms cookies are only transferred over SSL.
- If you're on a mixed SSL site, you can set the secure bit on the session cookie:
- Link to this app that will encrypt credentials and connection strings.
Review list for the production config:
- Make sure <customErrors> is set to RemoteOnly or On
- <compilation> debug is set to false.
- Of course, trace is not enabled.
- You should review the ISAPI filters installed on the server and enable only the ones you need.
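The web.config items above (requireSSL, customErrors, debug, trace) can be checked automatically before a deployment. The script below is an added example, not code from the session or from these notes; the sample config, the function name audit_web_config and the finding messages are constructed for illustration, and it assumes a web.config without an XML namespace and does not follow settings inherited from machine.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config with the weak settings the checklist warns about.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
    <trace enabled="true" />
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>"""

# The same constructed file after applying the checklist.
HARDENED_CONFIG = (WEAK_CONFIG.replace('mode="Off"', 'mode="RemoteOnly"')
                   .replace('debug="true"', 'debug="false"')
                   .replace('enabled="true"', 'enabled="false"')
                   .replace('requireSSL="false"', 'requireSSL="true"'))


def audit_web_config(xml_text):
    """Return a list of findings for the production checklist items."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]

    def attr(path, name, default):
        # ASP.NET uses the default when the element or attribute is absent.
        node = web.find(path)
        value = node.get(name) if node is not None else None
        return (value if value is not None else default).lower()

    findings = []
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors mode is Off")
    if attr("compilation", "debug", "false") == "true":
        findings.append("compilation debug is true")
    if attr("trace", "enabled", "false") == "true":
        findings.append("trace is enabled")
    # requireSSL only matters when Forms Authentication is in use.
    uses_forms = attr("authentication", "mode", "Windows") == "forms"
    if uses_forms and attr("authentication/forms", "requireSSL", "false") != "true":
        findings.append("forms requireSSL is not true")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or "OK")
```

The ISAPI filter review is a server-level setting and is not visible in web.config, so it stays a manual step.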
Those are just a few of the many things that were covered in this session. I believe the slide deck will be up on http://www.asp.net/whidbey/