Defensive techniques for ASP.MVC for internet facing site

I am workin开发者_高级运维g on my first asp MVC project that will ultimately end up on a publicly accessible web server (I have worked on some internal apps in MVC). What techniques, practices should I be thinking about (specific to MVC or otherwise) to improve security.

Off the top of my head obviously there is the AcceptVerb attribute for actions and Validation what else?

The Windows Live team has written a white-paper describing lessons learned using ASP.NET MVC on certain Windows Live properties. They do a lot of security analysis and present their security tips here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en

Anti Forgery Token :)

A couple of points:

• Encode every user input
• Use anti forgery tokens
• Use POST verbs for every request that modifies state