Securing your Site?

by volkanuzun 7/24/2008 1:53:00 AM

Over the last few weeks we had some problems with some of our old web sites, mostly developed using classic ASP, and somebody at the Ceviz.NET forums also asked how to develop a secure web site and what our practices are. Below are my practices for developing a secure web site, in the order they come to mind:

  • I use client-side UI validation (ASP.NET validators) only to give the user quicker feedback; I don't trust client-side validation, but I still use it.
  • Every input (QueryString, Cookies, Form elements) is validated on the server side.
  • Each layer has its own validation (UI, BAL, DAL).
  • I try to use one validation class to handle all validation in the project.
  • I don't use direct SQL commands; I try to use ORMs such as SubSonic, and if the nature of the project doesn't allow that, I create my own DB layer and always use stored procedures.
  • I never use dbo permissions to access the DB.
  • If membership is involved in the project, I don't write my own membership classes; I use the ones provided by the framework.
  • I use health monitoring to track the app.
  • I use a certificate on the login page.
  • I encrypt personal info in the database.
  • I assume that somebody can easily see my source code, so I try not to leave a back door in the code.
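The way several of these points fit together in code (one shared validation class, re-validation in the DAL, a stored procedure with typed parameters, and a connection string for a low-privilege login) is shown in the following added example; it is not code from the original post, and the names InputValidator, CustomerRepository, usp_GetCustomerByEmail and the "AppDb" connection string are hypothetical.

```csharp
// Added example, not from the original post. Hypothetical names throughout.
// Shows: one validation class shared by UI and DAL, the DAL re-validating its
// input, and a stored-procedure call with typed parameters (no SQL concatenation).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class InputValidator
{
    // Whitelist what the field may contain rather than blacklisting bad characters.
    static readonly Regex EmailPattern =
        new Regex(@"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", RegexOptions.Compiled);

    public static bool IsEmail(string value)
    {
        return value != null && value.Length <= 254 && EmailPattern.IsMatch(value);
    }

    // QueryString, Form and Cookie values all arrive as strings; parse them strictly.
    public static bool TryParseId(string value, out int id)
    {
        return int.TryParse(value, out id) && id > 0;
    }
}

public class CustomerRepository
{
    // The DAL validates again; it must not assume the UI layer already did.
    public DataTable GetByEmail(string email)
    {
        if (!InputValidator.IsEmail(email))
            throw new ArgumentException("Invalid e-mail address.", "email");

        // "AppDb" should map to a login with execute rights on the procedures only, not dbo.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("usp_GetCustomerByEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;

            DataTable result = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                result.Load(reader);
            return result;
        }
    }
}
```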

Any other ideas?


Tags:

Security

Comments

8/5/2008 8:02:21 AM

Necat Bolpaça - anov

"I think that somebody can easily see my source code, so I try not to leave a back door in the code"

Obfuscation isn't a security solution, but it may help.

Necat Bolpaça - anov tr

About the author

Volkan Uzun


© Copyright 2008