Excerpted from Scott Hanselman's blog.
A must read for all web programmers...
(Original source: http://www.hanselman.com/blog/ChecklistWhatNOTToDoInASPNET.aspx)
----------------------------------------------------------------------------------------
- Standards Compliance
  - Control Adapters - Control adapters were a good idea in .NET 2, but it's best to use solid adaptive CSS and HTML techniques today.
  - Style Properties on Controls - Set CSS classes yourself, don't use inline styles.
  - Page and Control Callbacks - Page Callbacks pre-date standard AJAX techniques, so today, stick with SignalR, Web API, and JavaScript.
  - Browser Capability Detection - Check for features, not for browsers whenever possible.
- Security
  - Request Validation - While Request Validation is useful, it's not focused and it doesn't know exactly what your app is doing. Be smart and validate inputs with the full knowledge of what your app is trying to accomplish. Don't trust user input.
  - Cookieless Forms Authentication and Session - Don't pass anything auth related in the query string. Cookieless auth will never be secure. Don't do it.
  - EnableViewStateMac - This should never be false. Ever.
  - Medium Trust - Medium trust isn't a security boundary you should count on. Put apps in separate app pools.
  - Don't disable security patches with appSettings.
  - UrlPathEncode - This doesn't do what you think it does. Use UrlEncode. This method was very specific, poorly named, and is now totally obsolete.
- Reliability and Performance
  - PreSendRequestHeaders and PreSendRequestContext - Leave these alone when making managed modules. These can be used with native modules, but not IHttpModules.
  - Asynchronous Page Events with Web Forms - Use Page.RegisterAsyncTask instead.
  - Fire-and-Forget Work - Avoid using ThreadPool.QueueUserWorkItem as your app pool could disappear at any time. Move this work outside or use WebBackgrounder if you must.
  - Request Entity Body - Stay out of Request.Form and Request.InputStream before your handler's execute event. It may not be ready to go.
  - Response.Redirect and Response.End - Be conscious of Thread.Aborts that will happen when you redirect.
  - EnableViewState and ViewStateMode - There's no need to hate on ViewState. Turn it off everywhere, then turn it on only for the individual controls that need it.
  - SqlMembershipProvider - Consider using ASP.NET User Providers, or better yet, the new ASP.NET Identity system.
  - Long Running Requests (>110 seconds) - ASP.NET isn't meant to handle long running requests that are a minute (or two) long. Use WebSockets or SignalR for connected clients, and use asynchronous I/O operations.
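The Security items in the checklist (Request Validation, cookieless auth and session, EnableViewStateMac, Medium Trust) are mostly web.config switches. As an added example that is not from the original post, here are two constructed web.config fragments for a Web Forms app using Forms authentication: the weak settings the list warns against, followed by the settings to use instead.

```xml
<!-- Constructed example 1: the settings the Security section warns against. -->
<configuration>
  <system.web>
    <!-- Request Validation switched off for every page, and the ViewState MAC
         disabled, so a client can hand back a modified ViewState unchallenged. -->
    <pages validateRequest="false"
           enableViewStateMac="false" />
    <authentication mode="Forms">
      <!-- The auth ticket is carried in the URL, so it lands in logs, Referer
           headers and browser history. -->
      <forms cookieless="UseUri" />
    </authentication>
    <!-- Same problem for the session id. -->
    <sessionState cookieless="UseUri" />
    <!-- Medium trust used as if it isolated this app from its neighbours. -->
    <trust level="Medium" />
  </system.web>
</configuration>

<!-- Constructed example 2: the same app with the settings corrected. -->
<configuration>
  <system.web>
    <!-- Keep Request Validation on as a backstop (each input is still validated
         in code), keep the ViewState MAC, and encrypt ViewState as well. -->
    <pages validateRequest="true"
           enableViewStateMac="true"
           viewStateEncryptionMode="Always" />
    <authentication mode="Forms">
      <!-- Ticket only in a cookie, and only over TLS. -->
      <forms cookieless="UseCookies" requireSSL="true" />
    </authentication>
    <sessionState cookieless="UseCookies" />
    <!-- Cookies unreadable from script and never sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Run at full trust; isolate apps from each other with separate IIS
         application pools (and pool identities), not with trust levels. -->
    <trust level="Full" />
  </system.web>
</configuration>
```

Each fragment is a complete configuration element on its own; they are shown back to back only for comparison.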