Best practices for developing customizations for the CRM web application and Microsoft Dynamics CRM for Microsoft Office Outlook include the following:
Use web resources instead of pages that require server-side processing whenever possible. If your requirements can only be achieved by using server-side processing, adhere to the requirement that your custom webpages are installed in a separate website from Microsoft Dynamics CRM. Set the trust level for your site appropriately, depending on your confidence level in the security of your code. This reduces the risk from cross-site scripting and other threats.
For improved security, make sure that your separate website runs under a different account from Microsoft Dynamics CRM. This account should have the minimum access possible and should not have direct access to the Microsoft Dynamics CRM databases. You can use a complex password that doesn’t expire, because no person signs in to this account – only your application does.
Avoid use of ActiveX controls because they have known security problems.
Be aware of the limitations of client scripting. More information: Write code for Microsoft Dynamics CRM forms
Use plug-ins to apply business logic regardless of how the data changes are made.
Always use a modal confirmation dialog box when you delete records or apply sensitive changes, such as adding a new user to a security role. This helps prevent techniques such as click-jacking or UI redressing, in which a malicious developer embeds your page in a seemingly innocuous page to trick a user into performing actions that compromise security or make unwanted changes to data.
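The confirmation guard described above, written as an added example in client-side JavaScript (this is not code from the Dynamics CRM documentation): `isFramed`, `guardedDelete`, the `deps` parameter and the fake window objects are assumptions for illustration. It goes one step beyond the page by also refusing the action when the page is framed, which is the situation a click-jacking attempt depends on.

```javascript
// Added example, not code from the Microsoft Dynamics CRM documentation.
// Guard a destructive action (record delete) behind a modal confirmation and
// refuse it outright when the page has been loaded inside another page's frame,
// the setup that click-jacking / UI redressing depends on.

// True when this window is not the top-level browsing context. Reading win.top
// throws for a cross-origin parent, so the catch branch also means "framed".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// recordId: the record to delete (hypothetical identifier). deps.confirmFn: a
// *modal* confirmation such as window.confirm, which the browser draws outside
// the page so an enclosing page cannot cover it with a decoy. deps.allowFramed:
// true only for a web resource that the CRM form itself hosts in a frame.
function guardedDelete(recordId, deps) {
  const { win, confirmFn, deleteFn, allowFramed = false } = deps;
  if (!allowFramed && isFramed(win)) {
    return { status: 'blocked', reason: 'page is framed' };
  }
  if (!confirmFn(`Delete record ${recordId}? This cannot be undone.`)) {
    return { status: 'cancelled', recordId };
  }
  deleteFn(recordId);
  return { status: 'deleted', recordId };
}

// Constructed stand-ins for a top-level window and a framed one (not real DOM).
const topLevelWindow = {};
topLevelWindow.top = topLevelWindow;
topLevelWindow.self = topLevelWindow;
const framedWindow = { top: {}, self: {} };

// Demo: the framed case never reaches deleteFn; the top-level case does once
// the user confirms. In the browser, pass window and window.confirm.bind(window).
function demo() {
  const deleted = [];
  const deps = { confirmFn: () => true, deleteFn: (id) => deleted.push(id) };
  const blocked = guardedDelete('rec-1', { win: framedWindow, ...deps });
  const done = guardedDelete('rec-1', { win: topLevelWindow, ...deps });
  return { blocked: blocked.status, done: done.status, deleted };
}

console.log(demo()); // { blocked: 'blocked', done: 'deleted', deleted: [ 'rec-1' ] }
```

HTML web resources placed on a CRM form are loaded by the form in a frame, so for those set `allowFramed` and rely on the modal confirmation alone; keep the frame check for stand-alone custom pages.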
Security best practices for your website include the following:
Don’t use anonymous access.
Use integrated Windows authentication, NTLM, or Basic authentication over Secure Sockets Layer (SSL).
Use SSL to avoid sending unencrypted data over the network if your website is on a different computer than Microsoft Dynamics CRM.