ASP.NET 8 Best Practices

Product type: Book
Published in: Dec 2023
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781837632121
Edition: 1st Edition
Author:
Jonathan R. Danylko

Jonathan "JD" Danylko is an award-winning, full-stack ASP.NET architect. He's used ASP.NET as his primary way to build websites since 2002 and before that, Classic ASP. Jonathan contributes to his blog (DanylkoWeb) on a weekly basis, has built a custom CMS, is a founder of Tuxboard (an open-source ASP.NET dashboard library), has been on various podcasts, and guest posted on the C# Advent Calendar for 6 years. Jonathan has worked in various industries for small, medium, and Fortune 100 companies, but currently works as an Architect at Insight Enterprise. The best way to contact Jonathan is through GitHub, LinkedIn, Twitter, email, or through the website.

Applying Security from the Start

Next to performance, security should always be a top priority when building web applications. Creating secure web applications remains a challenge because the landscape of internet threats, such as cross-site scripting (XSS) and injection techniques, keeps evolving. Even when the best developer safeguards an application against the worst technical threat, most attacks succeed through human interaction and environmental weaknesses. The best approach for developers is to protect their applications from the ground up and create as many roadblocks as possible, so that even the most determined attackers are deterred from gaining access to their systems.

First, we’ll learn how to identify highly sensitive data and how to secure access. We’ll then move on to common security practices and provide various ASP.NET Core features that you can apply to your applications. Finally, we’ll review the top three security threats according to the Open Worldwide...

Technical requirements

While we will talk about security in this chapter, most of the discussion will contain small snippets of code that you can include in your projects. Access to a code editor isn’t necessary for this chapter to understand the essentials of security at a developer level.

The code files for this chapter can be found here: https://github.com/PacktPublishing/ASP.NET-Core-8-Best-Practices.

Developing Security

In this section, we’ll examine terms and concepts regarding how to identify the data you need to secure and explain three extremely important ways to secure your website.

Too often, when developers start to build an ASP.NET web project, security is applied at the end of the project instead of being planned for proactively from the start. One approach to implementing security is to examine your applications and look for these types of highly sensitive data throughout:

  • Name and location
  • Usernames and passwords
  • Contact information (phone number, email address, and so on)
  • Social security number
  • Financials (customer plans, credit cards, and so on)
  • Database connections
  • Custom settings

Depending on the intent of the web application, other types might be involved, such as specific access to a section where permissions are implied. Other types of data could be considered sensitive based on industry or even government...

Common Security Practices

As a developer, security seems to be a black box sometimes. You always hear about incidents where websites have been hacked, but you might think to yourself, “That couldn’t happen to me,” until it happens to you. When you witness a website you built being attacked first-hand, it’s a humbling experience.

While the techniques we’re about to cover only scratch the surface for ASP.NET websites, they encourage developers to become more proactive in their coding as opposed to finding out they were hacked and immediately becoming reactive.

In this section, we’ll review common security practices in the industry you can use to protect yourself so that you know what your system is doing and are not exposing too much to the world. We’ll learn about the different types of logs, how to update libraries and frameworks, and how to remove header information. We’ll finish this chapter by learning how to encrypt...

Safeguarding Against the Top 3 Security Threats

The Open Worldwide Application Security Project, or OWASP, is a non-profit foundation dedicated to improving the security of software. Since new threats are emerging all the time, they keep a list called the OWASP Top 10, which is meant to keep software developers up to date regarding the latest security threats and how to prevent them. The Top 10 list includes the following security threats:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

In this section, we’ll cover the top three threats and how to safeguard your ASP.NET Core application from these threats – that is, Broken Access Control, Cryptographic Failures, and Injection.

Broken...

Summary

In this chapter, we learned how to safeguard our code by understanding what sensitive data is and how to secure it using authentication, authorization, and SSL-enabled connections.

In the second part of this chapter, we reviewed some common standards in the industry, such as logging, keeping our frameworks and libraries up to date, and always redirecting to SSL-enabled sites. After that, we learned to never trust client data: validate, filter, and sanitize it, and always encode it. We also learned not to announce to the world which server and version we are running, by adding or removing security headers, and we created a reusable security middleware component for that purpose.
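As an added illustration of the header-related practices summarized above (this is example code written for this page, not the book's own middleware or the code from its GitHub repository), the following ASP.NET Core 8 `Program.cs` disables Kestrel's `Server` header, redirects to HTTPS with HSTS, and registers a small reusable middleware that strips version-announcing headers and adds a baseline set of hardening headers. The middleware class name, the extension method name, and the exact header values are assumptions chosen for this example; tune the `Content-Security-Policy` value to what your application actually loads.

```csharp
// Added example for this page; not the book's code. Assumes the .NET 8 web SDK.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;

var builder = WebApplication.CreateBuilder(args);

// Kestrel adds its own "Server: Kestrel" header; turn it off at the source
// rather than trying to remove it later in the pipeline.
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);

var app = builder.Build();

// Always push browsers to the SSL-enabled site.
app.UseHsts();
app.UseHttpsRedirection();

// Reusable hardening middleware (defined below), placed early so every
// response, including error pages, gets the headers.
app.UseSecurityHeaders();

app.MapGet("/", () => "hello");
app.Run();

// Hypothetical middleware name chosen for this example.
public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // OnStarting runs just before the response headers are flushed, so
        // nothing downstream can re-add what we remove here.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // Do not advertise the server, framework, or version.
            headers.Remove("Server");
            headers.Remove("X-Powered-By");
            headers.Remove("X-AspNet-Version");

            // Baseline hardening headers (values are this example's defaults).
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "DENY";
            headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
            headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
            headers["Content-Security-Policy"] =
                "default-src 'self'; object-src 'none'; frame-ancestors 'none'";

            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class SecurityHeadersExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}
```

A quick way to check the result is to request any page with `curl -I https://localhost:<port>/` and confirm that no `Server` or `X-Powered-By` header appears while the hardening headers do. Note that `X-Powered-By` is typically added by IIS rather than Kestrel, so when hosting behind IIS you should also remove it in `web.config`; the middleware removal is a belt-and-braces measure.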

We also touched on encrypting database columns with SQL Server, why it is important to protect fields proactively, and why creating a custom encryption algorithm should be avoided. We also learned how to avoid cross-site request forgery by using anti-forgery tokens.
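To make the anti-forgery point concrete, here is an added example (written for this page, not taken from the book) of an ASP.NET Core 8 MVC setup that validates anti-forgery tokens on every state-changing request application-wide, so a form POST that lacks a valid token is rejected before the action runs. The `ProfileController` and its `displayName` parameter are hypothetical names for this example.

```csharp
// Added example for this page; not the book's code. Assumes the .NET 8 web SDK.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// AutoValidateAntiforgeryTokenAttribute validates the token on POST, PUT,
// PATCH, and DELETE for every controller action, so a developer cannot
// forget to decorate a new action.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical controller chosen for this example.
public sealed class ProfileController : Controller
{
    // GET renders the form. In the Razor view, a form written with the tag
    // helper, <form asp-action="Edit" method="post">, automatically emits the
    // hidden __RequestVerificationToken field that the filter checks.
    [HttpGet]
    public IActionResult Edit() => View();

    // The global filter already validates the token; the explicit attribute
    // simply documents the intent on this state-changing action.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Edit(string displayName)
    {
        if (string.IsNullOrWhiteSpace(displayName) || displayName.Length > 64)
        {
            // Never trust client data: validate before acting on it.
            ModelState.AddModelError(nameof(displayName), "Display name is required and must be 64 characters or fewer.");
            return View();
        }

        // ... persist the change for the authenticated user here ...
        return RedirectToAction(nameof(Edit));
    }
}
```

If a request arrives with a missing or mismatched token, the framework returns a 400 response and the action body never executes. An endpoint that must legitimately accept posts without a token, for example a webhook authenticated by another mechanism, can opt out with `[IgnoreAntiforgeryToken]`, which keeps the exception explicit and reviewable rather than implicit.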

Finally, we examined...
