Tuesday, 7 August 2012

MVC - SSL, Testing and Production

I recently had a conversation with a colleague about SSL and how a login page for an MVC application could be forced over SSL, to ensure credentials supplied in the login form are sent over an encrypted channel.

The answer is quite easy: there is an attribute, RequireHttps, that can be applied to your controller method.

However...

During my time as a developer, one problem I have seen many times is development code being published to a production environment. The consequences can range from minor embarrassment (Response.Write() anyone?) to dangerous security holes.

When debugging an application, having the RequireHttps attribute set on a controller method can cause all sorts of issues, and the temptation is to comment it out for debugging. The danger here, of course, is that the attribute is then not un-commented before deploying to a production environment.

There are several ways to ensure this doesn't happen:

1. You could use IIS and a self-signed certificate when testing locally, but this depends on the level of admin access you have to your development PC.

2. Use conditional compilation. For example:

#if !DEBUG
[RequireHttps]
#endif

You could argue that this leads to messy code; however, my main concern is that it doesn't mitigate against a debug build of a DLL making its way to a production environment. Trust me, this is more common than you might think.

3. Use an attribute derived from RequireHttpsAttribute. This last option is by far my favourite, and the safest option.


using System;
using System.Web.Mvc;

// Behaves exactly like [RequireHttps], except that requests originating from the
// local machine (i.e. a developer debugging on localhost) are exempted from the
// HTTPS check. Remote requests still go through the base class, which redirects
// plain-HTTP GETs to HTTPS and refuses non-GET requests over plain HTTP.
public class RemoteRequireHttps : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Local requests are allowed through without SSL.
        if (filterContext.HttpContext != null && filterContext.HttpContext.Request.IsLocal)
        {
            return;
        }

        // Everything else is subject to the standard RequireHttps behaviour.
        base.OnAuthorization(filterContext);
    }
}

When you need to force a controller method over SSL, use the RemoteRequireHttps attribute you have created above. When testing locally, the IsLocal check will prevent SSL from being required. When deployed to a production environment, the method will be forced over SSL.
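Because the attribute's behaviour no longer depends on the build configuration, it can be pinned down with a unit test that runs in both Debug and Release. The following test class is an added example, not part of the original post; it assumes xUnit and Moq are available, that RemoteRequireHttps from above is in scope, and uses a constructed host name (www.example.com) and path for the fake request.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Moq;
using Xunit;
public class RemoteRequireHttpsTests
{
    // Constructed fixture: a fake request exposing only the properties the attribute inspects.
    private static AuthorizationContext BuildContext(bool isLocal, bool isSecure, string method)
    {
        var request = new Mock<HttpRequestBase>();
        request.SetupGet(r => r.IsLocal).Returns(isLocal);
        request.SetupGet(r => r.IsSecureConnection).Returns(isSecure);
        request.SetupGet(r => r.HttpMethod).Returns(method);
        request.SetupGet(r => r.Url).Returns(new Uri("http://www.example.com/Account/Login"));
        request.SetupGet(r => r.RawUrl).Returns("/Account/Login");
        var http = new Mock<HttpContextBase>();
        http.SetupGet(h => h.Request).Returns(request.Object);
        var controllerContext = new ControllerContext(http.Object, new RouteData(), new Mock<ControllerBase>().Object);
        return new AuthorizationContext(controllerContext, new Mock<ActionDescriptor>().Object);
    }

    [Theory]
    [InlineData(true, false)]   // local developer request over plain HTTP is let through
    [InlineData(false, true)]   // remote request that is already HTTPS is let through
    public void PermittedRequestsAreNotRedirected(bool isLocal, bool isSecure)
    {
        var ctx = BuildContext(isLocal, isSecure, "GET");
        new RemoteRequireHttps().OnAuthorization(ctx);
        Assert.Null(ctx.Result);
    }

    [Fact]
    public void RemoteHttpGetIsRedirectedToHttps()
    {
        var ctx = BuildContext(isLocal: false, isSecure: false, method: "GET");
        new RemoteRequireHttps().OnAuthorization(ctx);
        var redirect = Assert.IsType<RedirectResult>(ctx.Result);
        Assert.StartsWith("https://www.example.com/Account/Login", redirect.Url);
    }

    [Fact]
    public void RemoteHttpPostIsRefusedRatherThanRedirected()
    {
        // The base attribute throws for non-GET, so a login form posted over plain HTTP is never processed.
        var ctx = BuildContext(isLocal: false, isSecure: false, method: "POST");
        Assert.Throws<InvalidOperationException>(() => new RemoteRequireHttps().OnAuthorization(ctx));
    }
}
```

Running these in your CI pipeline against the Release build gives you a check that the HTTPS requirement survived deployment, which is the point the conditional-compilation approach cannot give you.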

With security, nothing can be left to chance and the mitigation of an accidental release of development code into a production environment needs to be considered at all times. 

