docs(security): rewamp and addjustments to the security section

Jekata · Jekata · commit f4f21dc45ff2 · 2024-10-18T11:21:48.000+03:00
diff --git a/getting-started/work-with-controls/security.md b/getting-started/work-with-controls/security.md
diff --git a/security/security-faq.md b/security/security-faq.md
@@ -1,11 +1,11 @@
 ---
-title: Security FAQ
-page_title: Security FAQ
+title: FAQ
+page_title: FAQ
 description: "Find answers to common questions about securing Telerik UI for ASP.NET AJAX controls, including how to report vulnerabilities, handle third-party dependencies, and receive security fixes."
 slug: security/security-faq
 tags: telerik, asp.net, ajax, security, web forms
 published: True
-position: 2
+position: 3
 ---
 
 # Frequently Asked Questions (FAQ)
diff --git a/security/security-information.md b/security/security-information.md
@@ -1,6 +1,6 @@
 ---
-title: Security Information
-page_title: Security Information
+title: Overview
+page_title: Overview
 description: "Learn how to secure Telerik UI for ASP.NET AJAX controls and your Web Forms app with best practices, vulnerability reporting, and control-specific security guidelines."
 slug: security/security-information
 tags: telerik, asp, net, ajax, asp.net, security, web forms, xss, owasp, csp
@@ -54,7 +54,6 @@ Our primary goal is to prevent security issues before product delivery. We use t
 - **Internal Logging**: Every potential security issue is logged, researched, tested, and verified. Issues deemed valid are assessed using a CVSS score, with critical issues prioritized.
 - **Third-Party Static Analysis Testing**: We utilize some of the leading security scanning tools in the market to scan for vulnerabilities in our software code. Regular scans are conducted, and results are reviewed to address vulnerabilities and mitigate false positives.
 
----
 
 ## Third-Party Dependencies Handling
 
@@ -80,8 +79,7 @@ We closely monitor the [OWASP Top 10](https://owasp.org/www-project-top-ten/) li
 
 Telerik UI for ASP.NET AJAX provides a variety of security-related articles for individual controls. These resources outline best practices and recommendations for securing each control and mitigating potential risks. Below is a list of available security articles for specific controls:
 
-- [General Security Best Practices for ASP.NET AJAX Controls](https://docs.telerik.com/devtools/aspnet-ajax/getting-started/work-with-controls/security)
-- [Useful Security Tips For Telerik ASP.NET Web Forms apps](https://docs.telerik.com/devtools/aspnet-ajax/getting-started/work-with-controls/security#useful-tips)
+- [General Security Best Practices and Useful Tips for ASP.NET AJAX Controls](https://docs.telerik.com/devtools/aspnet-ajax/getting-started/work-with-controls/security) - Comprehensive guidance on securing Telerik ASP.NET AJAX controls and your ASP.NET Web Forms applications, with practical tips focusing on file upload, editing, and management features.
 - [AsyncUpload Control - Security Guidelines](https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security)
 - [CloudUpload Control - Security Guidelines](https://docs.telerik.com/devtools/aspnet-ajax/controls/cloudupload/security)
 - [Editor Control - Dialogs Security](https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/functionality/dialogs/security)
diff --git a/security/security.md b/security/security.md
@@ -0,0 +1,82 @@
+---
+title: Useful Tips
+page_title: Useful Tips
+description: "Learn more about how to secure the Telerik UI for ASP.NET AJAX controls and your ASP.NET Web Forms app."
+slug: security/security
+previous_url: getting-started/work-with-controls/security
+tags: telerik, asp, net, ajax, security, microsoft
+published: True
+position: 2
+---
+
+# Useful Security Tips
+
+In this article, you will find helpful security tips and resources to strengthen the protection of your ASP.NET Web Forms app and Telerik ASP.NET AJAX controls, those offering editing, file upload, and file management features.
+
+## General Security Best Practices
+
+These tips apply across many Telerik controls and help secure your application holistically:
+
+* **Regular Upgrades**: Always perform regular upgrades to the latest version of Telerik UI for ASP.NET AJAX to ensure the highest levels of security, stability, and support for modern browsers. You can find upgrade instructions [here]({%slug introduction/installation/upgrading-instructions/upgrading-a-trial-to-a-developer-license-or-to-a-newer-version%}).
+
+* **Web.config Additions**: Ensure you configure the mandatory additions to your `web.config` file. This article provides guidance on the essential web.config settings for Telerik's AJAX suite: [Configure Mandatory Additions to web.config file]({%slug general-information/web-config-settings-overview%}#configuring-mandatory-additions).
+
+* **Encrypt appSettings Keys**: For better security, avoid storing sensitive information in plain text. Follow this guide to encrypt the `appSetting` section of your `web.config` using the `aspnet_regiis` tool: [How to Encrypt Telerik appSettings Keys]({%slug common-how-to-encrypt-the-telerik-appsettings-keys%}) 
+
+* **Encrypt ViewState** - If you're using a version earlier than ASP.NET 4.5, ensure ViewState encryption is enabled by setting the `ViewStateEncryptionMode` and `EnableViewStateMAC` attributes. Here's a sample configuration: 
+
+   ````XML
+   <configuration>
+      <system.web>
+         <pages viewStateEncryptionMode="Always" enableViewStateMac="true">
+   ````
+
+   The official recommendation by Microsoft is to upgrade to at least .NET 4.8 as noted at [.NET Release history](https://dotnet.microsoft.com/en-us/learn/dotnet/what-is-dotnet-framework). You can find more useful information at [Cryptographic Improvements in ASP.NET 4.5, pt. 2](https://devblogs.microsoft.com/dotnet/cryptographic-improvements-in-asp-net-4-5-pt-2/) and .
+
+* **Encrypt Telerik WebResource Querystring**: For extra security, encrypt the Telerik WebResource querystring by enabling the `Telerik.ScriptManager.EnableHandlerEncryption` setting. This hides product version information in the page markup. Follow the steps here: [Encrypt Telerik WebResource Querystring]({%slug scriptmanager/encrypt-telerik-webresource-querystring%}).
+
+* **Embedded jQuery Security**: Telerik ASP.NET AJAX components embed a custom, secure version of jQuery. Learn about the security enhancements and modifications made to ensure safe usage of jQuery within Telerik controls: [Embedded jQuery Security]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/using-jquery/using-jquery%}#embedded-jquery-security). 
+
+
+## Control-Specific Security Guidelines
+
+### File Upload Security
+
+* [RadAsyncUpload]({%slug asyncupload-security%}) - This article explains how to ensure information about the RadAsyncUpload configuration is secure and non-readable. Its transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server. Also, go through the [FAQ section]({%slug asyncupload-security%}#frequently-asked-questions) where you can find useful information and tips for the AsyncUpload security.
+
+* [RadCloudUpload Security]({%slug cloudupload-security%}) - See how to ensure information about the RadCloudUpload configuration is secure and non-readable.
+
+### Editor Control Security
+
+* [RadEditor Security]({%slug editor/security%}) - learn how to ensure information about the RadEditor configuration is secure and non-readable. Its transmission between the client and the server must be encrypted and impossible to decode, so the data cannot be used by a malicious entity in an attack against the server.
+* [Prevent Cross-site Scripting (XSS)]({%slug editor/managing-content/prevent-cross-site-scripting-(xss)%}) - see how to enable the anti-XSS mechanism of RadEditor.
+
+### Grid Control Security
+
+* Security is a priority for RadGrid, especially when handling sensitive data. For a detailed guide on addressing potential security risks, visit the [Security]({%slug grid/security%}).
+
+### File Explorer Control Security
+
+* [Security]({%slug fileexplorer/security%}) - learn how to  secure the user actions invoked through RadFileExplorer.
+
+### Spell Control Security
+
+* [Security]({%slug spell/security%}) - the article shows how to ensure information about the RadSpell configuration is secure and non-readable
+
+
+## Content Security Policy (CSP)
+Content Security Policy (CSP) is an effective security layer against cross-site scripting (XSS) and data injection attacks. However, full CSP compliance without the use of `unsafe-inline` and `unsafe-eval` is challenging for ASP.NET Web Forms applications. This limitation arises due to the heavy reliance on the Microsoft AJAX client-side library, which makes extensive use of functions like setTimeout(), setInterval(), inline scripts, and eval().
+
+When integrating Telerik UI for ASP.NET AJAX with a CSP, it's necessary to include `unsafe-inline` and `unsafe-eval` directives for proper functionality.
+
+For more details on how to configure your Web Forms application to use CSP, refer to the following resource: [Content Security Policy Mode]({%slug general-information/content-security-policy%}).
+
+## Additional Resources
+
+* **Security FAQ**: For more answers to common security-related questions, visit our [Security FAQ]({%slug security/security-faq%}).
+* **Upgrade Recommendations**: Regularly updating to the latest version of Telerik UI for ASP.NET AJAX is one of the best ways to ensure security. You can find the necessary upgrade steps [here]({%slug introduction/installation/upgrading-instructions/upgrading-a-trial-to-a-developer-license-or-to-a-newer-version%}).
+* **Security Blog** For more expert tips, check out the following blog post [First 5 Tips for Building Secure (Web) Apps](https://www.telerik.com/blogs/first-5-tips-for-building-secure-web-apps).
+
+
+
+      
