FxCop ASP.NET Security Rules release

The FxCop ASP.NET security rules have finally been released after being used internally for quite some time. You can read more about them in this month's MSDN Magazine at http://msdn.microsoft.com/en-us/magazine/gg490350.aspx. The rules are available on CodePlex at http://fxcopaspnetsecurity.codeplex.com/


Strict Transport Security ASP.NET Module

I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario: a user connects to a random Wi-Fi network and accesses corporate data through online services. In the majority of cases the browser is used to connect to the services and…


Using ValidateRequest to detect when XSS is occurring

As a way to limit the risk of Cross-Site Scripting (XSS) attacks, ASP.NET 1.1 introduced request validation, which detects such attacks and automatically rejects the request. This functionality is exposed through PagesSection.ValidateRequest and is turned on by default. It should not be considered a foolproof solution against XSS, but it is a good…
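One way to turn request validation into a detection signal, as an added example that is not the post's own code: when validation rejects a request, ASP.NET raises HttpRequestValidationException, so a handler in Global.asax can log the client, path and user before returning a generic error. The logging sink (System.Diagnostics.Trace) and the 400 response are assumptions for this example; substitute your own.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example (not the blog post's code): record request-validation
// rejections as a security event instead of letting them surface as a
// yellow error page. Request validation is on by default, so every
// HttpRequestValidationException is a request that carried markup-like
// input into a form field, query string, cookie or header.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        var rve = ex as HttpRequestValidationException
                  ?? ex?.InnerException as HttpRequestValidationException;
        if (rve == null)
            return;                         // some other failure; leave default handling alone

        HttpRequest req = Request;
        string user = User?.Identity?.IsAuthenticated == true ? User.Identity.Name : "anonymous";

        // Assumed sink: Trace listeners configured in web.config. The exception
        // message contains a fragment of the attacker-controlled value, so treat
        // the log line as untrusted data wherever it is later displayed.
        Trace.TraceWarning(
            "RequestValidation rejected request: client={0} path={1} user={2} detail={3}",
            req.UserHostAddress, req.RawUrl, user, rve.Message);

        // Replace the error with a generic response; do not echo the input back.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.Write("Bad request.");
        CompleteRequest();
    }
}
```

Pages that legitimately accept markup (rich-text editors, for example) can set `ValidateRequest="false"` in their `@Page` directive and encode output themselves; those pages will never reach this handler, which is exactly why validation alone is not a complete XSS defence.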


Watch out for scheme-relative URLs

Doing my usual random code browsing yesterday I stumbled on a method that piqued my curiosity. The intent of the method is to allow redirects only to relative paths; if the redirect target is not a relative path, it is rejected. Let’s look at the implementation. public static void SafeRedirect(HttpResponse response, string rawRelativeUrl) {     Uri…
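To show why "is it a relative Uri?" is not the same as "does it stay on my site?", here is an added example (my own code, not the method from the post): a naive check built on UriKind.Relative accepts a scheme-relative URL such as //evil.example/phish, because it has no scheme and is therefore relative as far as System.Uri is concerned, yet a browser following that Location header lands on another host. The hardened check beside it requires a site-rooted path, rejects the "//" and "/\" prefixes that browsers treat as scheme-relative, rejects control characters, and then resolves the result against the site base to confirm the authority is unchanged. The site base https://www.example.com/ and the sample inputs are constructed for this example.

```csharp
using System;

// Added example (not the blog post's code): naive versus hardened
// "local redirect only" checks for a user-supplied redirect target.
public static class RedirectCheck
{
    // Naive check: any string System.Uri will parse as relative is accepted.
    // "//evil.example/phish" has no scheme, so it passes.
    public static bool IsRelativeNaive(string rawUrl)
    {
        return Uri.TryCreate(rawUrl, UriKind.Relative, out _);
    }

    // Hardened check for a site-rooted path that stays on siteBase.
    public static bool IsLocalRedirect(string rawUrl, Uri siteBase)
    {
        if (string.IsNullOrEmpty(rawUrl) || rawUrl[0] != '/')
            return false;                                   // must be site-rooted, not "http:" or "evil.example"
        if (rawUrl.Length > 1 && (rawUrl[1] == '/' || rawUrl[1] == '\\'))
            return false;                                   // "//host" and "/\host" are scheme-relative to browsers
        foreach (char c in rawUrl)
            if (c < 0x20 || c == 0x7f)
                return false;                               // CR/LF would split the Location header

        // Defence in depth: resolve against the site and compare the authority.
        if (!Uri.TryCreate(siteBase, rawUrl, out Uri resolved))
            return false;
        return resolved.Scheme == siteBase.Scheme
            && string.Equals(resolved.Host, siteBase.Host, StringComparison.OrdinalIgnoreCase)
            && resolved.Port == siteBase.Port;
    }

    public static void Main()
    {
        var site = new Uri("https://www.example.com/");   // assumed site base
        string[] inputs =                                  // constructed sample inputs
        {
            "/account/home",
            "/a?next=//x",
            "//evil.example/phish",
            "/\\evil.example/phish",
            "https://evil.example/",
            "/home\r\nSet-Cookie: x=1"
        };
        foreach (string s in inputs)
            Console.WriteLine("{0,-28} naive={1,-5} hardened={2}",
                s.Replace("\r", "\\r").Replace("\n", "\\n"),
                IsRelativeNaive(s), IsLocalRedirect(s, site));
    }
}
```

Running it shows the first two inputs accepted by both checks and the remaining four accepted only by the naive one, with the scheme-relative forms being the ones that a check based purely on Uri parsing lets through.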