Sitecore: 5 Simple Security Tips

This post is relevant to Sitecore solutions where users must log in before accessing user data. Below are five simple but important steps that should be taken into consideration to improve application security.

Prevent XSS attacks

Cross-Site Scripting (XSS) attacks occur when a user submits HTML, script or SQL code to your site via form fields. Client-side validation should prevent malicious data from being entered, but remember that it relies on JavaScript, which is trivial to disable in the browser. Add the following attribute to the <httpRuntime> element in your web.config file to enable request validation:

<system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>

If there is a need to allow HTML markup to be submitted, the appropriate controller action should be decorated with the [ValidateInput(false)] attribute. This overrides the web.config setting for that single action only, so keep it to the actions that genuinely need it.

Note that you cannot change the setting <pages validateRequest="true" /> as this breaks the Content Editor. In a content delivery environment where the Sitecore client is not used, this could be a reasonable option.

Guard against CSRF attacks

Cross-Site Request Forgery (CSRF) attacks involve a malicious user creating a copy of one of your site's forms and hosting it on a different domain, allowing users to post data from the malicious site to yours. Luckily the solution is very simple: @Html.AntiForgeryToken() has to be added within the form's declaration as shown below:

@using (Html.BeginForm("SomeAction", "SomeController"))
{
    @* emits a hidden __RequestVerificationToken field tied to the anti-forgery cookie *@
    @Html.AntiForgeryToken()
}

And then the controller's action should be marked with the [ValidateAntiForgeryToken] attribute as follows:

[ValidateAntiForgeryToken] // rejects the request if the form token does not match the cookie token
public ActionResult SomeAction(SomeViewModel viewModel)
{
    // handle the submitted model here
    return View(viewModel);
}

Use SSL encryption

All forms and user data should be transmitted securely by using SSL encryption. This is simply a case of making sure the site uses the https scheme in the URL. This can be easily set up using Sitecore's SSL Redirector module from the Marketplace. Once it is set up, nothing else needs to be done differently as a developer to accommodate SSL.

Important note: JavaScript/CSS resources should be referenced without a scheme, using just the path relative to the site root (e.g. <script src="/Scripts/myScript.js">), so that http or https is used correctly according to what the page itself is using. When referencing external scripts, e.g. jQuery, the "//" path prefix has to be used without the http/https, e.g. "//ajax.googleapis.com/whatever.js".

Authorization

The [Authorize] attribute should be used to mark form actions where restriction to logged-in users has to be applied. This prevents unauthenticated users from accessing or submitting data. It is important to do this in addition to setting access rights on the Sitecore content items, since some controller actions may be invoked outside of the Sitecore context and are therefore not protected by Sitecore security (an example is AJAX forms, where the Sitecore controller is bypassed).

Important note: Don’t do this on the login form!

HttpPost

Submit form actions should be marked with the [HttpPost] attribute. This prevents the action methods from being invoked with a GET request. While not a guarantee of security in itself, it prevents users from simply entering the path to your controller action in their browser address bar to retrieve data. This is also good practice in terms of semantics, as it makes the controller code clearer about which actions are GET and which are POST.
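Putting the CSRF, authorization, request-validation and HttpPost tips together, here is an added example controller (not from the original post; CommentController, CommentViewModel and the action names are hypothetical) showing how the attributes combine on a typical Sitecore MVC form action:

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical model for a plain-text comment form.
public class CommentViewModel
{
    [Required, StringLength(2000)]
    public string Text { get; set; }
}

public class CommentController : Controller
{
    // GET renders the form. The matching Razor view contains:
    //   @using (Html.BeginForm("Submit", "Comment")) { @Html.AntiForgeryToken() ... }
    [Authorize]
    [HttpGet]
    public ActionResult Submit()
    {
        return View(new CommentViewModel());
    }

    // POST handles the submission; the same checks apply when the form is
    // posted via AJAX, where Sitecore item security is not consulted.
    [Authorize]                  // unauthenticated callers are rejected before the body runs
    [HttpPost]                   // this overload is never selected for a GET request
    [ValidateAntiForgeryToken]   // hidden form token must match the anti-forgery cookie
    public ActionResult Submit(CommentViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Site-wide request validation (web.config) has already rejected
        // input that looks like markup, so model.Text is plain text here.
        TempData["Saved"] = true;
        return RedirectToAction("Submit");
    }

    // Rich-text field: request validation is switched off for this one
    // action only. The value is HTML-encoded when echoed back so that
    // allowing markup in does not mean rendering it unescaped.
    [Authorize, HttpPost, ValidateAntiForgeryToken]
    [ValidateInput(false)]
    public ActionResult SubmitRichText(string body)
    {
        ViewBag.Preview = Server.HtmlEncode(body ?? string.Empty);
        return View();
    }
}
```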

Conclusion

The tips presented here should be regarded as essential practices for any Sitecore MVC project involving custom built forms. While they will guard against many types of attack, there is no substitute for proper security testing and peer code review!

Enjoy!
