Security is a crucial component of software development. To help developers build secure applications, the most recent version of the .NET platform, .NET 6, ships with a range of built-in security capabilities.
In this post, we’ll examine some of .NET 6’s most critical security features and practical applications for them.
ASP.NET Core Identity
ASP.NET Core Identity is the framework's integrated membership system. It lets developers manage user registration, authentication, and authorization in their applications, with support for password management, two-factor authentication, and role-based authorization.
As an illustration, consider the following application of ASP.NET Core identity:
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;
    [HttpPost]
    [ValidateAntiForgeryToken] // rejects a POST that lacks the token emitted in the login form
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        // lockoutOnFailure: false keeps failed attempts from counting towards account lockout
        var result = await _signInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, lockoutOnFailure: false);
        if (result.Succeeded)
        {
            return RedirectToAction("Index", "Home");
        }
        // Generic message: does not reveal whether the user name exists
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
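The snippet above shows the sign-in call but not the rules behind it. The following is an added example, not code from the original post, showing how Identity's password, lockout and sign-in options are configured in a .NET 6 Program.cs and how a login action acts on each branch of the SignInResult. It assumes the Microsoft.AspNetCore.Identity.EntityFrameworkCore and EF Core SQL Server packages are referenced and that a connection string named "Default" exists in configuration; AppDbContext and LoginViewModel are defined here for the example.

```csharp
// Added example (not from the original post): Identity password, lockout and sign-in rules,
// plus a login action that handles every SignInResult branch.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Assumed: connection string "Default" is present in appsettings or the environment.
builder.Services.AddDbContext<AppDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("Default")));

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Password policy: length buys more than character-class rules do.
    options.Password.RequiredLength = 12;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequiredUniqueChars = 4;

    // Lockout policy: only counts when PasswordSignInAsync is called with lockoutOnFailure: true.
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;

    // Sign-in policy: accounts with an unconfirmed e-mail address cannot log in.
    options.SignIn.RequireConfirmedEmail = true;
    options.User.RequireUniqueEmail = true;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Defined here so the example compiles on its own.
public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

public record LoginViewModel(string UserName, string Password, bool RememberMe);

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // lockoutOnFailure: true makes the Lockout options above apply to this attempt.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, model.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.RequiresTwoFactor) return RedirectToAction("LoginWith2fa", new { model.RememberMe });
        if (result.IsLockedOut) return View("Lockout");

        // One message for an unknown user, a wrong password and an unconfirmed account,
        // so the response does not reveal which accounts exist.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
```

The lockout branch is the part most often left out: with lockoutOnFailure: true, the Lockout options turn repeated failures into a temporary lock, and the controller shows a dedicated view rather than the generic error.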
Cross-Site Request Forgery (CSRF) Protection
.NET 6's built-in security protects against Cross-Site Request Forgery (CSRF). An anti-forgery token ties a form to the browser session it was served to, so a form submission or state-changing action is accepted only when it comes from a page the application itself produced, not from a third-party site acting on the user's behalf.
Please find below an illustration of CSRF protection in action on a Razor page:
<form method="post">
    @Html.AntiForgeryToken()
    <input type="text" name="username" />
    <input type="password" name="password" />
    <button type="submit">Login</button>
</form>
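Emitting the token in the form is only half of the protection: the server must also reject requests that arrive without a valid one. The following is an added example, not code from the original post, showing a .NET 6 Program.cs that validates the token on every unsafe verb application-wide, hardens the anti-forgery cookie, and exposes the request token to script clients. The cookie name and header name are assumptions chosen for this example.

```csharp
// Added example (not from the original post): server-side anti-forgery validation.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews(options =>
{
    // Validate on every unsafe verb (POST, PUT, PATCH, DELETE) application-wide,
    // so no action is left unprotected by a forgotten [ValidateAntiForgeryToken].
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

builder.Services.AddAntiforgery(options =>
{
    // Assumed name; the __Host- prefix makes browsers accept the cookie only with
    // Secure, Path=/ and no Domain, so a subdomain cannot plant one of the same name.
    options.Cookie.Name = "__Host-XSRF";
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;              // the default, stated for clarity
    options.HeaderName = "X-XSRF-TOKEN";         // where fetch/XHR callers send the request token
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();

// Script clients call this first: GetAndStoreTokens sets the cookie half and returns
// the request half, which the client then sends back in the X-XSRF-TOKEN header.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext httpContext) =>
{
    var tokens = antiforgery.GetAndStoreTokens(httpContext);
    return Results.Ok(new { requestToken = tokens.RequestToken, headerName = tokens.HeaderName });
});

app.Run();

public class AccountController : Controller
{
    // No per-action attribute needed: the global filter already rejects a POST without a valid token.
    [HttpPost]
    public IActionResult Login(string username, string password) => RedirectToAction("Index", "Home");

    // Opting out is explicit and visible in code review, e.g. for a webhook that is
    // authenticated by a request signature instead of a browser session.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```

With the global filter in place, a POST to Login that carries no token (or a token that does not match the cookie) is answered with 400 before the action runs.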
HTTPS Enforcement
.NET 6 includes support for requiring HTTPS for all requests. Because every exchange between client and server is then encrypted, the risk of data being intercepted or tampered with in transit is reduced.
Below is an illustration of how to make an ASP.NET Core application require HTTPS:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // ...
    // Redirects any plain-HTTP request to its HTTPS equivalent; register it before
    // routing and authentication so no handler ever sees an unencrypted request
    app.UseHttpsRedirection();
    // ...
}
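Redirection alone still lets a browser make the first request in the clear. The following is an added example, not code from the original post, showing a .NET 6 Program.cs that pairs redirection with HSTS, configures both explicitly, and handles the common case of a reverse proxy that terminates TLS. The excluded host name is constructed for this example.

```csharp
// Added example (not from the original post): HTTPS redirection plus HSTS in .NET 6.
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpsRedirection(options =>
{
    // 308 preserves the HTTP method (a redirected POST stays a POST) and is cacheable.
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    // Stated explicitly: if the middleware cannot determine the HTTPS port it skips
    // redirecting altogether instead of failing loudly.
    options.HttpsPort = 443;
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = true;
    // Hosts that must stay reachable over plain HTTP (localhost is excluded by default).
    options.ExcludedHosts.Add("intranet.example.internal"); // constructed host name
});

var app = builder.Build();

// Behind a proxy that terminates TLS, honour X-Forwarded-Proto so requests that were
// HTTPS at the proxy are not redirected again (otherwise a redirect loop). Only loopback
// proxies are trusted by default; add KnownProxies/KnownNetworks for anything else.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto
});

if (!app.Environment.IsDevelopment())
{
    // Once a browser has seen the HSTS header it refuses plain HTTP for MaxAge,
    // which is why the header is kept out of local development.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.MapGet("/", () => "Reachable over HTTPS only.");
app.Run();
```

The order matters: forwarded headers are processed first so the redirection middleware sees the scheme the client actually used, and HSTS is emitted only on responses that already travelled over HTTPS.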
Data Protection API (DPAPI)
The Data Protection API helps developers keep sensitive data such as passwords and authentication tokens from being read by unauthorized parties.
Please find below an example of how to use the DPAPI to protect data:
using System.Runtime.Versioning;
using System.Security.Cryptography; // ProtectedData comes from the System.Security.Cryptography.ProtectedData package
using System.Text;
// ProtectedData wraps Windows DPAPI and throws PlatformNotSupportedException elsewhere;
// on Linux/macOS, and in web apps generally, use ASP.NET Core's IDataProtector instead
[SupportedOSPlatform("windows")]
public string ProtectData(string dataToProtect)
{
    var dataBytes = Encoding.UTF8.GetBytes(dataToProtect);
    // CurrentUser scope: only the same Windows account on the same machine can unprotect the result
    var protectedData = ProtectedData.Protect(dataBytes, null, DataProtectionScope.CurrentUser);
    return Convert.ToBase64String(protectedData);
}
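ProtectedData is tied to a Windows user account, which does not fit a web application that runs on Linux containers or across several instances. The following is an added example, not code from the original post, showing the cross-platform ASP.NET Core Data Protection stack used to issue expiring, tamper-evident e-mail confirmation tokens. The application name, the key directory and the purpose string are assumptions chosen for this example.

```csharp
// Added example (not from the original post): ASP.NET Core Data Protection with a purpose
// string and a time limit, used for confirmation tokens.
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDataProtection()
    // Instances that share a key ring must share the application name, or they cannot
    // read each other's payloads. Assumed name.
    .SetApplicationName("orders-web")
    // Keys persisted outside the process survive restarts and can be shared by a web farm.
    // Assumed path: restrict it to the app's service account, and on Linux pair it with
    // ProtectKeysWithCertificate(...) so the keys are also encrypted at rest.
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/orders-web/keys"))
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

builder.Services.AddSingleton<ConfirmationTokenService>();

var app = builder.Build();

app.MapPost("/confirm/issue/{userId}", (string userId, ConfirmationTokenService tokens) =>
    Results.Ok(new { token = tokens.Issue(userId) }));

app.MapPost("/confirm/redeem", (string token, ConfirmationTokenService tokens) =>
    tokens.TryRedeem(token, out var userId)
        ? Results.Ok(new { userId })
        : Results.BadRequest("Token is invalid or has expired."));

app.Run();

public sealed class ConfirmationTokenService
{
    private readonly ITimeLimitedDataProtector _protector;

    public ConfirmationTokenService(IDataProtectionProvider provider)
    {
        // The purpose string isolates this use: a payload protected for another purpose
        // (or another version of this one) will not unprotect here even under the same keys.
        _protector = provider.CreateProtector("Account.EmailConfirmation.v1")
                             .ToTimeLimitedDataProtector();
    }

    public string Issue(string userId) =>
        _protector.Protect(userId, lifetime: TimeSpan.FromMinutes(30));

    public bool TryRedeem(string token, out string? userId)
    {
        try
        {
            userId = _protector.Unprotect(token, out _);
            return true;
        }
        catch (CryptographicException)
        {
            // Thrown for a tampered payload, a wrong purpose, a revoked key or an expired lifetime.
            userId = null;
            return false;
        }
    }
}
```

Redeeming a token minted under a different purpose string, or after its 30-minute lifetime, ends in the CryptographicException branch rather than in a successful unprotect, which is the property the confirmation flow relies on.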
Authorization Policies
In .NET 6, authorization policies let developers decide which actions a user may perform based on their role or other criteria; for example, access to specific pages or features of an application can be restricted to users in a given role.
An example of using authorization policies in an ASP.NET Core application follows:
// Policy registration (Startup.ConfigureServices, or builder.Services in a .NET 6 Program.cs);
// app.UseAuthorization() must also be in the pipeline for the policy to be enforced
services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy =>
    {
        policy.RequireRole("Admin");
    });
});
// Enforced on the action: a user without the Admin role gets 403 (or a login redirect if anonymous)
[Authorize(Policy = "AdminOnly")]
public IActionResult AdminPage()
{
    // ...
}
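A role check is the simplest policy; the same mechanism also carries claim checks and custom requirements, and a fallback policy turns the application into default-deny. The following is an added example, not code from the original post, showing a .NET 6 Program.cs with a fallback policy, a claim-based policy, and a requirement with its handler. The claim types, policy names and controller are assumptions constructed for this example.

```csharp
// Added example (not from the original post): default-deny fallback, claim-based and
// requirement-based policies, and a handler.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();

builder.Services.AddAuthorization(options =>
{
    // Default-deny: every endpoint needs an authenticated user unless it opts out with [AllowAnonymous].
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();

    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));

    // Claim-based: a "department" claim with one of the listed values (constructed claim type).
    options.AddPolicy("FinanceOrAudit", policy => policy.RequireClaim("department", "finance", "audit"));

    // Requirement-based: evaluated by MfaRequirementHandler below.
    options.AddPolicy("MfaRequired", policy => policy.Requirements.Add(new MfaRequirement()));
});
builder.Services.AddSingleton<IAuthorizationHandler, MfaRequirementHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public sealed class MfaRequirement : IAuthorizationRequirement { }

// Succeeds only when the "amr" (authentication methods) claim records that MFA was used.
public sealed class MfaRequirementHandler : AuthorizationHandler<MfaRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MfaRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "amr" && c.Value == "mfa"))
        {
            context.Succeed(requirement);
        }
        // No Fail() call: a requirement that is never marked succeeded already denies access,
        // and calling Fail() would also veto any other handler for the same requirement.
        return Task.CompletedTask;
    }
}

public class PayrollController : Controller
{
    // Several [Authorize] attributes all have to pass.
    [Authorize(Policy = "FinanceOrAudit")]
    [Authorize(Policy = "MfaRequired")]
    public IActionResult Export() => Content("payroll export");

    [AllowAnonymous]
    public IActionResult Health() => Content("ok");
}
```

With the fallback policy set, an action that carries no attribute at all still requires a signed-in user, so forgetting [Authorize] on a new action fails closed instead of open.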
SQL Injection Protection
SQL injection is a common attack in which attacker-controlled input is interpreted as part of an application's SQL query. .NET 6 defends against SQL injection when queries are parameterized, so that user input is passed as a typed parameter value rather than spliced into the SQL text.
Here’s an example of how to use parameterized queries to protect against SQL injection attacks:
using Microsoft.Data.SqlClient; // or System.Data.SqlClient on older projects
var sql = "SELECT * FROM Users WHERE UserName = @UserName";
using (var connection = new SqlConnection(connectionString))
using (var command = new SqlCommand(sql, connection))
{
    // The value is sent as a typed parameter and is never parsed as part of the SQL text
    command.Parameters.AddWithValue("@UserName", username);
    connection.Open();
    using (var reader = command.ExecuteReader())
    {
        // ...
    }
}
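Parameters protect values, but they cannot protect identifiers such as a column name in an ORDER BY clause, which is where injection survives in otherwise parameterized code. The following is an added example, not code from the original post, placing the unsafe concatenation beside its parameterized form and adding an allow-list for the identifier case. The table and column names are constructed for this example.

```csharp
// Added example (not from the original post): parameterized values and allow-listed identifiers.
using System.Collections.Generic;
using System.Data;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;

public static class UserQueries
{
    // ANTI-PATTERN, shown only for contrast: any single quote in userName changes the
    // meaning of the statement because the value becomes part of the SQL text.
    public static string VulnerableSql(string userName) =>
        "SELECT Id, UserName FROM Users WHERE UserName = '" + userName + "'";

    // Parameterized: the value travels separately from the SQL text and is never parsed as SQL.
    public static async Task<List<(int Id, string UserName)>> FindUsersAsync(string connectionString, string userName)
    {
        const string sql = "SELECT Id, UserName FROM Users WHERE UserName = @UserName";
        var rows = new List<(int Id, string UserName)>();

        await using var connection = new SqlConnection(connectionString);
        await using var command = new SqlCommand(sql, connection);
        // Explicit type and length instead of AddWithValue: avoids nvarchar(max) inference and
        // implicit conversions that can bypass the index on UserName.
        command.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;

        await connection.OpenAsync();
        await using var reader = await command.ExecuteReaderAsync();
        while (await reader.ReadAsync())
        {
            rows.Add((reader.GetInt32(0), reader.GetString(1)));
        }
        return rows;
    }

    // Identifiers cannot be parameterized: map user-facing sort keys to known column names.
    private static readonly IReadOnlyDictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["name"] = "UserName",
            ["created"] = "CreatedAt",
        };

    public static string BuildSortedQuery(string sortKey)
    {
        if (!SortColumns.TryGetValue(sortKey, out var column))
        {
            throw new ArgumentException($"Unsupported sort key '{sortKey}'.", nameof(sortKey));
        }
        // Only a value from the allow-list ever reaches the SQL text.
        return $"SELECT Id, UserName FROM Users ORDER BY {column}";
    }
}
```

BuildSortedQuery("name") yields an ORDER BY on UserName, while any key not in the allow-list throws before a statement is built, so the identifier position is never populated from raw input.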
Secure Cookies
Cookies are frequently used for session management, authentication, and storing user data. To mitigate cookie-based threats such as theft and tampering, .NET 6 supports secure cookie settings. Below is a code sample of a secure cookie being configured in an ASP.NET Core application:
using Microsoft.AspNetCore.Authentication.Cookies;
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // only ever sent over HTTPS
        options.Cookie.HttpOnly = true;                          // not readable from JavaScript
    });
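Secure and HttpOnly are the minimum; a cookie is also trusted until it expires, so the server has no say if the account is disabled in the meantime. The following is an added example, not code from the original post, showing a fuller cookie authentication setup for .NET 6 with SameSite, a __Host- prefixed name, sliding expiry, per-request re-validation of the principal, and a cookie policy that applies the same baseline to every cookie the application emits. The cookie name, the claim used and the IUserStatus service are assumptions constructed for this example.

```csharp
// Added example (not from the original post): hardened cookie authentication and cookie policy.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSingleton<IUserStatus, InMemoryUserStatus>();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Assumed name; browsers accept the __Host- prefix only with Secure, Path=/ and no
        // Domain, so a subdomain cannot plant a cookie of this name.
        options.Cookie.Name = "__Host-Auth";
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Lax;   // not attached to cross-site POSTs
        options.Cookie.IsEssential = true;

        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;             // renewed once half the lifetime has elapsed

        options.LoginPath = "/Account/Login";
        options.AccessDeniedPath = "/Account/AccessDenied";

        // Re-check the account on each request so a disabled user loses access at once
        // rather than when the cookie finally expires.
        options.Events.OnValidatePrincipal = async context =>
        {
            var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            var status = context.HttpContext.RequestServices.GetRequiredService<IUserStatus>();
            if (userId is null || status.IsDisabled(userId))
            {
                context.RejectPrincipal();
                await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });

var app = builder.Build();

// Baseline for every cookie the app writes, including those from other middleware.
app.UseCookiePolicy(new CookiePolicyOptions
{
    MinimumSameSitePolicy = SameSiteMode.Lax,
    Secure = CookieSecurePolicy.Always,
    HttpOnly = HttpOnlyPolicy.Always
});
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (ClaimsPrincipal user) => user.Identity?.IsAuthenticated == true ? "signed in" : "anonymous");
app.Run();

public interface IUserStatus
{
    bool IsDisabled(string userId);
}

// Stand-in for a real user store, constructed for this example.
public sealed class InMemoryUserStatus : IUserStatus
{
    private readonly HashSet<string> _disabled = new() { "user-99" };
    public bool IsDisabled(string userId) => _disabled.Contains(userId);
}
```

A request carrying an otherwise valid cookie for "user-99" is rejected and signed out by OnValidatePrincipal, while the cookie policy middleware ensures that a cookie set elsewhere in the pipeline without Secure or HttpOnly is corrected before it leaves the server.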
Conclusion
To summarise, the framework contains several built-in security capabilities that help developers build safe and secure applications. Use these features to defend your apps against common security threats and vulnerabilities.