Best practices to secure ASP.NET Core web applications

Security is a critical part of any web application, and it must be in focus from the first stages of development, not bolted on at the end. In practice it means protecting your data from unauthorized actions: identifying users, restricting what each of them may do, and protecting information both where it is stored on the server and while it travels over the network. Having these mechanisms provided by the technology you build on, rather than written from scratch, is good for both the delivery timeline and the quality of the result. ASP.NET Core ships with the built-in tools needed to do this properly.

Why ASP.NET Core?

ASP.NET Core allows developers to configure and manage security settings for applications easily. It contains features for managing authentication, authorization, data protection, HTTPS enforcement, XSRF/CSRF attack protection, and CORS management. These security features help to build robust and secure web applications.

Best practices

ASP.NET Core is considered one of the more secure platforms, but a framework cannot make an application secure by itself. You still have to monitor what your application is doing and apply the security practices below so that malicious activity is prevented, or at least detected.

Let's start with the most common attacks and how to defend .NET Core applications against them:

  1. Cross-Site Scripting (XSS)

    Output encoding is the primary defense against Cross-Site Scripting. Render untrusted data through Razor's @ expressions, which HTML-encode by default, and never pass user input to Html.Raw. Validate input on the server (client-side checks can be bypassed), store only validated data, and send a Content-Security-Policy header so that a single encoding mistake does not automatically become an executable script. Regular expressions that try to strip "dangerous" characters are not a substitute for encoding: they are easy to bypass and tend to break legitimate input.
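
The following is an added example, not code from the original article: a minimal ASP.NET Core app with one endpoint that reflects a query parameter unencoded and one that encodes it and is covered by a Content-Security-Policy header. The endpoint paths and the sample input are assumptions chosen for illustration.

```csharp
// Added example: reflected XSS, unsafe and hardened, in a minimal ASP.NET Core app.
// Endpoint paths are assumptions for illustration.
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Restrictive CSP on every response: even if an encoding bug slips through,
// the browser will refuse to run inline scripts.
app.Use(async (context, next) =>
{
    context.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    await next();
});

// VULNERABLE: raw interpolation of untrusted input into HTML.
// /greet-unsafe?name=<script>alert(1)</script> would execute in the browser
// (without the CSP above). Kept only to show the contrast.
app.MapGet("/greet-unsafe", (string name) =>
    Results.Content($"<h1>Hello, {name}</h1>", "text/html"));

// HARDENED: HTML-encode at the output boundary. Razor's @name does exactly this
// automatically; manual encoding is only needed when you build HTML outside Razor.
// The input above becomes &lt;script&gt;alert(1)&lt;/script&gt; and renders as text.
app.MapGet("/greet", (string name) =>
{
    string safe = HtmlEncoder.Default.Encode(name);
    return Results.Content($"<h1>Hello, {safe}</h1>", "text/html");
});

app.Run();
```

Note that the encoder must match the context: HtmlEncoder for element content and attribute values, JavaScriptEncoder for values placed inside a script block, UrlEncoder for query-string parameters.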

  2. Cross-Site Request Forgery (CSRF)

    In this attack a user who is logged in to the target site is lured to a malicious page that silently sends requests to the target site; the browser attaches the user's cookies, so the requests look legitimate. The defense is the anti-forgery token. The server issues a token pair: one half in a cookie and the other half in a hidden form field (emitted by @Html.AntiForgeryToken() or automatically by the form tag helper) or, for JavaScript clients, in a request header. A state-changing action marked with [ValidateAntiForgeryToken] (or every such action, via the AutoValidateAntiforgeryToken filter) rejects any request in which the two halves do not match. Because the attacker's page cannot read the target site's cookie or its HTML, it cannot supply a valid token.
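
The following is an added example, not code from the original article: anti-forgery configured in Program.cs for an MVC app, a token endpoint for JavaScript clients, and a POST action that validates the token. The controller and action names, the header name and the cookie settings are assumptions chosen for illustration.

```csharp
// Added example: anti-forgery (CSRF) protection in ASP.NET Core MVC.
// Controller/action names and the header name are assumptions for illustration.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAntiforgery(options =>
{
    // Header used by JavaScript clients that cannot post a hidden form field.
    options.HeaderName = "X-CSRF-TOKEN";
    // The cookie half of the token pair: never readable from script, HTTPS only.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();

// Endpoint a single-page app calls once to obtain the request token; the
// matching cookie half is set on this response.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
});

app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    // Razor view:  <form asp-action="ChangeEmail" method="post"> ... </form>
    // The form tag helper emits the hidden __RequestVerificationToken field,
    // the same field @Html.AntiForgeryToken() emits inside a plain <form>.
    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects requests whose token does not match the cookie
    public IActionResult ChangeEmail(string newEmail)
    {
        // ... update the e-mail of the signed-in user ...
        return RedirectToAction("Index");
    }
}
```

A JavaScript client sends the token it fetched from /antiforgery/token in the X-CSRF-TOKEN header of every POST, PUT, PATCH or DELETE request; the filter accepts the token from either the form field or the header.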

  3. Always use HTTPS (TLS)

    HTTPS is HTTP carried over TLS (Transport Layer Security, the successor to the now-deprecated SSL). It encrypts traffic between browser and server and lets the browser verify the server's certificate, so a network attacker can neither read nor modify requests. In ASP.NET Core, redirect every plain-HTTP request to HTTPS, send a Strict-Transport-Security (HSTS) header so browsers stop using HTTP for your domain at all, and allow only TLS 1.2 and 1.3 on Kestrel. Mark authentication and session cookies Secure so they are never sent over plain HTTP.
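
The following is an added example, not code from the original article: a Program.cs that redirects HTTP to HTTPS, enables HSTS outside development, and restricts Kestrel to TLS 1.2 and 1.3. The port, the HSTS lifetime and the preload setting are assumptions to adjust for your deployment.

```csharp
// Added example: HTTPS enforcement in ASP.NET Core. Port and HSTS values are assumptions.
using System.Security.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Only modern TLS versions on Kestrel; TLS 1.0/1.1 are disabled.
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.ConfigureHttpsDefaults(https =>
        https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13));

builder.Services.AddHsts(options =>
{
    // Begin with a short MaxAge in production and raise it once every host under
    // the domain serves valid TLS: HSTS is deliberately hard to roll back.
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = true;
});

builder.Services.AddHttpsRedirection(options =>
{
    // 308 preserves the method and body of the redirected request.
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Sends Strict-Transport-Security so browsers refuse plain HTTP next time.
    // Left off in development: localhost pinned to HSTS is painful to undo.
    app.UseHsts();
}
app.UseHttpsRedirection();

app.MapGet("/", () => "served over TLS only");
app.Run();
```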

  4. Protect from SQL Injection

    SQL injection happens when user input is concatenated into a SQL statement, so that part of the input is executed as SQL. The fix is to keep data and code separate: use parameterized queries (SqlParameter in ADO.NET), or an ORM such as Entity Framework Core, whose LINQ queries are parameterized automatically and whose FromSqlInterpolated turns each interpolated value into a parameter. Stored procedures help only if they do not build dynamic SQL internally, and server-side input validation is a useful extra layer but not a replacement for parameterization. Run the application under a database account with the minimum rights it needs, so that a successful injection cannot drop tables or read unrelated data.
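
The following is an added example, not code from the original article: the same user lookup written with string concatenation (vulnerable), with an ADO.NET parameter, and with EF Core both through LINQ and through FromSqlInterpolated. The User entity, table and column names are assumptions for illustration; it needs the Microsoft.Data.SqlClient and Microsoft.EntityFrameworkCore packages.

```csharp
// Added example: SQL injection, vulnerable and parameterized. Table/column names are assumptions.
using System;
using System.Data;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}

public static class UserLookup
{
    // VULNERABLE: input concatenated into the statement.
    // email = "x' OR '1'='1" matches every row; "x'; DROP TABLE Users;--" is worse.
    public static async Task<int> CountUnsafeAsync(SqlConnection conn, string email)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Email = '" + email + "'";
        return Convert.ToInt32(await cmd.ExecuteScalarAsync());
    }

    // HARDENED (ADO.NET): the value travels as a typed parameter, never as SQL text,
    // so a quote in the input is just a character in the compared value.
    public static async Task<int> CountAsync(SqlConnection conn, string email)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Email = @email";
        cmd.Parameters.Add(new SqlParameter("@email", SqlDbType.NVarChar, 256) { Value = email });
        return Convert.ToInt32(await cmd.ExecuteScalarAsync());
    }

    // HARDENED (EF Core): LINQ is translated to parameterized SQL automatically.
    public static Task<User?> FindAsync(AppDbContext db, string email) =>
        db.Users.SingleOrDefaultAsync(u => u.Email == email);

    // HARDENED (EF Core raw SQL): the interpolated overload turns each {value} into
    // a parameter. FromSqlRaw with string concatenation would be as bad as the first method.
    public static Task<User?> FindRawAsync(AppDbContext db, string email) =>
        db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {email}")
                .SingleOrDefaultAsync();
}
```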

  5. Keep your framework and libraries updated

    Outdated frameworks and libraries expose your application to publicly known vulnerabilities, which attackers scan for automatically. Stay on a supported .NET release, update NuGet packages regularly, and check dependencies with "dotnet list package --vulnerable" (available from the .NET 5 SDK onward) or a dependency scanner in your CI pipeline.

  6. Track audit trails and logging

    Audit trails and logs let administrators reconstruct what happened in an unusual situation and monitor application health, and they give the development team the context it needs to analyze defects reported by users. Record who did what, when, from where and with what result, and never log passwords, tokens or full request bodies. Don't reinvent the wheel: build on the framework's ILogger abstraction and ship the output to an established platform (Serilog sinks, Application Insights, an ELK stack or similar) rather than writing your own log store.
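
The following is an added example, not code from the original article: a small audit middleware on top of the framework's ILogger that writes one structured event per request, with the identity, client address, outcome and trace identifier as named fields. The event IDs and the choice of claim are assumptions for illustration.

```csharp
// Added example: request audit trail via ILogger. Event IDs are assumptions.
using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public static class AuditEvents
{
    public static readonly EventId RequestCompleted = new(1001, "RequestCompleted");
    public static readonly EventId AccessDenied     = new(1002, "AccessDenied");
}

public class AuditMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<AuditMiddleware> _logger;

    public AuditMiddleware(RequestDelegate next, ILogger<AuditMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var stopwatch = Stopwatch.StartNew();
        await _next(context);
        stopwatch.Stop();

        // Who, from where, what, result. Query strings and bodies are deliberately
        // not logged: they often carry tokens, passwords or personal data.
        string user = context.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "anonymous";
        string ip = context.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        bool denied = context.Response.StatusCode is 401 or 403;

        // Named placeholders keep each field queryable in the log platform;
        // denied requests get their own event id and level so alerts can key on them.
        _logger.Log(
            denied ? LogLevel.Warning : LogLevel.Information,
            denied ? AuditEvents.AccessDenied : AuditEvents.RequestCompleted,
            "User {User} from {RemoteIp} {Method} {Path} -> {StatusCode} in {ElapsedMs} ms (trace {TraceId})",
            user, ip, context.Request.Method, context.Request.Path,
            context.Response.StatusCode, stopwatch.ElapsedMilliseconds, context.TraceIdentifier);
    }
}

// Registration in Program.cs, after authentication so that context.User is populated:
//   app.UseAuthentication();
//   app.UseMiddleware<AuditMiddleware>();
```

Keep the trace identifier in the log line: it is what lets you join the audit event with the framework's own request logs and with exceptions recorded elsewhere for the same request.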

  7. Come up with secure login

    Enforce strong credentials and make guessing them expensive:

    • Use the ASP.NET Core Identity feature rather than a hand-written login; it hashes passwords correctly and supports lockout and two-factor authentication out of the box.
    • Prevent brute force attacks by locking the account for a period after a number of failed attempts and by rate-limiting login requests per client IP.
    • Return the same generic error for a wrong password and for an unknown account, so the login form does not reveal which e-mail addresses are registered.

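
The following is an added example, not code from the original article: ASP.NET Core Identity configured with password rules and account lockout, an IP-keyed rate limit on the login endpoint (the rate limiter needs .NET 7 or later), and a login handler that counts failures toward lockout. The thresholds, the connection string name and the assumption that the user name is the e-mail address are all illustrative; it needs the Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.SqlServer packages.

```csharp
// Added example: lockout plus rate limiting for a login endpoint. Thresholds are assumptions.
using System;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Default")));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 12;
    options.Password.RequireNonAlphanumeric = true;
    // Account-level brute-force control: 5 failures lock the account for 15 minutes.
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;
}).AddEntityFrameworkStores<AppDbContext>();

// Client-level control: 10 login attempts per minute per source IP, regardless of
// which accounts are targeted, so one address cannot spray passwords across users.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.AddPolicy("login", ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 10,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0
            }));
});

var app = builder.Build();
app.UseRateLimiter();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (LoginRequest req, SignInManager<IdentityUser> signIn) =>
{
    // lockoutOnFailure: true increments AccessFailedCount and locks the account once
    // MaxFailedAccessAttempts is reached. The response is the same for a wrong
    // password, an unknown user and a locked account, so nothing is leaked.
    var result = await signIn.PasswordSignInAsync(req.UserName, req.Password,
        isPersistent: false, lockoutOnFailure: true);
    return result.Succeeded ? Results.Ok() : Results.Unauthorized();
}).RequireRateLimiting("login");

app.Run();

// Assumption: the user name is the e-mail address, as in the default Identity templates.
public record LoginRequest(string UserName, string Password);

public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```

The two controls complement each other: lockout alone lets an attacker deliberately lock out victims (a denial-of-service against legitimate users), while the per-IP limit alone is defeated by a botnet. If the app sits behind a proxy or load balancer, configure the forwarded-headers middleware before the rate limiter, otherwise every request shares the proxy's address.
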
  8. XXE (XML External Entity) Attack

    XXE (XML External Entity) attacks abuse the DTD support of XML parsers. A document can declare an external entity that points at a local file or an internal URL, so the parser reads /etc/passwd or an internal service and returns its content in the response, or it can nest entities within entities (the "billion laughs" payload) so that a few kilobytes of input expand into gigabytes and exhaust the server's memory, causing a denial of service. The defense is to never process DTDs from untrusted input: create readers with XmlReader.Create and an XmlReaderSettings whose DtdProcessing is Prohibit (Ignore drops the DTD silently instead of failing the parse) and whose XmlResolver is null, so nothing external can be fetched. Apply the same settings to the legacy XmlTextReader and to XmlDocument if you still use them.
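
The following is an added example, not code from the original article: a hardened XML loader and a small driver that feeds it a constructed billion-laughs payload, a constructed external-entity payload and a benign document. The payloads are constructed for illustration and the raw string literals require C# 11 (.NET 7) or later.

```csharp
// Added example: XML parsing with DTDs prohibited. Payloads below are constructed for illustration.
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

public static class SafeXml
{
    // No DTD at all, no resolver (so even a DTD that slipped through could not fetch
    // SYSTEM/PUBLIC identifiers), and hard limits on entity expansion and document size.
    private static readonly XmlReaderSettings Settings = new()
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,
        MaxCharactersInDocument = 1024 * 1024
    };

    public static XDocument Load(string xml)
    {
        using var reader = XmlReader.Create(new StringReader(xml), Settings);
        return XDocument.Load(reader);
    }

    // Returns true when the document parses under the hardened settings.
    public static bool TryLoad(string xml, out string? error)
    {
        try { Load(xml); error = null; return true; }
        catch (XmlException ex) { error = ex.Message; return false; }
    }
}

public static class Demo
{
    // Constructed payload: nested entities that expand exponentially.
    public const string BillionLaughs = """
        <?xml version="1.0"?>
        <!DOCTYPE lolz [
          <!ENTITY lol "lol">
          <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
          <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
        ]>
        <lolz>&lol2;</lolz>
        """;

    // Constructed payload: external entity pointing at a local file.
    public const string ExternalEntity = """
        <?xml version="1.0"?>
        <!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
        <data>&xxe;</data>
        """;

    public const string Benign = "<order><id>42</id></order>";

    public static void Main()
    {
        var samples = new[]
        {
            ("billion laughs", BillionLaughs),
            ("external entity", ExternalEntity),
            ("benign", Benign)
        };
        foreach (var (name, xml) in samples)
        {
            bool ok = SafeXml.TryLoad(xml, out var error);
            Console.WriteLine($"{name}: {(ok ? "parsed" : "rejected: " + error)}");
        }
    }
}
```

Both malicious documents are rejected as soon as the reader reaches the DOCTYPE declaration, before any entity is expanded or any file is opened; only the benign document parses.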

  9. Don't forget to clear cookies on logout.

    Logging out must invalidate the session on the server, not merely navigate away from the page: sign the user out so the authentication cookie is expired, clear the server-side session and delete the session cookie. If a still-valid cookie survives logout, anyone who obtained a copy of it (shared computer, stolen backup, malware) can keep using the account; this is session hijacking through cookie reuse. The related Session Fixation attack, in which an attacker plants a known session identifier before the victim logs in, is defeated by issuing a fresh session and authentication cookie at login instead of reusing whatever the browser already holds.
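
The following is an added example, not code from the original article: an Identity-based logout action that refreshes the user's security stamp so every outstanding cookie for that account stops validating, signs the user out, and clears both the server-side session and its cookie. The controller name and the redirect target are assumptions; session support (AddSession/UseSession) is assumed to be configured.

```csharp
// Added example: logout that invalidates state on the server and clears cookies.
// Controller name and redirect target are assumptions for illustration.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public AccountController(SignInManager<IdentityUser> signInManager,
                             UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // logout changes state: POST with a token, never a GET link
    public async Task<IActionResult> Logout()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user is not null)
        {
            // Rotates the stamp embedded in the authentication cookie. The cookie
            // handler re-validates it on its ValidationInterval and rejects cookies
            // carrying the old value, so a copy taken before logout (or a session on
            // another device) stops working server-side, not just in this browser.
            await _userManager.UpdateSecurityStampAsync(user);
        }

        await _signInManager.SignOutAsync();              // expires the Identity cookies
        HttpContext.Session.Clear();                      // drops server-side session data
        Response.Cookies.Delete(".AspNetCore.Session");   // default session cookie name

        return RedirectToAction("Index", "Home");
    }
}
```

The security-stamp rotation is what turns "delete the cookie in this browser" into a real server-side invalidation; without it, a cookie copied before logout remains valid until its own expiry.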

  10. Try to hide your .NET Core version.

    Servers tend to advertise their stack in response headers: Kestrel adds Server: Kestrel, IIS adds Server: Microsoft-IIS/10.0 and X-Powered-By: ASP.NET, and older ASP.NET stacks added X-AspNet-Version. Exact version strings help an attacker pick the exploit that fits your deployment, so remove these headers from responses. Treat this as hygiene rather than a real defense: fingerprinting works without the headers, and hiding a version never substitutes for patching it.
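
The following is an added example, not code from the original article: disabling Kestrel's Server header at the source and stripping the remaining stack-identifying headers just before each response starts. The list of header names beyond Server and X-Powered-By is an assumption drawn from older ASP.NET hosts; the web.config fragment in the trailing comment applies only when IIS is in front of the app.

```csharp
// Added example: removing stack-identifying response headers in ASP.NET Core.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Kestrel adds "Server: Kestrel" by default; turn it off at the source.
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);

var app = builder.Build();

app.Use(async (context, next) =>
{
    // Headers are committed when the response starts, so hook that moment
    // instead of editing them after the rest of the pipeline has returned.
    context.Response.OnStarting(() =>
    {
        context.Response.Headers.Remove("Server");
        context.Response.Headers.Remove("X-Powered-By");
        context.Response.Headers.Remove("X-AspNet-Version");      // legacy ASP.NET header (assumption)
        context.Response.Headers.Remove("X-AspNetMvc-Version");   // legacy ASP.NET MVC header (assumption)
        return Task.CompletedTask;
    });
    await next();
});

app.MapGet("/", () => "hello");
app.Run();

// When hosted behind IIS, X-Powered-By is added by IIS itself, not by ASP.NET Core,
// so the middleware above cannot remove it. Strip it in web.config instead:
//   <system.webServer>
//     <httpProtocol>
//       <customHeaders>
//         <remove name="X-Powered-By" />
//       </customHeaders>
//     </httpProtocol>
//   </system.webServer>
```

Check the result with a plain request (for example curl -I against the site) and confirm that no Server or X-Powered-By header is present in the response.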

This is part of a series about our experiences with .Net. We hope you have found the answers to your questions. Also, we suggest reading the other article about web development costs and the right questions to hire a .NET developer.
