Always identify any source of user input, including all references to the Request object.
Carefully identify other indirect or less obvious sources of input.
Always assign filtered user input to variables to distinguish it from the raw data.
When using VB.NET, use Option Explicit and Option Strict.
Use centralized filtering functions on all user input.
Never use the generic Request collection when gathering user input; read from the specific collection you expect (Request.QueryString, Request.Form, Request.Cookies) so an attacker cannot supply a value through a channel you did not anticipate.
Use validator controls to validate form input if a page posts back to itself.
Never rely on client-side validation for security.
Use regular expressions to allow only known good data wherever the expected format can be defined; fall back to blocking known bad data only when an allow list is impractical.
Use regular expressions to identify malicious keywords or other patterns, and treat a match as a reason to reject and log the request rather than to clean it up.
Reflect (canonicalize) paths and other data using trusted system functions such as Path.GetFullPath before making any decision on them, to prevent attacks such as directory traversal.
Always work with the reflected path in subsequent operations, never with the original string.
Use HtmlEncode to encode a string for browser output.
Use UrlEncode to encode a URL string for output.
Use UrlPathEncode to encode the path portion of a URL for output.
Use hashes to encapsulate data for safe handling when you only need to refer to the data (for example, a stored file name derived from user input) rather than use its contents.
Convert hashes to hex values to create safe alphanumeric strings that contain only the characters 0-9 and a-f, whatever the original input contained.
Use parameterizing to fix the context and scope of user data.
Combine parameterization with other techniques to prevent directory traversal.
Use double decoding to detect multiple layers of encoding: decode the value, decode the result again, and compare; if the second pass changes the string, the request was encoded more than once.
Reject all requests that contain more than one layer of encoding; legitimate clients encode once, and an extra layer is a sign of an attempt to slip past filters that decode only once.
Check the final syntax of any string that is based on user input to be sure it matches the expected format.
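The input-handling items above (specific Request collections, a centralized filter, allow-list regular expressions, double-decoding detection, reflecting the path, hex-encoded hashes, and context-specific output encoding) as one added example in C#. This is illustration code, not code from the page or from any project it describes; the SafeInput class, the BaseDirectory location and the "file" query-string parameter are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not code from the page). SafeInput, BaseDirectory and the
// "file" query-string parameter are assumptions made for the illustration.
public static class SafeInput
{
    // Allow list: a bare file name with an optional extension. No slashes,
    // no "..", no percent signs. \z (not $) so a trailing newline cannot pass.
    private static readonly Regex FileNamePattern =
        new Regex(@"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?\z", RegexOptions.Compiled);

    // The only directory the page may serve files from (assumed). The trailing
    // separator matters: it stops "downloads-old\" from passing the prefix test.
    private static readonly string BaseDirectory =
        Path.GetFullPath(@"C:\inetpub\appdata\downloads\");

    // Double-decoding check. ASP.NET has already URL-decoded the value once when
    // it populated Request.QueryString; if decoding it again changes it, the
    // client sent an extra layer of encoding (e.g. %252e%252e for "..").
    public static bool HasExtraEncodingLayer(string decodedOnce)
    {
        string decodedTwice = HttpUtility.UrlDecode(decodedOnce);
        return !string.Equals(decodedOnce, decodedTwice, StringComparison.Ordinal);
    }

    // Centralized filter for the "file" parameter. Reads from the specific
    // collection, not Request["file"], so a cookie or form field cannot supply it.
    // Callers keep the returned value in its own variable so it is never
    // confused with raw request data.
    public static string FilteredFileName(HttpRequest request)
    {
        string raw = request.QueryString["file"];
        if (raw == null || HasExtraEncodingLayer(raw) || !FileNamePattern.IsMatch(raw))
            throw new HttpException(400, "Bad request");
        return raw;
    }

    // Reflect (canonicalize) with a trusted system function, then check the
    // final syntax: the canonical path must still lie under BaseDirectory.
    // Every later file operation uses the returned canonical path, not the input.
    public static string ResolveDownloadPath(string filteredFileName)
    {
        string canonical = Path.GetFullPath(Path.Combine(BaseDirectory, filteredFileName));
        if (!canonical.StartsWith(BaseDirectory, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "Forbidden");
        return canonical;
    }

    // Encapsulate arbitrary user data in a hash and render it as hex, giving a
    // string that contains only [0-9a-f]. Use this when you need an identifier
    // derived from the input (a stored file name, a cache key), not the input itself.
    public static string ToHexToken(string data)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(data));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Output encoding, one function per context.
    public static string ForHtml(string s)       => HttpUtility.HtmlEncode(s);
    public static string ForQueryValue(string s) => HttpUtility.UrlEncode(s);
    public static string ForUrlPath(string s)    => HttpUtility.UrlPathEncode(s);
}

// Usage from a page, with the filtered value and the canonical path in their own variables:
//   string filteredFile = SafeInput.FilteredFileName(Request);
//   string downloadPath = SafeInput.ResolveDownloadPath(filteredFile);
//   Response.Write("<a href=\"download.aspx?file=" + SafeInput.ForQueryValue(filteredFile) + "\">"
//                  + SafeInput.ForHtml(filteredFile) + "</a>");
```

Two caveats a practitioner should keep in mind: HttpUtility.UrlDecode also turns "+" into a space, so HasExtraEncodingLayer would reject a value that legitimately contains "+" (the allow list above never admits one, so that is intended here); and Request.RawUrl is not decoded by ASP.NET, so applying the same check there needs two explicit decodes rather than one.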
Take advantage of the robust error handling features in ASP.NET.
Check return results to be sure they are consistent with what you expected.
Use honey drops (decoy records that no legitimate query ever returns) in your database to detect SQL injection attacks.
Use honey drops in your file system to detect file system access.
Use honey drops in your source code to detect server-side code access.
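The database and file-system honey drops, together with the parameterization and result-checking items above, as one added C# example. This is illustration code, not code from the page; the HoneyDrop class, the Users table layout, the marker value and the honey file path are assumptions. A source-code honey drop (a unique string you can later search for in traffic or on the web) needs no code and is not shown.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web;

// Added example (not code from the page). HoneyDrop, the Users table layout,
// the marker value and the honey file path are assumptions for the illustration.
public static class HoneyDrop
{
    // Database honey drop: a decoy row inserted once into Users. No application
    // query ever asks for it by key, so if it shows up in a result set the WHERE
    // clause was widened by something other than the application (e.g. "' OR 1=1--").
    public const string Marker = "honey-user-do-not-use";

    // File-system honey drop: a decoy file no page ever serves (assumed path).
    public static readonly string HoneyFile = @"C:\inetpub\appdata\downloads\backup.zip.old";

    public static bool ResultContainsMarker(DataTable rows, string column)
    {
        foreach (DataRow row in rows.Rows)
            if (Marker.Equals(row[column] as string, StringComparison.Ordinal))
                return true;
        return false;
    }

    // Parameterized lookup: the user name is bound as data, so it cannot change
    // the scope of the statement. The honey drop and the row-count check are a
    // second layer that catches injection elsewhere in the code base, or a
    // parameter that someone later concatenated by mistake.
    public static DataTable LookupUser(SqlConnection conn, string filteredUserName)
    {
        var rows = new DataTable();
        using (var cmd = new SqlCommand(
            "SELECT UserName, Email FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = filteredUserName;
            using (SqlDataReader reader = cmd.ExecuteReader())
                rows.Load(reader);
        }

        // Check the result against what the query can legitimately return:
        // at most one row for a unique key, and never the decoy.
        if (rows.Rows.Count > 1 || ResultContainsMarker(rows, "UserName"))
        {
            Alert("SQL injection suspected: honey drop or unexpected row count in user lookup");
            throw new HttpException(403, "Forbidden");
        }
        return rows;
    }

    // Call with the canonical (reflected) path before opening any file for a client.
    public static void CheckFileAccess(string canonicalPath)
    {
        if (string.Equals(canonicalPath, HoneyFile, StringComparison.OrdinalIgnoreCase))
        {
            Alert("Honey file requested: " + canonicalPath);
            throw new HttpException(403, "Forbidden");
        }
    }

    // Where the alert goes is a deployment choice; Trace keeps the example
    // self-contained and feeds whatever listeners web.config configures.
    private static void Alert(string message) => Trace.TraceWarning(message);
}
```

The marker must be something no real user could register (reserve it in the registration filter) and the check must run on every code path that reads the table, or the decoy only covers the one query you remembered to instrument.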
Reduce the attack surface of the application to limit exposure to hackers.
Don’t show query string parameters if you do not use them in a particular context.
Remove testing, debug, and dead code from production applications.
If possible, use static content in application demos.
Limit access to administration or other private modules.
Remove sample code and programs from production servers.
Avoid or carefully audit third-party components.
Use the principle of least privilege to limit the access of Web users.
Avoid storing passwords, private comments, or other sensitive information in server-side code.
Use the MaxRequestEntityAllowed and AspMaxRequestEntityAllowed IIS metabase settings to limit the overall length of a request body.
Use the MaxFieldLength, MaxRequestBytes, UrlSegmentMaxLength, and UrlSegmentMaxCount HTTP.sys registry values (under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) to limit the length of specific parts of a request; changes take effect only after the HTTP service is restarted.
Use the EnableNonUTF8 and PercentUAllowed registry keys in the same location to limit the characters accepted in a request URL: set them to 0 to reject non-UTF-8 URLs and %uXXXX encoding respectively.
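An added C# audit of the HTTP.sys registry values named in the last two items, not code from the page. The default values are the documented HTTP.sys defaults; the tighter targets are this example's own suggestions and should be adjusted to the largest legitimate request the application receives. The metabase properties in the preceding item live in the IIS metabase rather than the registry and are not read here.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example (not code from the page): reports the effective HTTP.sys request
// limits and flags any that are looser than a suggested target. Defaults and
// targets are assumptions of this example.
public static class HttpSysLimits
{
    private const string KeyPath = @"SYSTEM\CurrentControlSet\Services\HTTP\Parameters";

    private struct Limit
    {
        public int Default;    // value HTTP.sys uses when the entry is absent
        public int Tighter;    // suggested value; lower (or 0 for the flags) is stricter
        public string Meaning;
        public Limit(int d, int t, string m) { Default = d; Tighter = t; Meaning = m; }
    }

    private static readonly Dictionary<string, Limit> Limits = new Dictionary<string, Limit>
    {
        { "MaxFieldLength",      new Limit(16384, 8192, "max bytes in one header") },
        { "MaxRequestBytes",     new Limit(16384, 8192, "max bytes in request line plus headers") },
        { "UrlSegmentMaxLength", new Limit(260,   128,  "max characters in one URL path segment") },
        { "UrlSegmentMaxCount",  new Limit(255,   32,   "max path segments in a URL") },
        { "EnableNonUTF8",       new Limit(1,     0,    "1 accepts non-UTF-8 URLs, 0 rejects them") },
        { "PercentUAllowed",     new Limit(1,     0,    "1 accepts %uXXXX encoding, 0 rejects it") },
    };

    // One line per setting: name, effective value, ok/loose, meaning.
    // An absent entry means the default is in force.
    public static List<string> Audit()
    {
        var report = new List<string>();
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            foreach (KeyValuePair<string, Limit> entry in Limits)
            {
                object raw = key == null ? null : key.GetValue(entry.Key);
                int effective = raw is int ? (int)raw : entry.Value.Default;
                string state = effective <= entry.Value.Tighter ? "ok" : "loose";
                report.Add(string.Format("{0,-20} {1,6} {2,-6} {3}",
                    entry.Key, effective, state, entry.Value.Meaning));
            }
        }
        return report;
    }

    public static void Main()
    {
        foreach (string line in Audit())
            Console.WriteLine(line);
    }
}
```

Run it as an administrator on the web server. Before tightening MaxFieldLength or MaxRequestBytes, measure real traffic: integrated Windows authentication sends Kerberos tokens of several kilobytes in the Authorization header, and a limit below that silently breaks logon for some users. After changing any of these values, restart the HTTP service, not just the IIS worker processes.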