SharePoint 2010: Security Best Practices

Security Best Practices for Developers in SharePoint 2010 - some short highlights:

• Before rendering user data on the client, encode it by using the appropriate method from the SPHttpUtility class.  
•  Never Allow Contributor Users to Add Script to the Site (don't include "Add and Customize Pages" permission to their permission level)
• If the custom feature shows or downloads the user downloaded document - add to the header:X-Content-Type-Options: nosniff,X-Download-Options: noopen,Content-Disposition: attachment
• Always specify a charset in the Content-Type HTTP response header.(most common: Content-Type: text/html; charset=UTF-8)
• Validate the Form Digest Canary Before Processing a Postback (var canaryValue = document.getElementById('__REQUESTDIGEST').value;)
• Avoid AllowUnsafeUpdates where possible
• Use SPUtility to Redirect to a Different Page
• Check a SPSite created from user input URL with Microsoft.SharePoint.SPSite.ValidateDomainCompatibility
• Do not allow users to specify arbitrary URLs for SharePoint to connect to. Instead, allow farm administrators to configure a list of URLs that are safe.