There are security considerations specific to the EntityDataSource control in addition to those of developing, deploying, and running Entity Framework applications. In addition to the information in this topic, you should also follow the recommendations for creating secure .NET Framework applications. For more information, see Security Considerations (Entity Framework).
The following list describes security considerations specific to the EntityDataSource control.
The component opens a connection using the connection string supplied. The privilege level of the connection depends on the connection and server configuration.
Pages that can produce queries of significant cost should be safeguarded under access control.
Unverified input of query fragments or complete queries should not be exposed to the client side. Applications should always use parameters as an input for queries.
The component is not thread safe because ASP.NET does not require it.
The Entity Framework exposes fragments of metadata information in exception messages. The EntityDataSource control does not try to safeguard metadata from being exposed this way.
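The following page markup is an added example, not code from the original topic: it shows the parameterized form the list item above calls for, with the string-concatenation pattern it warns against left only as a comment. The entity container name ShopEntities, the entity set Products, and the "id" query-string field are assumptions chosen for illustration.

```xml
<%@ Page Language="C#" AutoEventWireup="true" %>
<%-- Constructed example. "ShopEntities", "Products" and the "id" query-string
     field are assumed names, not taken from the original topic. --%>
<script runat="server">
    // Weak pattern: a client-supplied value spliced directly into the Entity SQL
    // Where clause. The control cannot tell the value apart from query text, so
    // whatever the client sends becomes part of the query. Do not do this:
    //   ProductsSource.Where = "it.ProductID = " + Request.QueryString["id"];
</script>
<html>
<body>
<form id="form1" runat="server">
    <%-- Hardened form: the Where clause is fixed text with a named parameter
         (@ProductId); the client value arrives through WhereParameters and is
         converted to Int32 before it reaches the query. A non-numeric "id"
         fails conversion instead of being interpreted as query text. --%>
    <asp:EntityDataSource ID="ProductsSource" runat="server"
        ConnectionString="name=ShopEntities"
        DefaultContainerName="ShopEntities"
        EntitySetName="Products"
        AutoGenerateWhereClause="false"
        Where="it.ProductID = @ProductId">
        <WhereParameters>
            <asp:QueryStringParameter Name="ProductId"
                                      QueryStringField="id"
                                      Type="Int32"
                                      DefaultValue="0" />
        </WhereParameters>
    </asp:EntityDataSource>

    <asp:GridView ID="ProductsGrid" runat="server"
                  DataSourceID="ProductsSource" />
</form>
</body>
</html>
```

The same rule applies to the CommandText property: keep the query text a server-side constant and route every client-influenced value through the control's parameter collections (WhereParameters, CommandParameters, and so on) rather than building query strings at run time.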
Validation of post-back calls
By default, ASP.NET validates the possible arguments for post-back calls on the server. Turning off this feature may severely compromise the security of any Web application.
By default, ASP.NET does not show the stack trace of exceptions in the error page. Turning on this feature may lead to disclosure of some metadata details, as some exception messages may contain fragments of metadata.
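As an added example (not part of the original topic), the following Web.config fragment keeps both of the settings discussed above at their safe values and names the settings whose opposite values the topic warns about. The error page path ~/Error.aspx is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Post-back argument validation. "true" is the ASP.NET default; setting it to
         "false" here, or EnableEventValidation="false" on an individual @ Page
         directive, disables the server-side check the topic describes. -->
    <pages enableEventValidation="true" />

    <!-- Error page behaviour. "RemoteOnly" (the ASP.NET default) shows exception
         details, including the stack trace and any Entity Framework metadata in the
         exception message, only to a browser on the server itself. mode="Off"
         would send those details to every client. ~/Error.aspx is an assumed path. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Debug compilation adds source locations to stack traces; leave it off in
         production so that any trace that does surface carries less detail. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

A quick check on a deployed site is to request a page that throws and confirm, from a remote client, that only the generic error page is returned; the detailed ASP.NET error page with a stack trace means one of the settings above has been changed.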