Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authentication checks to ensure that they cannot be used by arbitrary users.

Ensure that proper authorization checks are made for sensitive actions. For WebForms applications, the authorization tag in Web.config XML files can be used to implement access control. The System.Web.UI.Page.User property can also be used to verify a user's roles. For MVC applications, the Authorize attribute can be used to require authorization on specific action methods.

In the following WebForms example, the case marked BAD has no authorization checks; whereas the case marked GOOD uses User.IsInRole to check for the user's role.
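The following is an added illustration of that WebForms pattern, not the query help's own sample. The page classes, the "Admin" role name and the ArticleStore data-access stub are assumptions made for the example; the point is the role check that gates the destructive action.

```csharp
using System;
using System.Web;
using System.Web.UI;

namespace AccessControlDemo
{
    // BAD: anyone who can reach this page, authenticated or not, can delete
    // an article. Nothing here asks who the caller is.
    public partial class DeleteArticleBad : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            int id = int.Parse(Request.QueryString["id"]);
            ArticleStore.Delete(id);  // hypothetical data-access call
        }
    }

    // GOOD: the deletion runs only for members of the Admin role.
    // Page.User is an IPrincipal; IsInRole returns false for anonymous
    // users as well as for authenticated users outside the role, so one
    // check covers both cases. Everyone else gets an HTTP 403 and the
    // handler stops before touching the data layer.
    public partial class DeleteArticleGood : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!User.IsInRole("Admin"))
            {
                Response.StatusCode = 403;
                Response.SuppressContent = true;
                Context.ApplicationInstance.CompleteRequest();
                return;
            }
            int id = int.Parse(Request.QueryString["id"]);
            ArticleStore.Delete(id);
        }
    }

    // Stand-in for the application's data layer (constructed for the example).
    internal static class ArticleStore
    {
        public static void Delete(int id) { /* persist the deletion */ }
    }
}
```

Note that the check belongs in the code path that performs the action, not only in the UI that links to it: hiding a "Delete" button from non-admins does nothing to stop a direct request to the page.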

The following Web.config file uses the authorization tag to deny access to anonymous users, inside a location tag so that the rule applies to a specific path.
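As an added example (not the query help's own file), a Web.config fragment that scopes such a rule to an assumed "Admin" folder. The login URL and role name are placeholders chosen for the illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Rules apply only to requests under /Admin. ASP.NET evaluates the
       authorization rules top to bottom and stops at the first match, so
       the order matters: "?" denies anonymous users, the Admin role is
       allowed, and the final "*" denies every other authenticated user.
       Without that last line the inherited root default (allow all) would
       let any signed-in user through. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A path-scoped rule protects whatever ASP.NET serves from that folder, but not an equivalent action exposed elsewhere (for example a handler or page outside the folder that performs the same deletion), so the code-level checks above are still needed for actions that are not purely path-based.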

In the following MVC example, the case marked BAD has no authorization checks; whereas the case marked GOOD uses the Authorize attribute.
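The following is an added ASP.NET MVC illustration of the same contrast, not the query help's own sample; the controller names, the "Admin" role and the ArticleStore stub are assumptions for the example.

```csharp
using System.Web.Mvc;

namespace AccessControlDemo.Controllers
{
    // BAD: the Delete action is reachable by any caller who knows the route.
    // Anti-forgery validation stops cross-site forgery, but it is not an
    // authorization check and does not restrict who may call the action.
    public class ArticlesBadController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Delete(int id)
        {
            ArticleStore.Delete(id);  // hypothetical data-access call
            return RedirectToAction("Index");
        }
    }

    // GOOD: [Authorize] rejects unauthenticated callers, and Roles narrows
    // the action to the Admin role. The framework returns 401 before the
    // action body runs (under Forms authentication this becomes a redirect
    // to the login page), so the data layer is never reached.
    public class ArticlesGoodController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        [Authorize(Roles = "Admin")]
        public ActionResult Delete(int id)
        {
            ArticleStore.Delete(id);
            return RedirectToAction("Index");
        }
    }

    // Stand-in for the application's data layer (constructed for the example).
    internal static class ArticleStore
    {
        public static void Delete(int id) { /* persist the deletion */ }
    }
}
```

Applying [Authorize] at the controller class level, and opting individual read-only actions out with [AllowAnonymous], is a good default for controllers that expose mostly privileged actions: a newly added action is then protected unless someone deliberately opens it up.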

  • Page.User Property - Microsoft Learn
  • Control authorization permissions in an ASP.NET application - Microsoft Learn
  • Simple authorization in ASP.NET Core - Microsoft Learn