Hacking the Code ASP.NET Web Application Security [Electronic resources]

James C. Foster, Mark M. Burnett


Coding Standards Fast Track

Writing Secure HTML

Constructing Safe HTML

Always encode any HTML output based on dynamic input.

Enforce a specific character set in the web.config file or on a per-page basis.

Use caution with the DHTML innerHTML property, the insertAdjacentElement and insertAdjacentHTML methods, the TEXTAREA element, and the TextArea object. Use innerText rather than innerHTML whenever possible.

Set security restrictions on frame and iframe elements with the Security attribute.

Use POST on forms whenever possible.

Require multi-step transactions with user confirmation.

Verify Referer headers on form POSTs.

Do not allow users to save credentials in cookies.

Use caution when allowing users to enter HTML such as IMG tags or hyperlinks.
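The following code-behind is an added example, not code from the book, that puts several of the points above into one ASP.NET page: the form is accepted only as a POST whose Referer matches the site's own host, dynamic text is HTML-encoded before it reaches the page, and a user-supplied hyperlink is rendered only after its scheme has been checked and its value attribute-encoded. The page class, the control names (CommentText, LinkUrl, Output) and the same-host Referer rule are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the book). Hypothetical comment page: user text
// and a user-supplied link are rendered, and the POST is checked against
// the Referer header. Control names are assumptions.
public partial class CommentPage : Page
{
    protected TextBox CommentText;   // free-text comment entered by the user
    protected TextBox LinkUrl;       // optional hyperlink entered by the user
    protected Literal Output;        // Literal renders its Text as raw HTML

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // Accept the form only as a POST that came from a page on our host.
        if (Request.HttpMethod != "POST" || !FromTrustedReferer())
        {
            Output.Text = "Request rejected.";
            return;
        }

        // Unsafe form: raw input becomes part of the page's HTML, so a
        // <script> tag typed into CommentText would execute.
        //   Output.Text = "<p>" + CommentText.Text + "</p>";

        // Safe form: encode the text for element content ...
        string body = HttpUtility.HtmlEncode(CommentText.Text);
        // ... and build the hyperlink only from a validated http(s) URL.
        string link = SafeLink(LinkUrl.Text);
        Output.Text = "<p>" + body + "</p>" + link;
    }

    // Returns an <a> element for an absolute http/https URL, or "" for
    // anything else (relative paths, javascript:, data:, malformed input).
    public static string SafeLink(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri)) return "";
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return "";

        // Attribute context needs attribute encoding; link text is element content.
        string href = HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
        string text = HttpUtility.HtmlEncode(uri.Host);
        return "<a href=\"" + href + "\" rel=\"nofollow\">" + text + "</a>";
    }

    // True only when a Referer header is present and names our own host.
    bool FromTrustedReferer()
    {
        Uri referer = Request.UrlReferrer;   // null when the header is absent
        return referer != null
            && string.Equals(referer.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }
}
```

Two notes on the design. The Referer header is supplied by the client, so the check above is one layer that stops casual cross-site form submission, not a substitute for encoding and for a per-session token on the form. The character-set rule in the list is applied outside this file: in web.config with the globalization element's responseEncoding and requestEncoding attributes (for example "utf-8"), or per page with the ResponseEncoding attribute of the @ Page directive, so that the browser cannot be coaxed into interpreting encoded output under a different charset.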

Preventing Information Leaks

Use aliases for e-mail links.

Avoid listing employee details such as e-mail addresses or phone extensions.

Remove HTML meta tags that reveal unnecessary information.

Avoid HTML comments in a production system.

Handling Exceptions

Using Structured Error Handling

Use structured error handling to avoid the default ASP.NET error handler.

Always code error handlers to fail securely.

Carefully consider the execution order of exception filters and finally blocks.
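The execution-order point in the last item is easy to get wrong, so here is an added example (not from the book) that makes it visible. The CLR handles exceptions in two passes: exception filters run in the first pass, before any finally block in the frames below them has executed. A filter in a caller therefore observes state that the callee's finally block has not yet cleaned up. The example uses the C# 6 "catch ... when" filter syntax, which is assumed to be available; the elevated flag and the names FilterOrderDemo, PrivilegedWork and LogFilter are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the book): a filter in the caller runs BEFORE the
// callee's finally block. Requires C# 6 or later for "when" filters.
public static class FilterOrderDemo
{
    // Records the order of events so the reader can inspect it.
    public static readonly List<string> Trace = new List<string>();

    // Stands in for a privileged state that must always be reverted.
    static bool elevated = false;

    static void PrivilegedWork()
    {
        elevated = true;
        Trace.Add("elevated");
        try
        {
            throw new InvalidOperationException("work failed");
        }
        finally
        {
            // Cleanup the code relies on; it runs only in the second pass,
            // i.e. after the caller's filter has already executed.
            elevated = false;
            Trace.Add("finally: elevation reverted");
        }
    }

    // A filter used for logging. It sees elevated == true because filters
    // execute in the first pass, before any inner finally block.
    static bool LogFilter(Exception e)
    {
        Trace.Add("filter: elevated=" + elevated);
        return true;   // always handle; the side effect is the point
    }

    public static IList<string> RunWithFilter()
    {
        Trace.Clear();
        try
        {
            PrivilegedWork();
        }
        catch (InvalidOperationException e) when (LogFilter(e))
        {
            Trace.Add("catch: elevated=" + elevated);
        }
        return Trace;
    }

    // Safer form: do the logging in the catch body. The catch body runs in
    // the second pass, after the callee's finally block has reverted state.
    public static IList<string> RunWithoutFilter()
    {
        Trace.Clear();
        try
        {
            PrivilegedWork();
        }
        catch (InvalidOperationException)
        {
            Trace.Add("catch: elevated=" + elevated);
        }
        return Trace;
    }
}
```

In RunWithFilter the trace shows the filter entry before the "finally: elevation reverted" entry, with elevated still true; in RunWithoutFilter the finally entry precedes the catch entry and elevated is already false. The practical rule that follows: code in an exception filter (or anything it calls, such as a logger) must not assume that inner finally blocks have run, and security-sensitive cleanup should not be left to a finally block that a caller's filter can run ahead of.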

Reporting and Logging Errors

Always provide users with generic messages that do not reveal too much information.

Configure generic error handlers in the web.config file or create global error handlers on the application or page level.

Do not log user passwords, credit card numbers, or other sensitive information in log files.

Turn off debugging, tracing, and detailed error messages in production applications.
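As an added example, not from the book, the code below is a Global.asax code-behind that applies the reporting and logging items together: the unhandled exception is logged server-side with passwords and card numbers scrubbed, the default ASP.NET error page is suppressed, and the user is sent to a generic page. The Error.aspx path, the Redactor class and its two regular expressions, and the use of the Windows event log (which requires a registered event source) are all assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the book): global error handler for Global.asax.cs.
// Error.aspx, the Redactor patterns and the event source name are assumptions.
public class Global : HttpApplication
{
    const string EventSource = "ExampleWebApp";   // must be registered on the server

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Detail stays on the server, with sensitive values removed.
        string entry = Redactor.BuildLogEntry(ex, Request.RawUrl);
        EventLog.WriteEntry(EventSource, entry, EventLogEntryType.Error);

        // Clear the error so ASP.NET does not render its own detailed page,
        // then show a page that reveals nothing about the failure.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }
}

public static class Redactor
{
    // 13 to 16 digits, optionally separated by spaces or hyphens.
    static readonly Regex CardNumber = new Regex(@"\b(?:\d[ -]?){13,16}\b");
    // password=... or pwd=... in a query string or form body.
    static readonly Regex PasswordField = new Regex(@"(?i)(password|pwd)=[^&\s]*");

    // Removes values that must never reach a log file.
    public static string Scrub(string text)
    {
        text = CardNumber.Replace(text, "[CARD REDACTED]");
        text = PasswordField.Replace(text, "$1=[REDACTED]");
        return text;
    }

    // Builds the log line from the exception and the requested URL, scrubbed.
    public static string BuildLogEntry(Exception ex, string rawUrl)
    {
        return "Unhandled exception at " + Scrub(rawUrl) + Environment.NewLine
             + Scrub(ex.ToString());
    }
}
```

Two things belong in web.config alongside this handler. First, the customErrors element with mode="On" (or "RemoteOnly") and defaultRedirect pointing at the generic page covers errors raised before Application_Error can run; second, the compilation element's debug attribute and the trace element's enabled attribute are both set to false in production, as the last item in the list requires. The regular expressions in Redactor are a last line of defence: the reliable way to keep passwords and card numbers out of logs is not to put them into exception messages, query strings or request logs in the first place.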