About security best practices

Microsoft Office FrontPage 2003



The following suggestions are designed to help you make educated choices when working to reduce the security risks associated with running a Web site.

Best practices for managing files

  • Install the latest security patches and updates to your Web server. Notify your site visitors of this practice as well.

  • When you are configuring your form results to be saved to a file, it is best to keep the default folder that Microsoft FrontPage sets up for you, _private. The _private folder cannot be browsed on Web servers running FrontPage Server Extensions from Microsoft, SharePoint Team Services v1.0 from Microsoft, or Microsoft Windows SharePoint Services.

    Note  Web servers running other technologies might not recognize this folder as non-browsable. Use caution when publishing files by using File Transfer Protocol (FTP) or Web-based Distributed Authoring and Versioning (WebDAV), since the _private folder will not be recognized as non-browsable on the remote server.

  • When you synchronize files by using Remote Web Site view, files on the remote Web site will be downloaded to the local site. If malicious files were placed on the remote Web site, the local Web site may be at risk. Be sure that only trusted users have access to the remote site before you attempt to synchronize files.

  • Security vulnerabilities in external files or controls may extend to Web pages that use those items. For example, external cascading style sheets (files with a .css extension), script files (files with a .js extension), custom ASP.NET controls, or other items may pose a security risk. Be sure your style sheets, add-ins, themes, executable files, scripts, controls, and other files come from trusted sources.

  • Files that pose a threat to your server, or to the computers of Web site visitors, may be uploaded intentionally (by malicious users) or unknowingly (by trusted users). Make sure your server is running up-to-date antivirus software and limit upload capability to trusted users. For more details, contact your Web server administrator or Web site hosting company.

Best practices for Web server security

  • Make sure to use a trusted Web site hosting company. To host e-commerce solutions or SSL connections, a hosting service must possess a digital certificate, which is issued by a third-party certificate authority. If you can't verify the integrity of the server owner or hosting service, do not host your Web site there.

  • Financial transactions require a reliable e-commerce solution hosted on a Web server configured with Secure Sockets Layer (SSL) technology. If you want to create an e-commerce solution, contact your Web server administrator or Web site hosting company for more information.

  • Cross-site scripting is a security vulnerability that could affect many Web sites and Web users. The vulnerability is the result of coding mistakes in Web applications. For more information, visit the Microsoft Developer Network (MSDN) Web site.

  • Identify the potential for SQL injection attacks when you process user input that forms part of a SQL command. SQL injection is the act of passing additional (malicious) SQL code into an application, where it is typically appended to the legitimate SQL code contained within the application. If your authentication scheme is based on validating users against a SQL database, for example, if you're using Forms authentication against Microsoft SQL Server, you must guard against SQL injection attacks. For more information, visit the Microsoft Developer Network (MSDN) Web site.

  • Be sure to use proper security settings on your Web site and to grant access only to trusted users.

  • Be sure that your password is not readable by others. For example, do not store it where it is readable as plain text, such as in a macro or the HTML or other code of a page or file in the site. Do not send a password on the Internet unless you use the SSL protocol, which encrypts data. You can tell when a Web address uses SSL because the address starts with "https" instead of "http."

  • A Web site certificate is a verification, issued by an independent certification authority, that confirms the identity of a Web site. By using a Web site certificate in your site, you can help prevent unauthorized people from seeing the information that is sent to or from your site.
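The SQL injection item above describes user input being appended to the application's own SQL. The following is an added example, not code from FrontPage or Microsoft, showing the defect beside the fix: a login check that builds its statement by string concatenation, and the same check written as a parameterized query. It uses Python's built-in sqlite3 module with a constructed in-memory user table standing in for the SQL Server database a Forms-authentication scheme would validate against; the table layout, the hash values and the function names are assumptions.

```python
import sqlite3


def make_user_db():
    # Constructed stand-in for the authentication database (assumption:
    # one row per user holding a stored password hash, not the password).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def login_unsafe(conn, username, password_hash):
    # Concatenating user input into the statement text lets any SQL in that
    # input become part of the command; this is the defect the page warns about.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    # Parameterized query: the values travel separately from the statement
    # text, so the input is only ever compared as data, never parsed as SQL.
    query = ("SELECT COUNT(*) FROM users WHERE username = ? "
             "AND password_hash = ?")
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# Constructed input that closes the quoted literal and appends an always-true
# condition; a genuine stored hash would never contain it.
INJECTED = "x' OR '1'='1"


def demo():
    conn = make_user_db()
    return {
        "unsafe_with_injected_input": login_unsafe(conn, "alice", INJECTED),
        "safe_with_injected_input": login_safe(conn, "alice", INJECTED),
        "safe_with_real_credentials": login_safe(conn, "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated version the WHERE clause becomes `username = 'alice' AND password_hash = 'x' OR '1'='1'`, so the row count is non-zero and the login succeeds without a valid hash; the parameterized version compares the whole input string against the stored hash and rejects it. The same distinction applies to ADO.NET's `SqlParameter` objects when the real database is SQL Server.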

Best practices for passwords

  • Avoid using hard-coded passwords for pages in your site. If you must hard-code a password, store it in a folder that is not browsable by site visitors, such as _private.

  • When you need to create passwords, use strong passwords. Strong passwords combine uppercase and lowercase letters, numbers, and symbols, and should not contain patterns, themes, or words found in a dictionary.

  • Change your password frequently; for example, every one to three months. Notify your site visitors of this practice as well.

  • When you connect to a data source, be sure that your password is not readable by others. For example, do not store it where it is readable as plain text, such as in a macro or the HTML or other code of a page or file in the site. Do not send a password on the Internet unless you use the Secure Sockets Layer (SSL) protocol, which encrypts data. You can tell when a Web address uses SSL because the address starts with "https" instead of "http."
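The "strong passwords" item above lists the properties a password should have. The following is an added example, not code from FrontPage or Microsoft, that turns those properties into a check you can run when choosing or validating a password: it reports each way a candidate falls short. The minimum length, the small stand-in word list and the definition of a "pattern" (three repeated characters, or four characters that step through the alphabet or digits in order) are assumptions, since the page names none.

```python
import re

# Constructed stand-in for a dictionary word list (assumption: a real
# deployment would load a full list).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "admin", "frontpage", "qwerty"}

MIN_LENGTH = 12  # assumption: the page sets no minimum length


def _has_sequence(pw, run=4):
    """True if any `run` consecutive characters step by +1 or -1 (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_problems(pw):
    """Return a list of reasons the password is weak (empty list if strong)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    lowered = pw.lower()
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append("contains dictionary word %r" % word)
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three or more times")
    if _has_sequence(pw):
        problems.append("contains a keyboard/alphabet sequence")
    return problems


def is_strong_password(pw):
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["Password123!", "Abcd1234!xyz", "xK9#mQ2$vL7!"]:
        print(candidate, "->", password_problems(candidate) or "strong")
```

Substring matching against the word list is deliberate: "Password123!" satisfies every character-class rule and still fails, because the dictionary word is simply decorated with digits and a symbol.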

Best practices for using Web packages

If your Web site is located on a server running FrontPage Server Extensions from Microsoft, SharePoint Team Services v1.0 from Microsoft, or Microsoft Windows SharePoint Services, take the following precautions:

  • Avoid adding Universal Data Connection (UDC) files to a Web package. A UDC file is an XML file, stored in the _fpdatasources folder, that contains configuration information for a data source. UDC files can contain passwords in plain text.

  • Avoid packaging SharePoint document or picture libraries that contain files. When other users import the Web package, those files will be added to their Web site.
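The first precaution above is easy to violate by accident when a whole site is selected for packaging. The following is an added example, not code from FrontPage or Microsoft, of a pre-packaging check: it walks a site folder and lists the files that should be left out because they live in the _fpdatasources folder named on the page. The `.udc` file extension, the sample site layout and the function names are assumptions.

```python
import os
import tempfile

SENSITIVE_FOLDERS = {"_fpdatasources"}  # UDC files are stored here (from the page)
UDC_EXTENSION = ".udc"                  # assumption: extension used by UDC files


def files_to_exclude(site_root):
    """Return sorted site-relative paths that should not go into a Web package."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(site_root):
        rel_dir = os.path.relpath(dirpath, site_root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0].lower()
        for fn in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, fn))
            if top in SENSITIVE_FOLDERS or fn.lower().endswith(UDC_EXTENSION):
                flagged.append(rel.replace(os.sep, "/"))
    return sorted(flagged)


def build_sample_site():
    """Create a constructed site tree in a temp folder and return its root."""
    root = tempfile.mkdtemp()
    layout = {
        "index.htm": "<html><body>Home</body></html>",
        "images/logo.gif": "",
        "_private/results.csv": "name,email",
        "_fpdatasources/orders.udc": "<!-- constructed UDC file; would hold a connection string -->",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(files_to_exclude(build_sample_site()))
```

Run the check against the site folder before creating the package and remove the listed files from the selection; the _private folder is not flagged, because the page only warns about UDC files and library contents, not form results.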

Best practices for using cookies

  • Use HTTP-only cookies. The HTTP-only attribute specifies that a cookie is not accessible through client-side script, which mitigates the risk of a third party reading the data stored in cookies on your site visitors' computers. By using HTTP-only cookies in your site, you can help reduce the possibility that sensitive information contained in the cookie is sent by script to a hacker's computer or Web site.

    Note  Microsoft Internet Explorer 6 Service Pack 1 (SP1) supports the HTTP-only attribute.

  • By posting links for your site visitors to download critical updates and patches as well as the latest versions of the Web browsers that they use, you can help ensure that your site visitors are using a more secure version of the Web browser of their choice.
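The HTTP-only item above describes the attribute but not how it appears on the wire. The following is an added example, not code from FrontPage or Microsoft, that builds a Set-Cookie header value carrying the HttpOnly flag (and the Secure flag, which ties the cookie to the SSL connections recommended earlier on this page) and audits existing Set-Cookie values for those flags. It uses Python's standard http.cookies module; the cookie names and the sample headers are constructed.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=True):
    """Return a Set-Cookie header value carrying HttpOnly (and Secure) flags."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True   # not readable through document.cookie
    cookie[name]["secure"] = secure   # only sent over https when True
    return cookie[name].OutputString()


def audit_set_cookie(header_value):
    """Return (cookie name, list of protective attributes that are missing)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return name, missing


# Constructed sample of Set-Cookie header values as a server might emit them.
SAMPLE_HEADERS = [
    "ASPSESSIONID=abc123; Path=/",
    "prefs=lang%3Den; Path=/; HttpOnly",
    build_session_cookie("session", "7f3a", secure=True),
]


def audit_all(headers=SAMPLE_HEADERS):
    """Map each cookie name to the flags it lacks."""
    return {name: missing for name, missing in map(audit_set_cookie, headers)}


if __name__ == "__main__":
    for name, missing in audit_all().items():
        print(name, "->", ", ".join(missing) or "ok")
```

A browser that does not recognize the HttpOnly attribute ignores it, so adding the flag never breaks a cookie; it only removes script access where the browser supports it, as the note about Internet Explorer 6 SP1 indicates.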