The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.

Security (C# Programming Guide)

Security is an indispensable aspect of every C# applications, and must be considered at every phase of development: not merely when design and implementation are complete.

This list is in not an exhaustive list of potential security problems. It highlights some common issues of which C# developers need to be aware.

  • Use the checked keyword to control the overflow-checking context for integral-type arithmetic operations and conversions.

  • Always use the most restrictive data type for parameters. For example, when passing a value into a method that describes the size of a data structure, use unsigned integer rather than integer.

  • Do not make decisions based on filenames. Filenames can be expressed in many different ways, and your test for a particular file may be bypassed.

  • Never, ever hardcode passwords or other sensitive information into your application.

  • Always validate input that is used to generate SQL queries.

  • Validate all inputs into your methods. The regular expression methods in System.Text.RegularExpressions namespace are useful for confirming input is of the correct form, such as an email address.

  • Don't display exception information: it provides any would-be attacker with valuable clues.

  • Ensure your application works while running with the least possible privileges. Few applications require a user to be logged in as an administrator.

  • Don't use your own encryption algorithms, use the System.Security.Cryptography classes.

  • Give your Assemblies strong names.

  • Don't store sensitive information in XML or other configuration files.

  • Check managed code that wraps native code carefully. Confirm the native code is secure, especially with regard to buffer overruns.

  • Use caution when using delegates passed from outside your application.

  • Run FxCop on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. FxCop can also find and warn against over 200 code defects.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2015 Microsoft