http://blogs.msdn.com/b/sfaust/archive/2008/09/25/checking-for-viewstateuserkey-using-fxcop.aspxASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. I've implemented a basic FXCop rule to verify if this property is used on each page. The rule is basic so it doesn't looken-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)