ViewState is not Encrypted

Impact: Informational


The ViewState is a hidden form input in ASP.NET pages which is used automatically to persist information such as non-default values of controls. It is also possible to store application data specific to a page in the ViewState. If the ViewState is not encrypted, anyone can see stored values in it.


Do not store sensitive values in the ViewState and enable encryption for it. To enable ViewState encryption for the whole application, add the below lines to the pages node under system.web of the Web.Config.

  <pages viewStateEncryptionMode="Always" />

To enable encryption for a specific page add the below line at the top of the page:

<%@Page ViewStateEncryptionMode="Always" %>


Last updated on July 07, 2021

Use SmartScanner Free version to test for this issue