Monday, June 27, 2011

SharePoint 2010: Security Best Practices

Security best practices for developers in SharePoint 2010 - some short highlights:
  • Before rendering user data on the client, encode it using the appropriate method from the SPHttpUtility class.
  • Never allow contributor users to add script to the site (do not include the "Add and Customize Pages" permission in their permission level).
  • If a custom feature displays or downloads a document that a user uploaded, add these response headers: X-Content-Type-Options: nosniff, X-Download-Options: noopen, Content-Disposition: attachment.
  • Always specify a charset in the Content-Type HTTP response header (most common: Content-Type: text/html; charset=UTF-8).
  • Validate the form digest canary before processing a postback (on the client the value is read with var canaryValue = document.getElementById('__REQUESTDIGEST').value;).
  • Avoid AllowUnsafeUpdates where possible.
  • Use SPUtility to redirect to a different page.
  • Check an SPSite created from a user-supplied URL with Microsoft.SharePoint.SPSite.ValidateDomainCompatibility.
  • Do not allow users to specify arbitrary URLs for SharePoint to connect to. Instead, allow farm administrators to configure a list of URLs that are safe.
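A hypothetical web part, added here as an example (not code from the post or from SharePoint), that applies several of the items above in one place: form digest validation on postback, SPUtility-based redirect, context-appropriate SPHttpUtility encoding, and the download-hardening headers. The class name, the "userText" form field and the AccessDenied.aspx redirect target are assumptions of this example.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical web part, constructed for this example, applying the practices listed above.
public class HardenedEchoWebPart : WebPart
{
    private string _userText = string.Empty; // posted in form field "userText" (example assumption)

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!Page.IsPostBack) return;
        // Reject the postback unless the __REQUESTDIGEST canary validates for this user and site;
        // on failure redirect through SPUtility (layouts-relative) instead of Response.Redirect.
        if (!SPUtility.ValidateFormDigest())
        {
            SPUtility.Redirect("AccessDenied.aspx", SPRedirectFlags.RelativeToLayoutsPage, HttpContext.Current);
            return;
        }
        _userText = Page.Request.Form["userText"] ?? string.Empty;
    }

    protected override void RenderContents(HtmlTextWriter writer)
    {
        // Encode for the HTML context so markup in the value is displayed, not interpreted.
        writer.Write("<p>You entered: " + SPHttpUtility.HtmlEncode(_userText) + "</p>");
        // Inside a script literal the HTML encoder is the wrong tool; use the script-literal encoder.
        writer.Write("<script>var last = '" + SPHttpUtility.EcmaScriptStringLiteralEncode(_userText) + "';</script>");
    }

    // Serve a user-uploaded file as a download with the three hardening headers from the list.
    public static void SendDownload(HttpResponse response, SPFile file)
    {
        response.Clear();
        response.ContentType = "application/octet-stream";
        response.AppendHeader("X-Content-Type-Options", "nosniff");
        response.AppendHeader("X-Download-Options", "noopen");
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + file.Name.Replace("\"", "") + "\"");
        response.BinaryWrite(file.OpenBinary());
        response.End();
    }
}
```

The two encoders in RenderContents are deliberately different: HtmlEncode protects an HTML text node, while a value placed inside a JavaScript string literal needs EcmaScriptStringLiteralEncode, since HTML encoding alone does not neutralise a quote that closes the literal.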