Monday, June 27, 2011

SharePoint 2010: Security Best Practices

Security Best Practices for Developers in SharePoint 2010 - some short highlights:

- Before rendering user data on the client, encode it with the appropriate method of the SPHttpUtility class (for example HtmlEncode for page content, EcmaScriptStringLiteralEncode for script literals).
- Never allow Contributor users to add script to the site (do not include the "Add and Customize Pages" permission in their permission level).
- If a custom feature displays or serves a document that a user uploaded, add these response headers: X-Content-Type-Options: nosniff, X-Download-Options: noopen and Content-Disposition: attachment.
- Always specify a charset in the Content-Type HTTP response header (most common: Content-Type: text/html; charset=UTF-8).
- Validate the form digest canary before processing a postback (on the client the canary is read with `var canaryValue = document.getElementById('__REQUESTDIGEST').value;`; on the server, check it with SPUtility.ValidateFormDigest()).
- Avoid AllowUnsafeUpdates where possible.
- Use SPUtility.Redirect to redirect to a different page.
- Check an SPSite created from a user-supplied URL with Microsoft.SharePoint.SPSite.ValidateDomainCompatibility.
- Do not allow users to specify arbitrary URLs for SharePoint to connect to. Instead, let farm administrators configure a list of URLs that are known to be safe.
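The practices listed on this page combined in one ASP.NET application page, as an added example (not code from the original post); it assumes the SharePoint 2010 server object model, and the "Feedback" list and Greeting control are placeholders.

```csharp
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical application page (_layouts) that applies the listed practices.
public class SecureSamplePage : LayoutsPageBase
{
    protected Literal Greeting;   // placeholder control declared in the .aspx markup

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Declare the charset explicitly so the browser never has to guess the encoding.
        Response.ContentType = "text/html; charset=UTF-8";

        // User data is HTML-encoded with SPHttpUtility before it reaches the page.
        string userName = Request.QueryString["name"] ?? string.Empty;
        Greeting.Text = "<p>Hello, " + SPHttpUtility.HtmlEncode(userName) + "</p>";

        if (IsPostBack)
        {
            // Reject postbacks whose __REQUESTDIGEST canary is missing or stale (CSRF check).
            if (!SPUtility.ValidateFormDigest())
                throw new UnauthorizedAccessException("Invalid form digest.");

            // A validated digest lets us write without touching AllowUnsafeUpdates.
            SPListItem item = SPContext.Current.Web.Lists["Feedback"].AddItem();
            item["Title"] = userName;
            item.Update();
        }

        // Only follow a ReturnUrl that lives in the same domain as the current site,
        // and redirect through SPUtility rather than Response.Redirect.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!string.IsNullOrEmpty(returnUrl)
            && SPSite.ValidateDomainCompatibility(SPContext.Current.Site.Url, returnUrl))
            SPUtility.Redirect(returnUrl, SPRedirectFlags.Default, Context);
    }

    // Serve a user-uploaded document with headers that stop content sniffing and inline opening.
    protected void SendDocument(SPFile file)
    {
        Response.Clear();
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("X-Content-Type-Options", "nosniff");
        Response.AppendHeader("X-Download-Options", "noopen");
        Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + SPHttpUtility.UrlKeyValueEncode(file.Name) + "\"");
        Response.BinaryWrite(file.OpenBinary());
        Response.End();
    }
}
```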