I have just published a new release of the Ajax.NET Professional library that includes several new security features. Please check out ajaxpro.info [1] for further details.
In web.config you can configure several security-related settings.
One of the most important is to set a Content-Security-Policy [2] HTTP response header so that the browser trusts only JavaScript and other resources that come from your web server or from trusted locations. Because AjaxPro [1] generates some JavaScript files on the fly, you can set the JavaScript nonce in your web.config:
<configuration>
  <ajaxNet>
    <ajaxSettings>
      <contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
    </ajaxSettings>
  </ajaxNet>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="frame-ancestors www.mydomain.com; script-src 'self' https://www.mydomain.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
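An added example, not part of the original post or of the AjaxPro project: a small Python check that reads a web.config, confirms that the `contentSecurityPolicy` nonce also appears as a `'nonce-...'` source in `script-src`, and reports permissive sources. It assumes the two nonce values must be identical, as they are in the configuration above; the function names and finding strings are made up for this example.

```python
import xml.etree.ElementTree as ET

# The web.config from the post, embedded so the check runs offline.
WEB_CONFIG = """<configuration>
  <ajaxNet><ajaxSettings>
    <contentSecurityPolicy nonce="abcdefghijklmnopqrstuvwxyz" />
  </ajaxSettings></ajaxNet>
  <system.webServer><httpProtocol><customHeaders>
    <add name="Content-Security-Policy" value="frame-ancestors www.mydomain.com; script-src 'self' https://www.mydomain.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

RISKY = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a directive that appears a second time.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(web_config_xml):
    """Return a list of finding strings (hypothetical names) for one web.config."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("contentSecurityPolicy"), None)
    ajax_nonce = node.get("nonce") if node is not None else None
    header = next((a.get("value", "") for a in root.iter("add")
                   if a.get("name", "").lower() == "content-security-policy"), None)
    if header is None:
        return ["no-csp-header"]
    sources = parse_csp(header).get("script-src", [])
    nonces = [s[7:-1] for s in sources
              if s.lower().startswith("'nonce-") and s.endswith("'")]
    findings = []
    if ajax_nonce is None:
        findings.append("no-ajaxpro-nonce")
    elif ajax_nonce not in nonces:
        # Assumption: the configured nonce has to be listed in script-src.
        findings.append("nonce-mismatch")
    if nonces:
        # customHeaders values are fixed text, so this nonce repeats on every response.
        findings.append("static-nonce")
    findings += ["risky-source:" + s for s in sources if s.lower() in RISKY]
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_CONFIG):
        print(finding)
```

CSP nonces are meant to be unpredictable and different on each response, which is why the check reports a nonce that is fixed in `customHeaders`.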