
Sanjay Uttam on ASP.NET MVC security checklist

Make sure that you HtmlEncode every field that comes from the DB or was entered by a user before it is rendered. Blackhat version of this: try to save something malicious (e.g. <script>alert('hi');</script>) to the DB. With request validation (ValidateInput) on, the request should fail on the way in (GET or POST). If it is off, or a user finds an encoding that ValidateInput does not catch, HtmlEncode should still stop the script from executing when the value is rendered. Never rely on ValidateInput alone: it matches only a handful of patterns, while encoding at output is what actually makes the browser treat the text as data rather than markup. Note that HtmlEncode covers HTML element and quoted-attribute context only; a value dropped into a script block or a URL needs that context's encoder instead.
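The two layers described above, as an added example in ASP.NET MVC (System.Web.Mvc); this is not code from the original post. The Comment model, CommentsController and ICommentRepository are hypothetical names used only to show where request validation and output encoding sit.

```csharp
// Added example, not code from the original post. Assumes a System.Web.Mvc project;
// Comment, ICommentRepository and CommentsController are illustrative names.
using System.Web;
using System.Web.Mvc;

public class Comment
{
    public int Id { get; set; }
    public string Body { get; set; }
}

public interface ICommentRepository
{
    void Save(Comment comment);
    Comment Get(int id);
}

public class CommentsController : Controller
{
    private readonly ICommentRepository _repo;

    // Assumes the repository is supplied by your DI container.
    public CommentsController(ICommentRepository repo) { _repo = repo; }

    // Layer 1: request validation (ValidateInput) is ON by default.
    // A POST whose Body contains <script>alert('hi');</script> never reaches this
    // method: ASP.NET throws HttpRequestValidationException ("A potentially
    // dangerous Request.Form value was detected from the client") before binding.
    // It only looks for a few patterns (e.g. '<' followed by a letter), so treat it
    // as a tripwire, not as the control.
    [HttpPost]
    public ActionResult Create(Comment comment)
    {
        // Store the raw value. Encoding belongs at the output boundary, because the
        // same string may later be emitted into HTML, JSON or an e-mail, each with
        // a different encoding rule.
        _repo.Save(comment);
        return RedirectToAction("Show", new { id = comment.Id });
    }

    // Only when an action genuinely needs markup, switch validation off for THAT
    // action (never site-wide). From here on, output encoding is the only defence.
    // On ASP.NET 4 this attribute is honoured only if web.config also has
    // <httpRuntime requestValidationMode="2.0" />.
    [HttpPost, ValidateInput(false)]
    public ActionResult CreateRichText(Comment comment)
    {
        _repo.Save(comment);
        return RedirectToAction("Show", new { id = comment.Id });
    }

    public ActionResult Show(int id)
    {
        return View(_repo.Get(id));
    }
}

// Layer 2: encode at render time, in the HTML context the value lands in.
// HtmlEncode turns every '<' and '>' into &lt; and &gt; (and, on .NET 4 and later,
// a single quote into &#39;), so the browser displays the payload instead of
// executing it.
public static class CommentHtml
{
    public static string Paragraph(Comment comment)
    {
        return "<p>" + HttpUtility.HtmlEncode(comment.Body) + "</p>";
    }
}

/* The same rule in the view (Show.aspx, WebForms view engine):

       <%= Html.Encode(Model.Body) %>   // safe: encoded on output
       <%= Model.Body %>                // XSS: raw string written into the page

   With Razor, @Model.Body encodes automatically; @Html.Raw(Model.Body) does not.
   Blackhat check: post the payload to CreateRichText, open Show, and confirm that
   "View Source" shows &lt;script&gt;, not <script>.
*/
```

The point of keeping the stored value raw and encoding in the view is that the encoder is chosen by where the value is going; HtmlEncode is the right one for this paragraph, but the same Body written into a JavaScript string literal or a URL would need HttpUtility.JavaScriptStringEncode or UrlEncode respectively.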

Unless you're actually using them, remove the default controllers, views and routes that the MVC project template generates (e.g. AccountController and its Register/LogOn/ChangePassword views). Every unused endpoint is attack surface nobody has reviewed.

Getting more general here: make sure HttpOnly is set on your cookies (the HttpOnly property on HttpCookie, or httpOnlyCookies="true" under <httpCookies> in web.config so it applies site-wide). A browser will then refuse to expose the cookie through document.cookie, so an injected script cannot read and exfiltrate the session or authentication cookie. It does not stop that script from making requests that carry the cookie, so it limits the damage of an XSS hole rather than closing it.
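The weak and corrected cookie settings side by side, as an added example that is not part of the original post. The cookie name "prefs" and PrefsController are assumed; the web.config fragment is the real <httpCookies> element.

```csharp
// Added example, not code from the original post. PrefsController and the cookie
// name "prefs" are illustrative; the web.config element below is the real one.
using System.Web;
using System.Web.Mvc;

public class PrefsController : Controller
{
    public ActionResult Remember(string theme)
    {
        // Weak: no HttpOnly, so document.cookie inside any injected script can read
        // it, and no Secure, so it also travels over plain HTTP.
        // var cookie = new HttpCookie("prefs", theme);

        // Fixed: HttpOnly keeps the cookie out of document.cookie; Secure keeps it
        // off unencrypted connections (the site must be served over HTTPS).
        var cookie = new HttpCookie("prefs", theme)
        {
            HttpOnly = true,
            Secure = true,
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }
}

/* Site-wide default so that no cookie is missed (web.config, under <system.web>):

     <httpCookies httpOnlyCookies="true" requireSSL="true" />

   Check: the Set-Cookie response header for "prefs" must carry both the
   "secure" and "HttpOnly" attributes, and typing document.cookie in the browser
   console must not list "prefs".
*/
```

Set the web.config default and still set the flags explicitly in code: the config protects cookies you forgot about, and the explicit flags keep the intent visible when the controller is read on its own.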

When you're logging, log the exception (type, message, stack trace) but DO NOT write the raw user input to the DB. Attacker-controlled input in a log table is the same stored-XSS payload again, waiting for whatever admin page or report renders the log, and it may contain passwords or other data that has no business being persisted.

http://blog.sanjayuttam.com
