Chapter 9. Securing Your Application
Let's face it: Security isn't sexy. Most of the time when you read a chapter on security it's either underwritten or very, very overbearing. The good news for you is that we the authors read these books, too — a lot of them — and we're quite aware that we're lucky to have you as a reader, and we're not about to abuse that trust. In short, we really want this chapter to be informative because it's very important!
This chapter is one you absolutely must read, as ASP.NET MVC doesn't have as many automatic protections as ASP.NET Web Forms does to secure your page against malicious users. To be perfectly clear: ASP.NET Web Forms tries hard to protect you from a lot of things. For example:
Server Components HTML-encode displayed values and attributes to help prevent XSS attacks.
View State is encrypted and validated to help prevent tampering with form posts.
Request Validation (
@page validaterequest="true"
) intercepts malicious-looking data and offers a warning (this is something that is still turned on by default with ASP.NET MVC).Event Validation helps prevent against injection attacks and posting invalid values.
The transition to ASP.NET MVC means that handling some of these things falls to you — this is scary for some folks, a good thing for others.
If you're of the mind that a framework should "just handle this kind of thing" — well, we agree with you, and there is a framework that does just this: ASP.NET Web Forms, and it does it very well. It comes ...
Get Professional ASP.NET MVC 2 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.