Additional measures
The measures in this section won't have a dramatic effect, especially if you use dynamic file compression. However, they don't take much time, so they may still be worthwhile.
Event validation
If you take a page with input elements and look at its page source, you will probably come across a hidden form field called __EVENTVALIDATION.
This is part of a security feature that was introduced in ASP.NET 2.0. It records all input elements in that hidden form field. This way, after a postback, the page can check whether all incoming data was generated by known input elements. That makes it a bit harder for malicious users to confuse your application with bogus data.
Note
For more information, visit http://www.gdssecurity.com/l/b/2009/03/19/when-aspnet-eventvalidation-doesnt-work/.
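The check described above can be sketched as a simplified model. This is an added example, not ASP.NET's own code or its actual field format; the key, the control names and the function names are assumptions made for illustration. The server records a digest for every control/value pair it rendered, protects the list with a MAC, and on postback rejects anything that is not in the list.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: stand-in for the server-side key

def _digest(control_id, value):
    # Store a short digest of each (control, value) pair, not the raw strings.
    return hashlib.sha256(f"{control_id}\x00{value}".encode()).hexdigest()[:16]

def render_field(allowed):
    """Build the hidden field from the (control_id, value) pairs the page rendered."""
    body = json.dumps(sorted(_digest(c, v) for c, v in allowed)).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(mac + body).decode()

def validate_postback(field, control_id, value):
    """Return True only if the field is untampered and the pair was rendered."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        return False
    mac, body = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # field was modified on the client
    return _digest(control_id, value) in json.loads(body)

# Constructed sample page: one drop-down with two options and a submit button.
RENDERED = [("ddlCountry", "US"), ("ddlCountry", "NL"), ("btnSave", "")]
FIELD = render_field(RENDERED)

if __name__ == "__main__":
    print(len(FIELD), "characters of hidden-field overhead")
    print(validate_postback(FIELD, "ddlCountry", "NL"))  # value rendered by the server
    print(validate_postback(FIELD, "ddlCountry", "XX"))  # value added on the client
```

Every rendered value adds an entry to the field, so its length grows with the number of controls and list items on the page.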
One issue with event validation is that it stops you from generating new input elements on the client using JavaScript. Another issue is that it can take a lot of space on the page, especially if you have long...