What features do I need to have before I open an ASP.Net app onto the internet?

Views: 156

Problem description



Before I enable access to a new site, what steps should be done to make sure it's secure and "production ready"?

So far I have the following:

  • logging of errors (via ELMAH)
  • SSL is enabled, and I have a redirect from HTTP to HTTPS
  • <customErrors mode="RemoteOnly" />
  • Compiled without Debug

My current tech stack is IIS7 & ASP.Net MVC3.

I'm sure I'm forgetting or not aware of many other items. Any advice?

Solution

  1. Protect against sql injection. Use stored procedures OR parameterized sql statements. You can use dynamic sql - but be very careful and if you do - make sure you use parameterized queries and do not form the sql statements 'inline' by appending variables.

  2. Protect against cross site request forgery (CSRF) by making sure you use Html.AntiForgeryToken

  3. Make sure tracing is turned off

  4. Make sure custom errors is turned on so yellow screens of death (i.e. error details) are not displayed to the client.

  5. Protect against cross site scripting by making sure any output you display in your system from your model, database, etc. is encoded by using <%: syntax on your aspx pages and simply @XXXX on your mvc 3 pages, as mvc3 encodes everything BY DEFAULT which is a great enhancement over past methods.

  6. Make sure there are no test accounts in your database.

  7. Ensure no actions can be performed just by the querystring - for instance passing in /MyApp/DeleteUser/10. Require a post to perform an action, and those posts must use Html.AntiForgeryToken and [ValidateAntiForgeryToken] on your controller

  8. Ensure that any users editing information on your page cannot edit (using a tool like fiddler) a primary key hidden on the page thus changing what record they are editing when they post back the changes. You can hash for instance a CustomerId on the page into a hidden field and compare it upon post to make sure it matches what is in the model.

  9. Visit me at tech ed in atlanta next month for my security talk : )
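As an added example that is not part of the original answer, the hypothetical ASP.NET MVC 3 controller below shows items 1, 2, 7 and 8 from the list in one place: a parameterized `SqlCommand` instead of string-built SQL, state-changing actions restricted to POST with `[HttpPost]` and `[ValidateAntiForgeryToken]` (the matching view emits `@Html.AntiForgeryToken()`), and a hidden primary key that is protected against Fiddler-style tampering. The answer suggests hashing the `CustomerId`; this example uses a keyed HMAC instead, because a plain unkeyed hash could simply be recomputed by the client for any id it wants to substitute. The `HiddenFieldKey` app setting, the `Main` connection string, the `Customers` table and the `CustomerEditModel` type are all assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

// Hypothetical view model; assumed, not from the original answer.
public class CustomerEditModel
{
    public int CustomerId { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
}

public class CustomersController : Controller
{
    // Server-side secret for the hidden-field MAC (assumed to live in web.config <appSettings>).
    // It must never be sent to the browser; that is what stops the client recomputing the value.
    private static readonly byte[] HiddenFieldKey =
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["HiddenFieldKey"]);

    // Item 8: MAC the primary key before writing it into a hidden field on the edit page.
    public static string SignId(int id)
    {
        using (var hmac = new HMACSHA256(HiddenFieldKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(id.ToString())));
    }

    // Item 8: on post back, recompute the MAC and compare it in constant time.
    public static bool IdSignatureIsValid(int id, string signature)
    {
        if (string.IsNullOrEmpty(signature)) return false;
        byte[] expected = Convert.FromBase64String(SignId(id));
        byte[] actual;
        try { actual = Convert.FromBase64String(signature); }
        catch (FormatException) { return false; }
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // GET /Customers/Edit/10 renders the form. The view is expected to contain:
    //   @Html.AntiForgeryToken()
    //   @Html.HiddenFor(m => m.CustomerId)
    //   @Html.Hidden("customerIdSignature", (string)ViewBag.CustomerIdSignature)
    public ActionResult Edit(int id)
    {
        CustomerEditModel model = LoadCustomer(id);
        if (model == null) return HttpNotFound();
        ViewBag.CustomerIdSignature = SignId(id);
        return View(model);
    }

    // Items 2 and 7: the state change happens only on POST and only with a valid anti-forgery token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(CustomerEditModel model, string customerIdSignature)
    {
        // Item 8: a CustomerId that does not match its MAC was edited in the browser or a proxy.
        if (!IdSignatureIsValid(model.CustomerId, customerIdSignature))
            return new HttpStatusCodeResult(400, "Hidden key does not match its signature");
        if (!ModelState.IsValid) return View(model);

        // Item 1: every user-controlled value travels as a typed parameter, never as inline SQL text.
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Main"].ConnectionString))
        using (var cmd = new SqlCommand(
            "UPDATE Customers SET Name = @name, Email = @email WHERE CustomerId = @id", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = model.Name;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = model.Email;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = model.CustomerId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        return RedirectToAction("Index");
    }

    // Item 7: there is deliberately no GET /Customers/Delete/10; a delete needs a POST plus a token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Main"].ConnectionString))
        using (var cmd = new SqlCommand("DELETE FROM Customers WHERE CustomerId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        return RedirectToAction("Index");
    }

    // Parameterized read used by the GET action (item 1 again).
    private static CustomerEditModel LoadCustomer(int id)
    {
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Main"].ConnectionString))
        using (var cmd = new SqlCommand("SELECT Name, Email FROM Customers WHERE CustomerId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                return new CustomerEditModel { CustomerId = id, Name = r.GetString(0), Email = r.GetString(1) };
            }
        }
    }
}
```

The MAC only proves that the server itself rendered this particular `CustomerId`; it does not prove that the current user is allowed to edit that record, so the usual per-user authorization check still belongs in both the GET and the POST action. Items 3 and 4 from the list are configuration rather than code: in `web.config`, `<trace enabled="false" />`, `<customErrors mode="RemoteOnly" />` and `<compilation debug="false" />` under `<system.web>`.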
