Posts

Showing posts with the label security

Responsible use of the ASP.NET MVC AntiForgeryToken

The use of anti-forgery tokens is a necessary safeguard against cross-site request forgery (CSRF) attacks. The ASP.NET MVC framework provides easy-to-use security mechanisms right out of the box, but unfortunately these are opt-in rather than opt-out and are easy to miss or forget. For a non-trivial website it is difficult to guarantee that tokens are supplied and checked in all form submissions and AJAX posts. This is how I do it.

Note: Web security is a tricky business and I do not consider myself a security expert. Use the information in this post at your own risk.

1. Use the ValidateJsonAntiForgeryToken attribute for AJAX calls

There's a nice post by Johan Driessen on anti-XSRF validation with newer versions of the .NET framework. I use Johan's ValidateJsonAntiForgeryToken attribute to great effect. In summary, Johan's attribute should be applied to actions invoked via AJAX calls. Check out his blog post - it explains everything in detail.

2. Ensure all AJAX posts conta...

Book Review–The Tangled Web

Disclosure: I received a review copy of this title from O'Reilly.

Oh, Cheryl, what a tangled web we weave when we something-something on Christmas Eve - According to Jim

For obvious reasons the above quote came into my head every time I picked up The Tangled Web by Michal Zalewski. It always makes me smile…

In The Tangled Web Mr. Zalewski paints a grim picture of web security, explaining in some detail the confluence of conflicting standards, incomplete RFCs, inconsistent browser behaviors and other anomalies that lead to today's (spoiler alert: not good) state of web security. This title is different from any other I've read on web security. It isn't a web security handbook by any means - it is more a descriptive history of the evolution of web standards and languages, focusing on decisions made that impact web security to this day. The author delves into every aspect of the web - HTML, HTTP, CSS, scripting languages, browsers, plugins, etc. in a...