ViewState is not Encrypted

Impact: Informational


The ViewState, a hidden form input in ASP.NET pages, automatically persists information and application data specific to a page. If the ViewState is not encrypted, its contents can be easily viewed by anyone, potentially exposing sensitive information.


To enhance security, avoid storing sensitive values in the ViewState and enable encryption for it. For the entire application, enable ViewState encryption by adding the specified configuration to the Web.Config file under the system.web node:

  <pages viewStateEncryptionMode="Always" />

Alternatively, for specific pages, enable encryption by adding the provided directive at the top of each page:

<%@Page ViewStateEncryptionMode="Always" %>


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue