MVC: Security


Cross-Site Scripting (XSS) Attacks

Example: entering a <script> tag in an input field and submitting the form.

  • Always HTML-encode content entered by the user.
  • MVC validates Request.Form by default and throws an exception when input that looks like a script is submitted.
  • Input validation can be disabled with the [ValidateInput(false)] attribute.
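The three points above in one controller, as an added example (not code from the original notes). The controller, the in-memory comment list and the Razor fragment in the trailing comment are assumptions made for the illustration:

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical comment-posting controller used to illustrate request validation
// and HTML encoding. The static list stands in for a real data store.
public class CommentsController : Controller
{
    private static readonly List<string> Comments = new List<string>();

    public ActionResult Index()
    {
        return View(Comments);
    }

    // Default behaviour: request validation rejects input such as "<script>alert(1)</script>"
    // with an HttpRequestValidationException before this action body ever runs.
    [HttpPost]
    public ActionResult Create(string body)
    {
        Comments.Add(body);
        return RedirectToAction("Index");
    }

    // Validation disabled for this action only, so raw markup reaches the code.
    // The content is therefore encoded here, before it is stored or rendered.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateRich(string body)
    {
        Comments.Add(EncodeForHtml(body));
        return RedirectToAction("Index");
    }

    // "<script>" becomes "&lt;script&gt;", so the browser shows text instead of running it.
    public static string EncodeForHtml(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput ?? string.Empty);
    }
}

// Views/Comments/Index.cshtml (Razor), shown here as a comment:
//   @foreach (var c in Model) {
//       <p>@c</p>            @* @-expressions are HTML-encoded on output by default *@
//       @* <p>@Html.Raw(c)</p>  would bypass encoding; only for trusted or pre-encoded markup *@
//   }
```

The safe default is output encoding in the view; the explicit HttpUtility.HtmlEncode call matters on the path where request validation is switched off and the string may later be emitted through Html.Raw or outside a Razor view.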

Cross site Request Forgery Attack (CSRF)

  • [ValidateAntiForgeryToken]
  • A cookie with a random encrypted code is sent every time a page is requested.
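How the attribute is applied in practice, as an added example rather than code from the original notes. The controller and view names are assumptions; Html.AntiForgeryToken() and [ValidateAntiForgeryToken] are the real MVC helper and attribute:

```csharp
using System.Web.Mvc;

// Hypothetical controller protecting a state-changing POST against CSRF.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // MVC reads the __RequestVerificationToken hidden field from the posted form and
    // compares it with the anti-forgery cookie. A missing or mismatched pair raises
    // HttpAntiForgeryException, so a form posted from another site never reaches the body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... update the signed-in user's e-mail address (storage omitted) ...
        TempData["Message"] = "E-mail changed";
        return RedirectToAction("Index", "Home");
    }
}

// Views/Account/ChangeEmail.cshtml (Razor), shown as a comment:
//   @using (Html.BeginForm()) {
//       @Html.AntiForgeryToken()       @* emits the hidden field and sets the paired cookie *@
//       @Html.TextBox("newEmail")
//       <input type="submit" value="Save" />
//   }
```

The protection depends on both halves: the cookie the browser sends automatically and the hidden field that only a page served by this site can contain. Apply the attribute to every POST that changes state, not only to the login form.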


  • BOs or entities for "forms over data".
  • DTOs for view-specific models that are complex; this separates view logic from business rules.

Model Binders

  • FormCollection: key/value pairs with the value as a string.
  • UpdateModel() and TryUpdateModel()
    • If there are parsing errors, ModelState is populated with the errors, which the UI can use to display error messages.
    • A white list and a black list of properties decide which properties are mapped onto the model and which are left out during binding.
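The white-list form of TryUpdateModel() with the resulting ModelState handling, as an added example (not from the original notes). The UserProfile type, the controller and the Load/Save helpers are assumptions; the TryUpdateModel overloads and ModelState are real MVC API:

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical model: IsAdmin must never be settable from a browser form post.
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public class ProfileController : Controller
{
    // Stand-in for a repository; keyed by Id.
    private static readonly Dictionary<int, UserProfile> Store = new Dictionary<int, UserProfile>();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, FormCollection form)
    {
        UserProfile profile;
        if (!Store.TryGetValue(id, out profile)) return HttpNotFound();

        // FormCollection gives raw strings: form["Email"] is whatever the client typed,
        // so conversion and validation are left to the binder below.
        string rawEmail = form["Email"];

        // White list: only these keys are copied onto the model. A posted
        // "IsAdmin=true" is silently ignored even though the property exists.
        string[] allowed = { "DisplayName", "Email" };
        if (!TryUpdateModel(profile, allowed))
        {
            // Conversion or validation errors now sit in ModelState; the view renders
            // them with @Html.ValidationSummary() / @Html.ValidationMessageFor(m => m.Email).
            return View(profile);
        }

        // Black-list alternative (less safe: any property added later is bindable by default):
        //   TryUpdateModel(profile, "", null, new[] { "IsAdmin" });

        Store[id] = profile;
        return RedirectToAction("Details", new { id });
    }

    public ActionResult Details(int id)
    {
        UserProfile profile;
        return Store.TryGetValue(id, out profile) ? View(profile) : (ActionResult)HttpNotFound();
    }
}
```

Prefer the include list: it fails closed when a sensitive property is added to the model later, whereas an exclude list has to be remembered and extended each time.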

Same-origin policy

All modern browsers implement some form of the Same-Origin Policy.

Relaxing the same-origin policy

  • document.domain property
  • Cross-Origin Resource Sharing
  • Cross-document messaging
  • WebSockets

Cross-origin resource sharing

The CORS standard describes new HTTP headers that give browsers and servers a way to request remote URLs only when they have permission.

For Ajax and HTTP request methods that can modify data:

  • the specification mandates that browsers "preflight" the request,
  • soliciting the supported methods from the server with an HTTP OPTIONS request, and
  • upon "approval" from the server, sending the actual request with the actual HTTP request method.
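The server side of that preflight exchange in an ASP.NET pipeline module, as an added example that is not part of the original notes. The module name, the origin allow-list and the web.config registration line are assumptions; the header names are the CORS headers themselves:

```csharp
using System;
using System.Linq;
using System.Web;

// Hypothetical IHttpModule that answers the OPTIONS preflight and stamps the actual
// cross-origin response. The exchange it implements:
//   Browser:  OPTIONS /api/orders          Origin: https://app.example.com
//                                          Access-Control-Request-Method: PUT
//   Server:   204 No Content               Access-Control-Allow-Origin: https://app.example.com
//                                          Access-Control-Allow-Methods: GET, POST, PUT, DELETE
//   Browser:  PUT /api/orders  (only sent after the "approval" above)
public class CorsModule : IHttpModule
{
    // Constructed allow-list. A specific origin is echoed back; "*" is never used,
    // which matters as soon as cookies or Authorization headers are involved.
    private static readonly string[] AllowedOrigins =
        { "https://app.example.com", "https://admin.example.com" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) => HandleCors(new HttpContextWrapper(app.Context));
    }

    public void Dispose() { }

    // Returns true when the request was a preflight that has been fully answered here.
    public static bool HandleCors(HttpContextBase ctx)
    {
        string origin = ctx.Request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin)) return false;   // same-origin or non-browser client

        if (!AllowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
            return false;                                // no CORS headers: the browser blocks the read

        HttpResponseBase resp = ctx.Response;
        resp.AppendHeader("Access-Control-Allow-Origin", origin);
        resp.AppendHeader("Vary", "Origin");               // caches must key on the Origin header

        bool isPreflight = ctx.Request.HttpMethod == "OPTIONS"
            && ctx.Request.Headers["Access-Control-Request-Method"] != null;
        if (!isPreflight) return false;                  // actual request continues into MVC routing

        // Preflight "approval": say what the browser may send, then end the pipeline.
        resp.AppendHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        resp.AppendHeader("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
        resp.AppendHeader("Access-Control-Max-Age", "600");
        resp.StatusCode = 204;
        ctx.ApplicationInstance.CompleteRequest();
        return true;
    }
}

// web.config registration (assumed, integrated pipeline):
//   <system.webServer>
//     <modules><add name="Cors" type="CorsModule" /></modules>
//   </system.webServer>
```

Reflecting an arbitrary Origin header back, or answering "*" while also allowing credentials, would re-open exactly the cross-site reads the Same-Origin Policy prevents; the allow-list comparison is the part of this module that carries the security decision.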