Tracing is not enabled on the production servers.
Request and response encoding is appropriately configured.
maxRequestLength is configured to prevent users from uploading very large files (optional).
Debug compiles are not enabled on the production servers by setting debug="false"
<compilation debug="false" . . ./>
If the application does not use view state, enableViewState is set to "false".
<pages enableViewState="false" . . ./>
If the application uses view state, enableViewState is set to "true" and enableViewStateMac is set to "true" to detect view state tampering.
<pages enableViewState="true" enableViewStateMac="true" ...