ASP.NET Core security
Enable SSL in ASP.Net Core
To enforce SSL, add the [RequireHttps] attribute on top of a controller, or use the following code to secure your entire site:

    // _env is the IHostingEnvironment injected into Startup
    services.AddMvc(options =>
    {
        // Register RequireHttps as a global filter so every action requires HTTPS,
        // except in the Development environment (see below)
        if (!_env.IsDevelopment())
        {
            options.Filters.Add(typeof(RequireHttpsAttribute));
        }
    });

The filter is skipped when the environment is Development because IIS Express uses a non-standard HTTPS port for development purposes.
Redirection
According to OWASP, unvalidated redirects and forwards are one of the most common attacks in real life.
With a single line of code we can stop redirection altogether (the middleware must always be registered after UseStaticFiles). When we're building an API we rarely need to redirect at all. With UseRedirectValidation in place, HTTP redirects are monitored and an error is thrown whenever a disallowed one is attempted.
First off, you need the following NuGet package:
Install-Package NWebsec.AspNetCore.Middleware
When you don't need to redirect:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        app.UseStaticFiles();
        app.UseRedirectValidation(); // No redirection
    }

If you do need to redirect, then you probably want to set some restrictions:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        ...
        app.UseStaticFiles();
        app.UseRedirectValidation(opts =>
        {
            // Allow a redirect from http:// to https:// on the same host
            opts.AllowSameHostRedirectsToHttps();
            //opts.AllowSameHostRedirectsToHttps(4430); // Allow redirects to a custom HTTPS port
            // Whitelist of external destinations that redirects may point to
            opts.AllowedDestinations("http://www.mysite.com/", "https://www.google.com/accounts/");
        });
    }
Clickjacking
X-Frame-Options is used to stop clickjacking, where a user is tricked into clicking on something hidden inside a frame. The attacker could manipulate the user into transferring money, clicking on certain ads to boost page views, or performing other malicious actions.
The following header values help to prevent this:
X-Frame-Options: Deny
X-Frame-Options: SameOrigin
Strict Transport Security, also known as HSTS, in .NET Core (you shall not pass if you're not on HTTPS)
Say you're trying to connect to your bank, StableBank.com, while connected to some external Wi-Fi. Because you don't start your web request on HTTPS, there is a chance that someone could hijack your request, redirect it to an identical-looking site and trick you into logging in.
HSTS ensures that your browser always makes its requests to the site over SSL.
First of all, you need to install the NWebsec.AspNetCore.Middleware package.
Example HTTP header:
Strict-Transport-Security: max-age=xxxxxxxx
Code to set up the application:

    app.UseHsts(options => options.MaxAge(days: 1000).IncludeSubdomains());
More configuration details can be found from this link here.
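The following Startup class is an added example (not code from the original post or from NWebsec) that wires together the pieces covered in the SSL, redirection, clickjacking and HSTS sections in the order the middleware expects; X-Frame-Options is set through NWebsec's UseXfo middleware. The allowed destination URL and the 365-day max-age are assumed values.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
// NWebsec's UseRedirectValidation/UseXfo/UseHsts extension methods live in the
// Microsoft.AspNetCore.Builder namespace, so no extra using is needed.

public class Startup
{
    private readonly IHostingEnvironment _env;

    public Startup(IHostingEnvironment env)
    {
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Require HTTPS everywhere except Development, where IIS Express
            // serves HTTPS on a non-standard port.
            if (!_env.IsDevelopment())
            {
                options.Filters.Add(typeof(RequireHttpsAttribute));
            }
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();

        // Must come after UseStaticFiles. Only same-host upgrades to HTTPS and
        // the listed destination are allowed; any other Location header throws
        // instead of becoming an open redirect.
        app.UseRedirectValidation(opts =>
        {
            opts.AllowSameHostRedirectsToHttps();
            opts.AllowedDestinations("https://www.google.com/accounts/"); // assumed value
        });

        // Emits "X-Frame-Options: Deny" so the site cannot be framed (clickjacking).
        app.UseXfo(opts => opts.Deny());

        // Emits "Strict-Transport-Security: max-age=31536000; includeSubDomains".
        app.UseHsts(opts => opts.MaxAge(days: 365).IncludeSubdomains());

        app.UseMvc();
    }
}
```

After starting the site, confirm the headers in the browser's network tab or with an HTTPS request from the command line; a response missing X-Frame-Options or Strict-Transport-Security usually means the middleware was registered in the wrong order.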
CSRF (Anti-request forgery)
You can achieve this by adding [AutoValidateAntiforgeryToken] to your controller and including the following markup in your form: @Html.AntiForgeryToken()
What about protecting API based application?
One approach is to check for a custom header and add or change its value using a filter attribute. However, an XSS attack could potentially set this value too, so this approach is not safe against XSS combined with CSRF.
XSS
The key thing to do here is to encode user input so that it cannot be interpreted as script. For example, a user entering ''