This month we published a white paper written by Stefan Schackow that describes changes to the request validation process in ASP.NET 4 and provides detailed guidance on several related security topics:

  • Encryption options and functionality in the <machineKey> element.
  • Interoperability of ASP.NET 4 forms authentication tickets with ASP.NET 2.0.
  • Configuration options to relax automatic security checks on inbound URLs.
  • Pluggable request validation.
  • Pluggable encoding for HTML elements, HTML attributes, HTTP headers, and URLs.

To get a copy of the white paper, download it from MSDN. There is also a link to it from the ASP.NET site in both the Web Forms Overview, Security chapter, and the MVC Overview, Security chapter.

-- Tom Dykstra
ASP.NET and Web Tools Developer Content