
Useful Security Tips

In this article, you will find helpful security tips and resources to strengthen the protection of your ASP.NET Web Forms app and of the Telerik ASP.NET AJAX controls, especially those that offer editing, file upload, and file management features.

General Security Best Practices

These tips apply across many Telerik controls and help secure your application holistically:

  • Regular Upgrades: Always perform regular upgrades to the latest version of Telerik UI for ASP.NET AJAX to ensure the highest levels of security, stability, and support for modern browsers. You can find upgrade instructions here.

  • Web.config Additions: Ensure you configure the mandatory additions to your web.config file. This article provides guidance on the essential web.config settings for Telerik's AJAX suite: Configure Mandatory Additions to web.config file.

  • Encrypt appSettings Keys: For better security, avoid storing sensitive information in plain text. Follow this guide to encrypt the appSetting section of your web.config using the aspnet_regiis tool: How to Encrypt Telerik appSettings Keys

  • Encrypt ViewState: If you're using a version earlier than ASP.NET 4.5, ensure ViewState encryption is enabled by setting the ViewStateEncryptionMode and EnableViewStateMAC attributes. Here's a sample configuration:

    XML
    <configuration>
       <system.web>
          <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
       </system.web>
    </configuration>

    The official recommendation by Microsoft is to upgrade to at least .NET 4.8 as noted at .NET Release history. You can find more useful information at Cryptographic Improvements in ASP.NET 4.5, pt. 2.

  • Encrypt Telerik WebResource Querystring: For extra security, encrypt the Telerik WebResource querystring by enabling the Telerik.ScriptManager.EnableHandlerEncryption setting. This hides product version information in the page markup. Follow the steps here: Encrypt Telerik WebResource Querystring.

  • Regular Expression Timeout Settings: To mitigate potential performance issues or vulnerabilities in regular expressions, a default timeout of 3 seconds is applied. You can customize this timeout by adding the Telerik.RegexMatchTimeout setting in your web.config file. Specify the timeout duration (in seconds) to suit your application needs:

    XML
    <appSettings>
       <add key="Telerik.RegexMatchTimeout" value="5"/>
    </appSettings>

    This ensures that long-running regular expressions do not hang indefinitely, helping to protect your application from potential ReDoS (Regular Expression Denial of Service) attacks.

  • Document Format Provider Timeout Settings: Starting with the 2025 Q1 release, a default timeout of 10 seconds is applied to ensure consistent performance during import and export operations. You can customize this timeout by adding the Telerik.DplFormatProviderTimeout setting in your web.config file. Specify the timeout duration (in seconds) to suit your application needs:

    XML
    <appSettings>
       <add key="Telerik.DplFormatProviderTimeout" value="15"/>
    </appSettings>

  • Embedded jQuery Security: Telerik ASP.NET AJAX components embed a custom, secure version of jQuery. Learn about the security enhancements and modifications made to ensure safe usage of jQuery within Telerik controls: Embedded jQuery Security.
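The Regular Expression Timeout Settings bullet above describes a time budget for regex matching. The following is an added example, not Telerik's code and not the implementation behind the Telerik.RegexMatchTimeout key: it shows the .NET mechanism a match timeout relies on, so you can see what happens when a pattern with nested quantifiers (a classic ReDoS shape) is run against input that almost matches. The pattern, the input, and the `BoundedMatch` helper are constructed for this demonstration; the process-wide `REGEX_DEFAULT_MATCH_TIMEOUT` AppDomain value is a real .NET setting for your own Regex instances and is separate from the Telerik key.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not Telerik's code): demonstrates what a bounded regex match
// does in .NET, the mechanism that keeps runaway backtracking from hanging a
// request thread. Pattern and input below are constructed for the demo.
public static class RegexTimeoutDemo
{
    // Runs the match under a time budget and reports the outcome instead of
    // letting a catastrophic-backtracking pattern block the thread.
    public static string BoundedMatch(string pattern, string input, TimeSpan budget)
    {
        var regex = new Regex(pattern, RegexOptions.None, budget);
        try
        {
            return regex.IsMatch(input) ? "match" : "no match";
        }
        catch (RegexMatchTimeoutException ex)
        {
            // Logging these properties is usually enough to locate the offending pattern.
            return "timeout: pattern=" + ex.Pattern
                 + " budget=" + ex.MatchTimeout.TotalSeconds + "s";
        }
    }

    public static void Main()
    {
        // Process-wide default for Regex instances created WITHOUT an explicit timeout.
        // Must be set before the first Regex is constructed in the AppDomain.
        // (Assumption: this is your own code; it does not replace the Telerik.RegexMatchTimeout key.)
        AppDomain.CurrentDomain.SetData("REGEX_DEFAULT_MATCH_TIMEOUT", TimeSpan.FromSeconds(3));

        // Constructed input: many 'a' characters followed by one that defeats the match,
        // which forces a nested-quantifier pattern to backtrack through every possible split.
        string almostMatching = new string('a', 40) + "!";

        // Same 3-second budget the page describes as the default.
        // On .NET Framework's backtracking engine the first call times out; the second returns at once.
        Console.WriteLine(BoundedMatch(@"^(a+)+$", almostMatching, TimeSpan.FromSeconds(3)));
        Console.WriteLine(BoundedMatch(@"^a+$", almostMatching, TimeSpan.FromSeconds(3)));
    }
}
```

The defensive point is the catch block: a timeout turns an unbounded CPU burn into a logged, recoverable error, which is what the Telerik setting buys you for the controls' own patterns. For patterns you write yourself, prefer rewriting nested quantifiers out of the expression and treat a RegexMatchTimeoutException in your logs as a signal to review the pattern, not just to raise the budget.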

Control-Specific Security Guidelines

File Upload Security

  • RadAsyncUpload - This article explains how to ensure information about the RadAsyncUpload configuration is secure and non-readable. Its transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server. Also, go through the FAQ section where you can find useful information and tips for the AsyncUpload security.

  • RadCloudUpload Security - See how to ensure information about the RadCloudUpload configuration is secure and non-readable.

Editor Control Security

  • RadEditor Security - learn how to ensure information about the RadEditor configuration is secure and non-readable. Its transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server.
  • Prevent Cross-site Scripting (XSS) - see how to enable the anti-XSS mechanism of RadEditor.

Grid Control Security

  • Security is a priority for RadGrid, especially when handling sensitive data. For a detailed guide on addressing potential security risks, visit the RadGrid Security article.

File Explorer Control Security

  • Security - learn how to secure the user actions invoked through RadFileExplorer.

Spell Control Security

  • Security - the article shows how to ensure information about the RadSpell configuration is secure and non-readable.

Content Security Policy (CSP)

Content Security Policy (CSP) is an effective security layer against cross-site scripting (XSS) and data injection attacks. However, full CSP compliance without the use of unsafe-inline and unsafe-eval is challenging for ASP.NET Web Forms applications. This limitation arises due to the heavy reliance on the Microsoft AJAX client-side library, which makes extensive use of functions like setTimeout(), setInterval(), inline scripts, and eval().

When integrating Telerik UI for ASP.NET AJAX with a CSP, it's necessary to include unsafe-inline and unsafe-eval directives for proper functionality.

For more details on how to configure your Web Forms application to use CSP, refer to the following resource: Content Security Policy Mode.
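Because the two unsafe keywords cannot be avoided for scripts, the remaining directives are where a CSP for a Web Forms app still earns its keep. The following is an added example, not Telerik's code and not taken from the Content Security Policy Mode article: a Global.asax code-behind that emits a policy which grants script-src the 'unsafe-inline' and 'unsafe-eval' the page says are required, while keeping the other directives tight. The non-script directives (style-src, img-src, object-src, base-uri, frame-ancestors) and their values are assumptions for illustration, and any additional origins your application actually loads from must be added to the relevant directive.

```csharp
using System;
using System.Web;

// Added example (not Telerik's code): Global.asax code-behind that sends a
// Content-Security-Policy header on every response. script-src carries the
// keywords the page states Web Forms + Telerik UI need; the other directives
// are assumed hardening choices that keep the rest of the policy strict.
public class Global : HttpApplication
{
    // Built once; each directive is commented so the trade-off stays explicit.
    private static readonly string Policy = string.Join("; ", new[]
    {
        "default-src 'self'",                               // nothing loads cross-origin unless a directive below allows it
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // required by the Microsoft AJAX client library (see text above)
        "style-src 'self' 'unsafe-inline'",                 // assumption: inline style attributes emitted by server controls
        "img-src 'self' data:",                             // assumption: data: URIs for small embedded images
        "object-src 'none'",                                // no plugin content is needed
        "base-uri 'self'",                                  // stops an injected <base> tag from redirecting relative URLs
        "frame-ancestors 'self'"                            // clickjacking protection; CSP supersedes X-Frame-Options here
    });

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // AppendHeader works in both classic and integrated IIS pipeline modes,
        // unlike writing to Response.Headers directly.
        Response.AppendHeader("Content-Security-Policy", Policy);
    }
}
```

Wire the class up through the `Inherits` attribute of your Global.asax directive. Roll the policy out first as `Content-Security-Policy-Report-Only` with a `report-uri` or `report-to` directive pointing at an endpoint you control, so violations from origins you forgot show up in logs before the enforcing header breaks a page.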

Additional Resources

  • Security FAQ: For more answers to common security-related questions, visit our Security FAQ.

  • Upgrade Recommendations: Regularly updating to the latest version of Telerik UI for ASP.NET AJAX is one of the best ways to ensure security. You can find the necessary upgrade steps here.

  • Security Blog: For more expert tips, check out the following blog post: First 5 Tips for Building Secure (Web) Apps.