Tuesday, July 8, 2014

Security Considerations for ASP.NET MVC 4


ASP.NET MVC 4 reference documentation (the "bible"):
http://msdn.microsoft.com/en-us/library/gg416514(v=vs.108).aspx


**** Security-specific points applicable to MVC 4
1. Safeguarding controllers and actions

  • AllowAnonymous
  • Authorize
  • RequireHttpsAttribute
To apply the Authorize attribute to all actions (of every controller) at once, register it as a global filter:

using System.Web.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Global Authorize: every action now requires an authenticated user
        // unless the action (or its controller) is marked [AllowAnonymous].
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
}

Secure the site with HTTPS: RequireHttpsAttribute, registered globally in the same way

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    // Plain-HTTP requests to any action are now rejected (GETs are redirected to HTTPS).
    filters.Add(new RequireHttpsAttribute());
}

http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx

2. Cross-site request forgery (CSRF) in MVC: Html.AntiForgeryToken() and ValidateAntiForgeryToken

  • CSRF
  • Html.AntiForgeryToken()
  • ValidateAntiForgeryToken
  • Salt-based Html.AntiForgeryToken("SaltValue")
Using a salt with AntiForgeryToken(): supports multiple forms that are independent of each other, a kind of isolation between the tokens of different forms.
Two-way handshake: Html.AntiForgeryToken() in the form, ValidateAntiForgeryToken on the action or at controller level.
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/


3. Preventing JavaScript injection (cross-site scripting, XSS) attacks in ASP.NET

HTML encode:
<%=Html.Encode(feedback.Message)%>

Anyone can inject JavaScript code into the feedback text area; we prevent it from executing by HTML-encoding the output with Html.Encode.
http://www.asp.net/mvc/tutorials/older-versions/security/preventing-javascript-injection-attacks-vb
AntiXss library:
@Encoder.JavaScriptEncode
JavaScript encoding helper class:
@Ajax.JavaScriptStringEncode
http://weblogs.asp.net/jongalloway//preventing-javascript-encoding-xss-attacks-in-asp-net-mvc
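As an added example (not code from the original post), a single controller that combines the three points above: the attribute trio from section 1, the anti-forgery handshake from section 2 and context-specific output encoding from section 3. FeedbackController, the Feedback model and the view paths quoted in the trailing comment are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Constructed example, not code from the original post: FeedbackController,
// the Feedback model and the view paths in the comment below are assumptions.
public class Feedback
{
    [Required, StringLength(500)]
    public string Message { get; set; }
}

[Authorize]      // controller level: every action needs an authenticated user ...
[RequireHttps]   // ... and is only served over HTTPS
public class FeedbackController : Controller
{
    // In-memory store so the example is self-contained (assumption).
    private static readonly List<Feedback> Store = new List<Feedback>();
    [AllowAnonymous] // opts this single action out of the controller-level [Authorize]
    public ActionResult Index()
    {
        return View(Store);
    }
    public ActionResult Create() { return View(); }   // GET: render the empty form

    [HttpPost]
    [ValidateAntiForgeryToken] // rejects a POST whose hidden token does not match the anti-forgery cookie
    public ActionResult Create(Feedback model)
    {
        if (!ModelState.IsValid) return View(model);
        Store.Add(model);
        return RedirectToAction("Index");
    }
}
/* Views/Feedback/Create.cshtml (Razor), the form half of the CSRF handshake:
@model Feedback
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()            <!-- hidden __RequestVerificationToken field -->
    @Html.TextAreaFor(m => m.Message)
    <input type="submit" value="Send" />
}
   Views/Feedback/Index.cshtml, output encoding per context (XSS):
@model List<Feedback>
@foreach (var f in Model) {
    <p>@f.Message</p>                                                 @* Razor's @ HTML-encodes; never @Html.Raw(f.Message) *@
    <script>console.log('@Ajax.JavaScriptStringEncode(f.Message)');</script>   @* JS-string context needs JS encoding *@
}
*/
```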
