Backend Framework15 Guides

ASP.NET Security Checklist

A comprehensive guide to securing your ASP.NET application. Covering 15 vulnerability categories with framework-specific code examples and best practices.

ASP.NET Security Best Practices

Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.

Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.

ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.

Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.

Use ASP.NET Identity for authentication with proper password hashing (PBKDF2 by default). Never implement custom password storage.

Configure HTTPS redirection and HSTS in `Program.cs`. Use `app.UseHttpsRedirection()` and `app.UseHsts()` in production.

Use `[Authorize]` attributes and policy-based authorization for route-level and action-level access control.

Implement rate limiting using ASP.NET Core's built-in `RateLimiter` middleware (available from .NET 7+).

Vulnerability Guides for ASP.NET

Critical Severity

SQL Injection

A03:2021 - Injection · CWE-89

Broken Authentication

A07:2021 - Identification and Authentication Failures · CWE-287

Command Injection

A03:2021 - Injection · CWE-78

Insecure Deserialization

A08:2021 - Software and Data Integrity Failures · CWE-502

Row Level Security (RLS) Bypass

A01:2021 - Broken Access Control · CWE-863

High Severity

Cross-Site Scripting (XSS)

A03:2021 - Injection · CWE-79

Cross-Site Request Forgery (CSRF)

A01:2021 - Broken Access Control · CWE-352

Insecure Direct Object References (IDOR)

A01:2021 - Broken Access Control · CWE-639

Sensitive Data Exposure

A02:2021 - Cryptographic Failures · CWE-200

JWT Vulnerabilities

A07:2021 - Identification and Authentication Failures · CWE-347

Path Traversal

A01:2021 - Broken Access Control · CWE-22

Server-Side Request Forgery (SSRF)

A10:2021 - Server-Side Request Forgery · CWE-918

File Upload Vulnerabilities

A04:2021 - Insecure Design · CWE-434

Medium Severity

Security Misconfiguration

A05:2021 - Security Misconfiguration · CWE-16

Missing Rate Limiting

A04:2021 - Insecure Design · CWE-770

Other Framework Guides

Next.js React Vue Nuxt Svelte SvelteKit Remix Express FastAPI Django Ruby on Rails Laravel Spring Boot

Scan Your ASP.NET App

Automatically test your ASP.NET application for all 15 vulnerability categories. Get actionable results in minutes.

Start Free Scan