CRV2 SSL-TLS

From OWASP
Revision as of 06:07, 1 August 2013 by EoinKeary


Ensuring SSL with MVC.NET

When reviewing an MVC .NET application, it is important to make sure the application transmits and receives data over a secure link. It is not recommended to only have the login pages over SSL and then default to clear. We also need to protect our session cookie, as it is pretty much as useful as a user's credentials.

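   public static void RegisterGlobalFilters(GlobalFilterCollection filters)
   {
       // ... other global filter registrations elided ...
       // Apply RequireHttps to every controller action in the application
       filters.Add(new RequireHttpsAttribute());
   }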


In the global.asax file we can review the RegisterGlobalFilters method. The RequireHttpsAttribute() attribute can be used to make sure the application runs over SSL/TLS. It is recommended that this is enabled for SSL/TLS sites.
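
RequireHttpsAttribute redirects plain-HTTP requests but does not itself set the Secure flag on cookies, so a review of the session cookie protection mentioned above also covers web.config. The fragment below is an added example, not part of the original page; it is a constructed configuration, and the loginUrl value is an assumed placeholder.

```xml
<!-- Constructed web.config fragment for review purposes; not from the original page. -->
<configuration>
  <system.web>
    <!-- Weak setting a reviewer should flag (shown commented out):
         cookies carry no Secure flag and can travel over plain HTTP.
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    -->

    <!-- Hardened setting: cookies issued by the application, including the
         ASP.NET session cookie, default to Secure and HttpOnly. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- requireSSL="true" marks the forms authentication ticket cookie Secure.
           loginUrl is an assumed placeholder path. -->
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```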