JSP and ASP.NET security best practices

You should ensure your JSP or ASP.NET webpages do not compromise security.

Depending on your implementation of Content Delivery, your website may have JSP or ASP.NET pages that access published content. Restrict those pages to making API calls and rendering the results. Implement any business logic or process that has security implications outside the JSP or ASP.NET pages: for example, as Java classes resident on the server or as servlets that the pages delegate to, with the API calls made from there. A page then carries no logic that a user can influence by how they reach it. In a more dynamic implementation, interaction with content is done through the Web and application server rather than in the pages themselves.

Most application servers (such as WebLogic and WebSphere) provide vendor-specific security features. While such features can be valuable security controls, they limit the portability of the complete application, so try to keep their usage to a minimum and prefer the standard, portable mechanisms of the platform where they meet the requirement.

Your JSP or ASP.NET pages together implement a business process. A malicious user who understands the structure of that process can request the URL of a specific stage directly, skipping earlier stages, and subvert it with crafted data. To prevent users from inferring and driving the process from URLs, consider a single application URL that represents all of the application's pages. That URL processes application state and user requests, keeping the current stage server-side rather than exposing it in the URL. Hiding the URLs alone is only obscurity: the controller behind the single URL must also check that each requested action is legal from the state recorded on the server, and reject it otherwise.
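The following is an added illustration of both points above (security-relevant logic kept in a servlet, and a single application URL that holds the process state server-side); it is example code written for this page, not part of the product or its documentation. It assumes a standard Java servlet container (javax.servlet), a hypothetical three-stage process with stage names START, REVIEW, CONFIRM and DONE, a hypothetical applyStage hook standing in for validation and the API call, and JSPs stored under WEB-INF so they cannot be requested directly.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Front controller: the only URL the browser sees for this process is /app.
 * The current stage lives in the server-side session, not in the URL, so a
 * user cannot jump to CONFIRM by typing its address.
 */
@WebServlet("/app")
public class ProcessController extends HttpServlet {

    // Stages of the hypothetical process. These names never appear in a URL.
    private enum Stage { START, REVIEW, CONFIRM, DONE }

    // Legal transitions: for each stage, the permitted actions and where they lead.
    private static final Map<Stage, Map<String, Stage>> TRANSITIONS = Map.of(
        Stage.START,   Map.of("next", Stage.REVIEW),
        Stage.REVIEW,  Map.of("next", Stage.CONFIRM, "back", Stage.START),
        Stage.CONFIRM, Map.of("submit", Stage.DONE, "back", Stage.REVIEW),
        Stage.DONE,    Map.<String, Stage>of()
    );

    private static final String STAGE_ATTR = "process.stage";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // GET only renders the current stage; it never advances the process.
        render(currentStage(req.getSession(true)), req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        Stage current = currentStage(session);
        String action = req.getParameter("action");

        // Look the action up against the server-side state, not against the request.
        Stage next = (action == null) ? null : TRANSITIONS.get(current).get(action);
        if (next == null) {
            // Not a legal move from this stage: reject rather than guess.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "action not permitted at this stage");
            return;
        }

        // Security-relevant work (input validation, the API call) happens here in
        // the servlet, never in the JSP. applyStage is a hypothetical hook for it.
        if (!applyStage(current, next, req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid input for this stage");
            return;
        }

        session.setAttribute(STAGE_ATTR, next);
        // Redirect after POST so a refresh cannot replay the transition; the URL stays /app.
        resp.sendRedirect(req.getContextPath() + "/app");
    }

    private static Stage currentStage(HttpSession session) {
        Object s = session.getAttribute(STAGE_ATTR);
        return (s instanceof Stage) ? (Stage) s : Stage.START;
    }

    /** Hypothetical: validate the input for this transition before any API call is made. */
    private boolean applyStage(Stage from, Stage to, HttpServletRequest req) {
        if (from == Stage.REVIEW && to == Stage.CONFIRM) {
            String id = req.getParameter("itemId");
            // Allow-list the identifier's shape before it reaches the content API.
            return id != null && id.matches("[A-Za-z0-9_-]{1,64}");
        }
        return true;
    }

    /** The JSP only renders the stage it is handed; it contains no process logic. */
    private void render(Stage stage, HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setAttribute("stage", stage.name());
        req.getRequestDispatcher("/WEB-INF/jsp/" + stage.name().toLowerCase() + ".jsp")
           .forward(req, resp);
    }
}
```

Two details carry the security value here. First, the transition table is consulted against the stage stored in the session, so a POST of action=submit from a fresh session is rejected even though the user knows the action name. Second, the JSPs live under WEB-INF, which a servlet container never serves directly, so the only way to reach a stage's page is through the controller that enforces the state check.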