Writing Secure Code

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

Use the following guidelines to understand security considerations when authoring speech-enabled ASP.NET Web applications.

Testing Applications

Developers should test their applications in server or network environments using varying levels of security to achieve a higher level of application security. Developers should also test their applications using the latest versions of Microsoft software to ensure that their applications are compatible with the most secure versions of Microsoft software.

Using Secure Hypertext Transfer Protocol (HTTPS)

When calling pages on other servers from an application using HTTPS, ensure that the following requirements are met:

  • Ensure that pages on other servers are called using HTTPS. Otherwise, the call fails.
  • Ensure that the Secure Sockets Layer (SSL) certificate for the server hosting the page is valid. Otherwise, the call fails.
  • Ensure that the server referenced in the call is listed exactly as it appears on the SSL certificate. For example, if the client calls https://widgets/welcome.ssml while the certificate is issued to widgets.msdn.microsoft.com, the call fails.
  • Never issue a certificate to localhost or reference localhost while making an HTTP/HTTPS request.
  • After receiving the SSL certificate, use Microsoft Internet Explorer to verify the connection to the server and verify that the certificate authority (CA) belongs to the certificate trust list. Use the Certificate Trust List Wizard in Microsoft Management Console (MMC) to edit the certificate trust list if needed.

For information about obtaining a certificate from a CA and about configuring Internet Information Services to use HTTPS and SSL certificates, see How to enable SSL for all customers who interact with your Web site in Internet Information Services.
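The scheme, certificate-name, and localhost requirements above can be checked before deployment. The following Python script is an added example, not part of the original guidance or of any Microsoft tooling. The function names, the treatment of loopback addresses as localhost, and the wildcard handling are assumptions that go beyond the exact-match case the page describes, and the certificate names are supplied by the caller rather than read from a live server.

```python
from urllib.parse import urlsplit

# Assumption: loopback addresses are treated the same as the name "localhost".
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def name_matches(host, cert_name):
    """Compare a host with one certificate name, case-insensitively.

    A leading "*." in the certificate name matches exactly one left-most
    label, so "*.example.test" matches "a.example.test" but not
    "example.test" or "a.b.example.test".
    """
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == cert_name[2:]
    return host == cert_name


def check_call(url, cert_names):
    """Return the problems that would make the call fail; [] means it passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("not-https")
    if host in LOOPBACK_NAMES:
        problems.append("localhost")
    if not any(name_matches(host, name) for name in cert_names):
        problems.append("name-mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample: the URLs an application calls, checked against the
    # name on the target server's certificate (the page's own example).
    cert_names = ["widgets.msdn.microsoft.com"]
    for url in ("https://widgets/welcome.ssml",
                "https://widgets.msdn.microsoft.com/welcome.ssml",
                "http://localhost/welcome.ssml"):
        print(url, "->", check_call(url, cert_names) or "ok")
```

The script does not check certificate validity or the issuing CA; those are still verified during the SSL handshake and through the certificate trust list.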

Encrypting Audio Streams

By default, audio streams are not encrypted. To encrypt audio streams, use the IP Security Protocol (IPSec) or the Point-to-Point Tunneling Protocol (PPTP) to establish a virtual private network (VPN) connection between the client and server. IPSec and PPTP are typically implemented and administered by system administrators, and their settings cannot be controlled on a per-application basis.

  • To control and configure IPSec, use the IP Security Policy Management snap-in within MMC.
  • To control and configure PPTP, open Control Panel, and then click Network Connections.

See Also

Other Resources

Speech Application Development Guide