EP 33 : How can you avoid common security pitfalls in your .NET Web Application
Read Time : 4 Mins
If you find value in my newsletter and wish to offer support, consider becoming a Patreon
I've extensively covered over 150 .NET topics with accompanying code, consolidating valuable insights in one comprehensive resource.
Your contribution ensures the continued creation of high-quality content and access to a wealth of curated information.
In today’s newsletter we are going to discuss
10+ security measures for .NET Web App
How to avoid attacks by updating headers
Several Security Measures for .NET Web Application
Following are some security measures that every .NET app should take.
1/ Use HTTPS
Ensure that your API is only reachable over HTTPS. Enforce this in the application (HTTPS redirection plus HSTS, so browsers refuse plain HTTP on later visits) or terminate TLS at a reverse proxy that redirects HTTP traffic to HTTPS.
app.UseHttpsRedirection();
2/ Authentication
Implement proper authentication mechanisms to verify the identity of users and systems accessing your API. JWT authentication could be one option.
Read about how to secure endpoints using JWT in .NET 6
3/ Authorization
Implement proper authorization to control access to different parts of your API based on the authenticated user's role or permissions.
Use attributes like [Authorize], [AllowAnonymous], and policy-based authorization.
4/ Input Validation
Validate all input data before it reaches your business logic. Validation alone does not stop SQL injection or cross-site scripting (XSS): use parameterized queries (or an ORM such as EF Core) for database access and encode output for the context it is rendered in (Razor does this by default). For model validation use data annotation attributes or a library like FluentValidation.
Read about How to use Fluent Validation in .NET 6
5/ Token Management
If you're using tokens (e.g., JWT), manage them securely. Keep access tokens short-lived, use refresh tokens to renew them, validate the issuer, audience, lifetime and signature on every request, and keep signing keys out of source control. Rotate keys regularly.
6/ Cross-Origin Resource Sharing (CORS)
Configure CORS settings to control which origins can call your API from a browser. Allow only an explicit list of trusted origins, and never combine AllowAnyOrigin with AllowCredentials, which ASP.NET Core refuses to honour for good reason.
Read about How to enable CORS in .NET 6
7/ Logging and Monitoring
Implement robust logging to track and monitor suspicious activities (failed logins, authorization denials, rate-limit rejections). Use tools like Application Insights or a log analysis service to detect and respond to security incidents. Serilog and NLog are both widely used structured-logging options; never log tokens, passwords or full authorization headers.
Read about NLog and Health Checks in .NET 6
8/ Rate Limiting
Implement rate limiting to prevent abuse or denial-of-service attacks. Limit the number of requests from a single IP address within a specified time frame, and where users are authenticated also limit per user or per token, because an attacker with many IP addresses bypasses a pure IP-based limit.
Read about How to implement Rate Limiting in .NET 6
9/ Content Security Policy (CSP)
Enforce a content security policy to mitigate the risk of XSS attacks. Specify trusted sources for scripts, styles, and other resources.
10/ Dependency Scanning
Regularly update and scan third-party dependencies for known vulnerabilities. The .NET SDK ships a check (dotnet list package --vulnerable) that queries the NuGet advisory database; tools like OWASP Dependency-Check cover the same ground across ecosystems.
NOTE : I personally haven't used OWASP yet, but the majority there says good words about it.
11/ Security Headers
Set security headers on every response. Strict-Transport-Security (HSTS) keeps browsers on HTTPS, X-Content-Type-Options stops MIME sniffing, and Content-Security-Policy limits where scripts and frames may come from; each one closes a specific class of browser-side attack.
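The following Program.cs is an added example (not code from the newsletter or its GitHub repository) that wires up measures 1, 2, 3, 5, 6, 8 and 11 from the list above in one .NET 8 minimal-hosting application. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced and that Jwt:Issuer, Jwt:Audience and Jwt:SigningKey exist in configuration; the policy name "AdminOnly", the CORS policy name "Frontend" and the origin https://app.example.com are placeholders.

```csharp
// Added example: hardened Program.cs for a .NET 8 Web API.
// Placeholders: "AdminOnly", "Frontend", https://app.example.com, Jwt:* configuration keys.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// 2/ + 5/ Authentication with JWT bearer tokens: validate issuer, audience, lifetime and
// signature. The signing key comes from configuration (user secrets / Key Vault), not source.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes; tighten it
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Convert.FromBase64String(builder.Configuration["Jwt:SigningKey"]!))
        };
    });

// 3/ Authorization: a named policy instead of role strings scattered through the code base.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("admin"));
});

// 6/ CORS: an explicit allow-list of origins, methods and headers.
builder.Services.AddCors(options =>
{
    options.AddPolicy("Frontend", policy => policy
        .WithOrigins("https://app.example.com")
        .WithMethods("GET", "POST")
        .WithHeaders("Authorization", "Content-Type"));
});

// 8/ Rate limiting (built into ASP.NET Core since .NET 7): fixed window per client IP.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(context =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0 // reject instead of queueing excess requests
            }));
});

var app = builder.Build();

// 1/ + 11/ HTTPS: HSTS makes browsers refuse plain HTTP for this host on later visits,
// redirection handles the first request. Skip HSTS in Development so localhost is not pinned.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

app.UseRateLimiter();
app.UseCors("Frontend");
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/health", () => Results.Ok("healthy")).AllowAnonymous();

// Requires a valid token AND the admin role.
app.MapGet("/admin/users", () => Results.Ok(new[] { "alice", "bob" }))
   .RequireAuthorization("AdminOnly");

app.Run();
```

The middleware order matters: rate limiting runs before authentication so that unauthenticated floods are rejected cheaply, and CORS runs before authorization so that preflight requests (which carry no token) get their CORS response instead of a 401.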
How to update our response headers to avoid attacks
In this newsletter I will use the middleware approach to add response headers.
If you don’t know how to create Middlewares read my newsletter issue about Multiple ways to create Middleware in .NET 6.
Assuming you know how to create a middleware, start adding headers to avoid the following attacks.
1/ Clickjacking attack
We can block clickjacking (our pages being loaded inside an attacker's iframe) by adding the following header to our responses:
context.Response.Headers.Add("X-Frame-Options", "DENY");
Note that the antiforgery service already emits X-Frame-Options: SAMEORIGIN on any response where it generates a token. If your middleware then calls Headers.Add with the same key, the duplicate key throws; if you use the indexer, the two values race. Tell the antiforgery service to stay out of it so the middleware's DENY is the only value:
services.AddAntiforgery(options => { options.SuppressXFrameOptionsHeader = true; });
Modern browsers also honour the frame-ancestors directive of Content-Security-Policy (see 5/ below), which should be set alongside X-Frame-Options.
2/ MIME-type sniffing attack
We can avoid this attack by adding following header:
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
3/ Cross-site scripting attack
The header traditionally recommended here is:
context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
Treat it as legacy only. The browser XSS auditor it controls has been removed from Chrome and Edge and was never in Firefox, and the "1; mode=block" setting was itself abused as a side channel in old browsers, which is why OWASP now recommends sending the value "0" (or omitting the header). Real XSS protection comes from output encoding and the Content-Security-Policy in 5/.
4/ Leaking the current URL to other sites via the Referer header
When a user follows a link to another site, the browser sends our page's URL in the Referer header, so any sensitive data in the path or query string (reset tokens, record IDs) ends up in a third party's logs. We can prevent that leak by setting this header:
context.Response.Headers.Add("Referrer-Policy", "no-referrer");
If your analytics need the origin, "strict-origin-when-cross-origin" sends only the scheme and host to other sites and is the browser default.
5/ Code injection attacks (cross-site scripting, and clickjacking via frame-ancestors)
A Content-Security-Policy restricts where the browser may load scripts, styles, images and frames from. The simplest strict policy is:
context.Response.Headers.Add("Content-Security-Policy", "default-src 'self';");
Two caveats: default-src 'self' also blocks inline scripts and styles, so pages that rely on them need nonces or hashes; and frame-ancestors does not fall back to default-src, so it must be listed explicitly (frame-ancestors 'none') for the policy to cover clickjacking.
Finally our middleware would look like this :
Make sure that you register the middleware (app.UseMiddleware or app.Use) before UseRouting, UseEndpoints/MapControllers and UseMvc, so the headers are set on every response, including error pages and static files.
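As an added example (not the author's repository code), here is one middleware that sets all five headers from this section, together with the registration order described above. It writes the headers in Response.OnStarting so they survive whatever component produces the body, uses the indexer rather than Headers.Add so an existing value is overwritten instead of throwing, and follows current OWASP guidance for X-XSS-Protection ("0") rather than the legacy "1; mode=block". The CSP string is a hypothetical policy; widen it to the resources your pages actually load.

```csharp
// Added example: security-headers middleware for ASP.NET Core (.NET 6 and later).
// The CSP value below is a placeholder policy, not one taken from the newsletter.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // OnStarting runs just before the first byte of the body is written, so the
        // headers are present even if MVC, static files or the exception handler respond.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // 1/ Clickjacking: legacy header for old browsers; CSP frame-ancestors covers the rest.
            headers["X-Frame-Options"] = "DENY";

            // 2/ MIME sniffing: the browser must trust our Content-Type.
            headers["X-Content-Type-Options"] = "nosniff";

            // 3/ Legacy XSS auditor: "0" disables it (OWASP recommendation); "1; mode=block"
            //    was exploitable as a side channel in the browsers that still had the auditor.
            headers["X-XSS-Protection"] = "0";

            // 4/ Never send our URL (path and query) to other sites.
            headers["Referrer-Policy"] = "no-referrer";

            // 5/ CSP. frame-ancestors does NOT inherit from default-src, so list it explicitly.
            //    object-src 'none' blocks Flash/plugin vectors; base-uri and form-action stop
            //    injected <base> tags and form hijacking.
            headers["Content-Security-Policy"] =
                "default-src 'self'; " +
                "object-src 'none'; " +
                "frame-ancestors 'none'; " +
                "base-uri 'self'; " +
                "form-action 'self'";

            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class SecurityHeadersMiddlewareExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app) =>
        app.UseMiddleware<SecurityHeadersMiddleware>();
}

// Registration in Program.cs. SuppressXFrameOptionsHeader keeps the antiforgery service
// from emitting its own X-Frame-Options: SAMEORIGIN next to our DENY. UseSecurityHeaders
// goes before routing and endpoints so that every response, including 404s and static
// files, carries the headers.
//
//   builder.Services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
//   ...
//   var app = builder.Build();
//   app.UseSecurityHeaders();   // first
//   app.UseHttpsRedirection();
//   app.UseStaticFiles();
//   app.UseRouting();
//   app.MapControllers();
//   app.Run();
```

To verify the result, send a request with curl -I against any endpoint (including a non-existent path) and confirm all five headers appear; a missing header on the 404 means the middleware is registered too late in the pipeline.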
Find code of this newsletter issue at my GitHub Repository
Whenever you’re ready, there are 2 ways I can help you
Promote yourself to 6000+ subscribers by Sponsoring my Newsletter
Download my free eBook of 30 Tips for .NET Developers with 3K+ downloads
Special Offers
Pragmatic Clean Architecture: Learn how to confidently ship well-architected production-ready apps using clean architecture. [ 10% discount with promo code MUWAS]
Ultimate ASP.NET Core Web API Second Edition - Premium Package [10% discount with promo code 9s6nuez]