5 Simple Security Tips for Sitecore MVC Projects
#1 Prevent XSS attacks by setting requestValidationMode="2.0" in web.config
Cross-Site Scripting (XSS) attacks occur when a user submits HTML, script or SQL code to your site via form fields. Client-side validation should prevent malicious data being entered, but remember that this relies on JavaScript, which is trivial to disable in the browser. Add the following attribute to the <httpRuntime> element in your web.config file to enable request validation:
<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>
If you need to allow HTML markup to be submitted, you can decorate your controller actions with the [ValidateInput(false)] attribute where necessary to override the web.config setting.
Note that you cannot change the setting <pages validateRequest="true" /> as this breaks the Content Editor. In a content delivery environment where the Sitecore client is not used, this could be a viable option.
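The following is an added example, not code from the original post, showing the two ways to accept markup once request validation is on. It assumes the web.config carries the <httpRuntime requestValidationMode="2.0" /> setting described above; the CommentViewModel and CommentsController types, the view names and the action names are hypothetical. It goes slightly beyond the post by contrasting [ValidateInput(false)] on the whole action with [AllowHtml] on a single view-model property, which is the narrower opt-out.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example, not code from the original post. Assumes the web.config carries
// <httpRuntime requestValidationMode="2.0" /> as described above. CommentViewModel,
// CommentsController, the view names and the action names are all hypothetical.

public class CommentViewModel
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    // [AllowHtml] (System.Web.Mvc) opts this single property out of request validation.
    // Name and every other bound field are still rejected if they contain markup.
    [AllowHtml]
    [Required, StringLength(4000)]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // GET: renders the empty form.
    [HttpGet]
    public ActionResult New()
    {
        return View(new CommentViewModel());
    }

    // Targeted version: request validation stays on for the action and [AllowHtml]
    // on the view model admits markup only in Body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View("New", model);
        }

        // Request validation only blocks input that looks like markup; it is not output
        // encoding. The Preview view must render Body with @Model.Body (Razor encodes it),
        // never @Html.Raw(Model.Body), unless Body has first been sanitised against an allow-list.
        return View("Preview", model);
    }

    // Blunt version from the post: [ValidateInput(false)] switches request validation off
    // for every field bound by this action, not just the one that needs markup.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)]
    public ActionResult SubmitUnvalidated(CommentViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View("New", model);
        }
        return View("Preview", model);
    }
}
```

Prefer the Submit action's shape: if a later developer adds a new field to the view model, it stays covered by request validation, whereas with SubmitUnvalidated every new field silently inherits the opt-out.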
#2 Guard against CSRF attacks by using @Html.AntiForgeryToken() and [ValidateAntiForgeryToken]
Cross-Site Request Forgery (CSRF) attacks involve a malicious user creating a copy of one of your site's forms and hosting it on a different domain, allowing users to post data from the malicious site to yours. Luckily the solution is very simple: in your view, add @Html.AntiForgeryToken() within your form declaration as shown below:
@using (Html.BeginForm("YourAction", "YourController"))
{
    @Html.AntiForgeryToken()
}
Then in your controller, simply add the [ValidateAntiForgeryToken] attribute as follows:
[ValidateAntiForgeryToken]
public ActionResult YourAction(YourViewModel viewModel)
{
    // Handle the posted data here; the token has already been checked
    // by the filter before this method runs.
    return View(viewModel);
}
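[ValidateAntiForgeryToken] reads the token from a form field, so it does not help for AJAX requests that post JSON without form fields (the situation tip #4 below mentions, where the Sitecore controller is bypassed). The following is an added example, not code from the original post, of an authorization filter that validates the same token pair from a request header instead, using the AntiForgery helper that [ValidateAntiForgeryToken] itself is built on. The header name "X-RequestVerificationToken", the NewsletterController and SubscribeViewModel types and the action name are assumptions.

```csharp
using System;
using System.Linq;
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not code from the original post. The header name and the class names
// below are assumptions; the AntiForgery API is the one System.Web.Mvc uses internally.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name; the client script must use the same one.
    private const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Cookie half of the pair: written when the view called @Html.AntiForgeryToken().
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Form half of the pair: the client copied the hidden field's value into a header.
        string headerToken = request.Headers[HeaderName];

        // Throws HttpAntiForgeryException (rendered as a 500 by default) when either half
        // is missing or the two halves do not match.
        AntiForgery.Validate(cookieToken, headerToken);
    }
}

public class SubscribeViewModel
{
    [Required, EmailAddress]
    public string Email { get; set; }
}

public class NewsletterController : Controller
{
    // AJAX endpoint: still POST-only, still authenticated, and CSRF-checked via the header.
    [HttpPost]
    [Authorize]
    [ValidateHeaderAntiForgeryToken]
    public JsonResult Subscribe(SubscribeViewModel model)
    {
        if (!ModelState.IsValid)
        {
            Response.StatusCode = 400;
            string[] errors = ModelState.Values
                .SelectMany(v => v.Errors)
                .Select(e => e.ErrorMessage)
                .ToArray();
            return Json(new { ok = false, errors = errors });
        }

        // Subscription handling would go here; forged and anonymous requests never reach it.
        return Json(new { ok = true, email = model.Email });
    }
}
```

The view still needs @Html.AntiForgeryToken() somewhere on the page, because that call both sets the cookie and emits the hidden __RequestVerificationToken field. The client script then reads that field and sends it as a header, for example with jQuery: $.ajax({ type: "POST", url: "/api/sitecore/Newsletter/Subscribe", headers: { "X-RequestVerificationToken": $('input[name="__RequestVerificationToken"]').val() }, data: { Email: email } }).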
#3 Use SSL encryption
Ensure that all form and user data is transmitted securely by using SSL encryption. This is simply a case of making sure your site uses the https scheme in the URL. This can be easily set up using Sitecore's SSL Redirector module from the marketplace. Once set up, there is nothing else you need to do differently as a developer to accommodate SSL.
Note that JavaScript/CSS resources should be referenced without a scheme (just use the relative path from the root, e.g. <script src="/Scripts/myScript.js">) to ensure that they use http or https correctly according to what the page is using. If referencing external scripts, e.g. jQuery, use the "//" path prefix without the http/https, e.g. "//ajax.googleapis.com/whatever.js".
#4 Mark form actions with the [Authorize] attribute (where appropriate)
This prevents unauthenticated users from accessing or submitting data. It is important to do this in addition to setting access rights on the Sitecore content items, since some controller actions may be invoked outside of the Sitecore context and are therefore not protected by Sitecore security (an example is where you have AJAX forms where the Sitecore controller is bypassed).
Tip: Don’t do this on your login form ;-)
#5 Mark form submit actions with the [HttpPost] attribute
Another very simple measure. This prevents your action methods from being invoked with a GET request. While not a guarantee of security in itself, it prevents users from simply entering the path to your controller action in their browser address bar to retrieve data. This is also good practice in terms of semantics, as it makes controller code clearer as to which actions respond to GET and which to POST.
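Tips #3, #4 and #5 combine naturally on a single controller. The following is an added example, not code from the original post, of a login/profile controller that applies [Authorize] at class level so every action is protected by default, opts the login actions out with [AllowAnonymous] (the "don't do this on your login form" case), separates GET and POST actions with [HttpGet]/[HttpPost], and adds [RequireHttps] as extra defence in depth on top of the SSL Redirector module. It assumes ASP.NET MVC 4 or later for [AllowAnonymous] and an "extranet" Sitecore domain for site users; the ProfileController, the view models and the view names are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;

// Added example, not code from the original post. Controller, view-model and view names
// are hypothetical; the "extranet" domain prefix is an assumption about the site's users.

public class LoginViewModel
{
    [Required]
    public string UserName { get; set; }

    [Required, DataType(DataType.Password)]
    public string Password { get; set; }

    public string ReturnUrl { get; set; }
}

public class ProfileViewModel
{
    [Required, StringLength(100)]
    public string DisplayName { get; set; }
}

[RequireHttps]   // tip #3: reject plain-http requests even if the redirector module is misconfigured
[Authorize]      // tip #4: every action requires an authenticated user unless it opts out
public class ProfileController : Controller
{
    // GET /Profile/Login renders the form; anonymous users must be able to reach it.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        return View(new LoginViewModel { ReturnUrl = returnUrl });
    }

    // POST /Profile/Login: tip #5 keeps this off the address bar, the token stops cross-site posts.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Sitecore user names are domain-qualified, e.g. "extranet\jsmith" (domain assumed).
        string userName = "extranet\\" + model.UserName;
        if (!AuthenticationManager.Login(userName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Only follow a local return URL so the login action cannot redirect off-site.
        if (Url.IsLocalUrl(model.ReturnUrl))
        {
            return Redirect(model.ReturnUrl);
        }
        return RedirectToAction("Edit");
    }

    // GET /Profile/Edit inherits [Authorize]; unauthenticated requests get a 401, which
    // forms authentication turns into a redirect to the login page.
    [HttpGet]
    public ActionResult Edit()
    {
        User user = Sitecore.Context.User;
        return View(new ProfileViewModel { DisplayName = user.Profile.FullName });
    }

    // POST /Profile/Edit only ever touches the profile of the user Sitecore authenticated.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(ProfileViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        User user = Sitecore.Context.User;
        user.Profile.FullName = model.DisplayName;
        user.Profile.Save();
        return RedirectToAction("Edit");
    }

    // Logout is a state change, so it is POST-only and token-protected like any other form action.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        AuthenticationManager.Logout();
        return RedirectToAction("Login");
    }
}
```

Putting [Authorize] on the class rather than on each action means a newly added action is protected unless someone deliberately marks it [AllowAnonymous], which is the safer default when several developers work on the same controller.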
Conclusion
The tips presented here should be regarded as essential practices for any Sitecore MVC project involving custom built forms. While they will guard against many types of attack, there is no substitute for proper security testing and peer code review!