Security improvement is always important, and the .NET 4.5 framework, launched a few months ago, includes a variety of improvements in the security area. To benefit from these improvements you will need to make a few adjustments to your application configuration file.
Important Improvements in ASP.NET 4.5
- There are significant Cryptographic Improvements in ASP.NET 4.5.
- There are changes to ASP.NET request validation; it now supports deferred (lazy) validation and gives you the option to read unvalidated request data.
- Windows Identity Foundation is now included in the framework, referred to as WIF 4.5.
- The AntiXSS library is included in the framework.
Switching to 4.5
Take into consideration that it is not enough to install the 4.5 framework and change the 'Target framework' of the project accordingly. You will see that a comment appears in the web.config file, as shown below:
NOTE: It is very important to set 'targetFramework' in your configuration file; otherwise your application will run in '4.0' mode.
Set the AntiXss library as the default encoder; this is easily done in the httpRuntime configuration element, as follows:
NOTE: This can have disadvantages. AntiXss takes a white-list approach to encoding, so characters that were not encoded before may now be encoded by AntiXss; be aware of this when you switch.
Lazy validation was introduced in ASP.NET 4.5 and is enabled regardless of how you set 'requestValidationMode' once the 4.5 framework is installed. If you need access to unvalidated request parameters, you will have to set the validation mode to '4.5', as below:
This enables access to the unvalidated collections of parameters, i.e.
This is a better approach than disabling request validation altogether.
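As an added example (not a snippet from the original post), the web.config fragment below applies the three settings discussed above in one place: the 4.5 target framework, the AntiXss encoder as the default encoder, and request validation mode 4.5. The assembly-qualified type name is the AntiXssEncoder that ships in System.Web 4.5; everything else is a minimal constructed configuration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Compile against 4.5 -->
    <compilation targetFramework="4.5" />
    <!-- Without targetFramework on httpRuntime the application still runs in 4.0 mode.
         requestValidationMode 4.5 keeps validation on but defers it (lazy) and exposes
         Request.Unvalidated for the rare places that must read raw input. -->
    <httpRuntime targetFramework="4.5"
                 requestValidationMode="4.5"
                 encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <!-- Leave page-level validation enabled rather than switching it off globally -->
    <pages validateRequest="true" />
  </system.web>
</configuration>
```

With this in place, Request.Form still throws on input that fails validation, while Request.Unvalidated.Form returns the same value without validation, so only the code that explicitly opts in sees raw input.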
Windows Identity Foundation 4.5
There are several changes now that WIF is part of the framework. It should not take long to upgrade; there is an excellent article on MSDN on migrating an application built with WIF 3.5 to WIF 4.5. Two changes to WIF are worth noting:
1. MachineKeySessionSecurityTokenHandler - WIF now includes a MachineKeySessionSecurityTokenHandler, which encrypts and MACs the WIF session cookies using the machine key.
2. requestValidationMode - You no longer have to set requestValidationMode to 2.0 to cope with request validation exceptions on the SignInResponseMessages posted from an STS.
If you need hosting that supports ASP.NET 4.5, don't forget to use the HostUCan ASP.NET Hosting Search Tool to find one.