| Principle | Implementation |
| Never trust user input | Validate all textbox entries using validation controls, regular expressions, code, and so on |
| Never use dynamic SQL | Use parameterized SQL or stored procedures |
| Never connect to a database using an admin-level account | Use a limited access account to connect to the database |
| Don't store secrets in plain text | Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings |
| Exceptions should divulge minimal information | Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false |
