Design Considerations
| Check | Description |
|---|---|
 | Consider security and performance. |
| Partition your application logically. |
| Evaluate affinity. |
| Reduce round trips. |
| Avoid blocking on long-running tasks. |
| Use caching. |
| Avoid unnecessary exceptions. |
Threading
| Check | Description |
|---|---|
| Tune the thread pool by using the formula to reduce contention. |
| Consider minIoThreads and minWorkerThreads for burst load. |
| Do not create threads on a per-request basis. |
| Avoid blocking threads. |
| Avoid asynchronous calls unless you have additional parallel work. |
Resource Management
| Check | Description |
|---|---|
| Pool resources. |
| Explicitly call Close or Dispose on resources you open. |
| Do not cache or block on pooled resources. |
| Know your application allocation pattern. |
| Obtain resources late and release them early. |
| Avoid per-request impersonation. |
Pages
| Check | Description |
|---|---|
| Trim your page size. |
| Enable buffering. |
| Use Page.IsPostBack to minimize redundant processing. |
| Partition page content to improve caching efficiency and reduce rendering. |
| Ensure pages are batch compiled. |
| Ensure debug is set to false. |
| Optimize expensive loops. |
| Consider using Server.Transfer instead of Response.Redirect. |
| Use client-side validation. |
Server Controls
| Check | Description |
|---|---|
| Identify the use of view state in your server controls. |
| Use server controls where appropriate. |
| Avoid creating deep hierarchies of controls. |
Data Binding
| Check | Description |
|---|---|
| Avoid using Page.DataBind. |
| Minimize calls to DataBinder.Eval. |
Caching
| Check | Description |
|---|---|
| Separate dynamic data from static data in your pages. |
| Configure the memory limit. |
| Cache the right data. |
| Refresh your cache appropriately. |
| Cache the appropriate form of data. |
| Use output caching to cache relatively static pages. |
| Choose the right cache location. |
| Use VaryBy attributes for selective caching. |
| Use kernel caching on Microsoft® Windows Server™ 2003. |
State Management
| Check | Description |
|---|---|
| Store simple state on the client where possible. |
| Consider serialization costs. |
Application State
| Check | Description |
|---|---|
| Use static properties instead of the Application object to store application state. |
| Use application state to share static, read-only data. |
| Do not store single-threaded apartment (STA) COM objects in application state. |
Session State
| Check | Description |
|---|---|
| Prefer basic types to reduce serialization costs. |
| Disable session state if you do not use it. |
| Avoid storing STA COM objects in session state. |
| Use the ReadOnly attribute when you can. |
View State
| Check | Description |
|---|---|
| Disable view state if you do not need it. |
| Minimize the number of objects you store in view state. |
| Determine the size of your view state. |
HTTP Modules
| Check | Description |
|---|---|
| Avoid long-running and blocking calls in pipeline code. |
| Consider asynchronous events. |
String Management
| Check | Description |
|---|---|
| Use Response.Write for formatting output. |
| Use StringBuilder for temporary buffers. |
| Use HtmlTextWriter when building custom controls. |
Exception Management
| Check | Description |
|---|---|
| Implement a Global.asax error handler. |
| Monitor application exceptions. |
| Use try/finally on disposable resources. |
| Write code that avoids exceptions. |
| Set timeouts aggressively. |
COM Interop
| Check | Description |
|---|---|
| Use ASPCOMPAT to call STA COM objects. |
| Avoid storing COM objects in session state or application state. |
| Avoid storing STA components in session state. |
| Do not create STA components in a page constructor. |
| Supplement classic ASP Server.CreateObject with early binding. |
Data Access
| Check | Description |
|---|---|
| Use paging for large result sets. |
| Use a DataReader for fast and efficient data binding. |
| Prevent users from requesting too much data. |
| Consider caching data. |
Security Considerations
| Check | Description |
|---|---|
| Constrain unwanted Web server traffic. |
| Turn off authentication for anonymous access. |
| Validate user input on the client. |
| Avoid per-request impersonation. |
| Avoid caching sensitive data. |
| Segregate secure and non-secure content. |
| Only use Secure Sockets Layer (SSL) for pages that require it. |
| Use absolute URLs for navigation. |
| Consider using SSL hardware to offload SSL processing. |
| Tune SSL timeout to avoid SSL session expiration. |
Deployment Considerations
| Check | Description |
|---|---|
| Avoid unnecessary process hops. |
| Understand the performance implications of a remote middle tier. |
| Short-circuit the HTTP pipeline. |
| Configure the memory limit. |
| Disable tracing and debugging. |
| Ensure content updates do not cause additional assemblies to be loaded. |
| Avoid XCOPY under heavy load. |
| Consider precompiling pages. |
| Consider Web garden configuration. |
| Consider using HTTP compression. |
| Consider using perimeter caching. |
