Secure Coding Practices in .NET Core Web API

Secure Coding Practices in .NET Core Web API

1. Prevent SQL Injection

Always use parameterized queries with EF Core or Dapper.

// EF Core

var user = await _context.Users.FirstOrDefaultAsync(u => u.Username == username);

 

// Dapper

var sql = "SELECT * FROM Users WHERE Username = @Username";

var user = connection.QueryFirstOrDefault<User>(sql, new { Username = username });

 

2. Prevent CSRF (When using cookies)

Apply the [ValidateAntiForgeryToken] attribute for form submissions.

[ValidateAntiForgeryToken]

[HttpPost]

public IActionResult SubmitForm([FromBody] FormModel model)

{

    // Handle securely

}

For JWT-based APIs, CSRF is less of a concern due to lack of cookie-based state.

 

3. Secure Authentication and Authorization

Use JWT or OAuth2 for token-based authentication. Secure sensitive endpoints:

[Authorize(Roles = "Admin")]

[HttpGet("admin/data")]

public IActionResult GetAdminData()

{

    return Ok("Admin access granted.");

}

Enforce role-based access control in your policies and services.

 

4. Secure Error Handling

Never return raw exception messages to the client. Log them internally and respond generically.

try

{

    // risky logic

}

catch (Exception ex)

{

    _logger.LogError(ex, "Unexpected error");

    return StatusCode(500, "An unexpected error occurred.");

}

Use global exception middleware for centralized error handling.

 

5. Enforce HTTPS

Redirect all HTTP traffic to HTTPS in production.

app.UseHttpsRedirection();

 

6. Add Security Headers

Protect your API with appropriate HTTP headers:

app.Use(async (context, next) =>

{

    context.Response.Headers.Add("X-Frame-Options", "DENY");

    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");

    context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'");

    await next();

});

 

7. Token Expiry and Refresh Support

  • Use short-lived JWT access tokens
  • Provide a refresh-token endpoint
  • Issue new tokens securely without re-authenticating

 

Summary

.NET Core Web API (Backend)

  • Use parameterized queries
  • Validate and authorize all requests
  • Handle errors securely
  • Apply HTTPS and security headers
  • Issue and manage tokens correctly

 


Comments

Post a Comment

Popular posts from this blog

Factory Method Design Pattern in .NET — Real-Time Finance Example

The Factory Method design pattern is a classic solution for a common software engineering challenge: how to create objects without tightly coupling the client code to their concrete types. Instead of instantiating classes directly using new, Factory Method defers object creation to subclasses or dedicated factory methods. In this blog post, we'll explore the Factory Method pattern in C# with a real-world banking transaction example and also discuss its benefits, drawbacks, and best practices.   💡 What Is the Factory Method Pattern? The Factory Method pattern provides an interface for creating objects in a superclass but allows subclasses or factory methods to alter the type of objects that will be created . This promotes: Loose coupling Polymorphism Improved testability and scalability   🎯 Purpose The key goal of Factory Method is to encapsulate object creation logic , so your business logic doesn’t depend on concrete classes. This becomes especially valuable...
Read more

Logging in .NET Core: Built-in Logging vs Serilog with Full Implementation Guide

Logging in .NET Core: Built-in Logging vs Serilog with Full Implementation Guide Logging is an essential aspect of application development. In .NET Core and beyond (.NET 5/6/7/8), Microsoft provides a built-in logging framework that is simple to use. However, when applications grow and logging needs become more advanced, third-party solutions like Serilog shine. In this blog, we will explore built-in logging, Serilog, their differences, and how to implement both in your .NET Core application.   1. .NET Core Built-in Logging Overview .NET Core uses Microsoft.Extensions.Logging as a base logging interface. This logging abstraction allows logging to multiple destinations, such as: Console Debug EventSource EventLog (Windows only) Azure Application Insights (via extensions) Files (through third-party integrations) Pros: Simple to use Built-in Fully integrated with Dependency Injection (DI) Cons: Limited formatting op...
Read more

Implementing Single Sign-On (SSO) in .NET Core and Angular

Implementing Single Sign-On (SSO) in .NET Core and Angular Introduction Single Sign-On (SSO) is a powerful authentication mechanism that enhances user experience and security by allowing users to log in once and access multiple applications without re-entering credentials. In this blog, we will walk through the implementation of SSO using OAuth 2.0 and OpenID Connect (OIDC) with IdentityServer4 in .NET Core and Angular. Why Use SSO? Improved User Experience : Users authenticate once and access multiple services without repeated logins. Centralized Authentication : Easier user management and security enforcement. Better Security : Reduces password fatigue and encourages strong authentication policies. Scalability : Works well across multiple applications, making it ideal for enterprise solutions. Step 1: Setting Up IdentityServer4 in .NET Core IdentityServer4 is an open-source framework that enables authentication and authorization using OpenID Connect and OAuth2. 1.1 Cr...
Read more