An extremely secure ASP.NET application is having to be written at my work and instead of trawling through the Internet looking for best practices I was wondering as to what considerations and generally what things should be done to ensure a public web application is safe.
一个非常安全的ASP。NET应用程序必须写在我的工作上,而不是在互联网上搜索最佳实践,我想知道应该做什么,以及应该做些什么来确保公共web应用程序是安全的。
Of course we've taken into consideration user/pass combinations but there needs to be a much deeper level than this. I'm talking about every single level and layer of the application i.e.
当然,我们已经考虑了用户/传递组合,但是需要有一个比这个更深的层次。我说的是应用程序的每一层。
- Using URL rewrites
- 使用URL重写
- Masterpages
- Masterpages
- SiteMaps
- 站点地图
- Connection pooling
- 连接池
- Session data
- 会话数据
- Encoding passwords.
- 编码的密码。
- Using stored procedures instead of direct SQL statements
- 使用存储过程而不是直接使用SQL语句
I'm making this a community wiki as there wouldn't be one sole answer which is correct as it's such a vast topic of discussion. I will point out also that this is not my forte by any means and previous security lockdown has been reached via non-public applications.
我把它作为一个社区的维基,因为没有一个唯一的答案是正确的,因为这是一个非常广泛的讨论话题。我还要指出的是,这不是我的任何手段,以前的安全*已经通过非公开的应用。
3 个解决方案
#1
2
That's a bigger toppic than I think you perhaps realise. The best advice is to get someone that already knows who can advise you. Failing that I would start by reading the Microsoft document "Improving Web Application Security: Threats and Countermeasures" but be warned that runs to 919 printed pages.
这幅图比我想象的要大。最好的建议是找一个已经知道谁能给你建议的人。如果做不到这一点,我将首先阅读Microsoft文档“改进Web应用程序安全性:威胁和对策”,但要注意的是,该文档运行到919个打印页面。
#2
2
You should refine the idea of "stored procedures" into just using parameterized queries. That will take care of most of your problems there. You can also restrict fields on the UI and strip out or encode damaging characters like the pesky ';'...
您应该将“存储过程”的概念细化为仅使用参数化查询。这将解决你在那里的大部分问题。你还可以限制用户界面上的字段,去掉或编码诸如“讨厌”之类的破坏性字符。
#3
1
- use forms authentication instead of storing authentication data in session.
- 使用表单身份验证而不是在会话中存储身份验证数据。
- Obviously: Hash passwords. If you want to be very cautious use SHA1 encryption instead of md5.
- 很明显:哈希密码。如果你想要非常小心,使用SHA1加密而不是md5。
#1
2
That's a bigger toppic than I think you perhaps realise. The best advice is to get someone that already knows who can advise you. Failing that I would start by reading the Microsoft document "Improving Web Application Security: Threats and Countermeasures" but be warned that runs to 919 printed pages.
这幅图比我想象的要大。最好的建议是找一个已经知道谁能给你建议的人。如果做不到这一点,我将首先阅读Microsoft文档“改进Web应用程序安全性:威胁和对策”,但要注意的是,该文档运行到919个打印页面。
#2
2
You should refine the idea of "stored procedures" into just using parameterized queries. That will take care of most of your problems there. You can also restrict fields on the UI and strip out or encode damaging characters like the pesky ';'...
您应该将“存储过程”的概念细化为仅使用参数化查询。这将解决你在那里的大部分问题。你还可以限制用户界面上的字段,去掉或编码诸如“讨厌”之类的破坏性字符。
#3
1
- use forms authentication instead of storing authentication data in session.
- 使用表单身份验证而不是在会话中存储身份验证数据。
- Obviously: Hash passwords. If you want to be very cautious use SHA1 encryption instead of md5.
- 很明显:哈希密码。如果你想要非常小心,使用SHA1加密而不是md5。