{"id":12093,"date":"2025-12-18T10:16:47","date_gmt":"2025-12-18T10:16:47","guid":{"rendered":"https:\/\/putridparrot.com\/blog\/?p=12093"},"modified":"2025-12-18T10:16:47","modified_gmt":"2025-12-18T10:16:47","slug":"looking-at-security-features-and-the-web","status":"publish","type":"post","link":"https:\/\/putridparrot.com\/blog\/looking-at-security-features-and-the-web\/","title":{"rendered":"Looking at security features and the web"},"content":{"rendered":"<p>Let&#8217;s take a look at various security features around web technologies. I&#8217;ll be concentrating on their use in ASP.NET, but the information should be valid for other frameworks too.<\/p>\n<p><em>Note: We&#8217;ll look at some code for implementing this in a subsequent set of posts.<\/em><\/p>\n<p><strong>Authentication and Authorization<\/strong><\/p>\n<p>We&#8217;re talking Identity, JWT, OAuth, OpenID Connect.<\/p>\n<p>Obviously the use of proper authentication and authorisation ensures only legitimate users have access to resources, and enforcing least privilege and role-based access ensures authenticated users can only access resources befitting their privileges.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A01<\/em> Broken Access Control and improper enforcement of permissions<\/li>\n<li><em>A07<\/em> Identification and Authentication failures, weak or missing authentication flows<\/li>\n<\/ul>\n<p><strong>Data protection API (DPAPI) \/ ASP.NET Core Data Protection<\/strong><\/p>\n<p>This is designed to protect &#8220;data at rest&#8221;, such as cookies, tokens, CSRF keys etc., 
and provides key rotation and encryption services.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A02<\/em> Cryptographic failures, weak or missing encryption of sensitive data<\/li>\n<\/ul>\n<p><strong>HTTPS Enforcement and HSTS<\/strong><\/p>\n<p>This forces an encrypted transport layer and prevents protocol downgrade attacks.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A02<\/em> Cryptographic failures, sensitive data exposure<\/li>\n<li><em>A05<\/em> Security misconfigurations, missing TLS or insecure defaults<\/li>\n<\/ul>\n<p><strong>Anti-Forgery Tokens (CSRF Protection)<\/strong><\/p>\n<p>This prevents cross-site request forgery by validating user intent.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A01<\/em> Broken access control<\/li>\n<li><em>A05<\/em> Security misconfigurations<\/li>\n<li><em>A08<\/em> Software and Data integrity failures, such as session integrity<\/li>\n<\/ul>\n<p><strong>Input Validation and Model Binding Validation<\/strong><\/p>\n<p>This prevents malformed or malicious input from reaching the business logic.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A03<\/em> Injection, such as SQL, NoSQL and command injection<\/li>\n<li><em>A04<\/em> Insecure design, lacking validation rules<\/li>\n<li><em>A05<\/em> Security misconfigurations<\/li>\n<\/ul>\n<p><strong>Output Encoding<\/strong><\/p>\n<p>This prevents untrusted data from being rendered as markup; for example, it covers things like Razor, Tag Helpers and HTML Encoders.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A03<\/em> Injection<\/li>\n<li><em>A05<\/em> Security misconfigurations<\/li>\n<li><em>A06<\/em> Vulnerable and outdated components<\/li>\n<\/ul>\n<p><strong>Security Headers<\/strong><\/p>\n<p>Covers things such as CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy, and mitigates XSS, clickjacking, MIME sniffing and data leakage.<\/p>\n<p><em>OWASP provides explicit guidance on recommended 
headers.<\/em><\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A03<\/em> Injection, CSP reduces XSS<\/li>\n<li><em>A05<\/em> Security misconfigurations, missing headers<\/li>\n<li><em>A09<\/em> Security logging and monitoring failures, via reporting endpoints<\/li>\n<\/ul>\n<p><strong>Rate limiting and throttling<\/strong><\/p>\n<p>This is included as ASP.NET built-in middleware, but needs to be enabled.<\/p>\n<p>This prevents brute force, credential stuffing and resource exhaustion attacks.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A07<\/em> Identification and Authentication failures<\/li>\n<li><em>A10<\/em> Server-side request forgery (SSRF), limiting abuse<\/li>\n<li><em>A04<\/em> Insecure design, lack of abuse protection<\/li>\n<\/ul>\n<p><strong>CORS (Cross\u2011Origin Resource Sharing)<\/strong><\/p>\n<p>This controls which origins can access APIs and prevents unauthorized cross-site API calls.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A05<\/em> Security misconfiguration<\/li>\n<li><em>A01<\/em> Broken access control<\/li>\n<\/ul>\n<p><strong>Cookie Security<\/strong><\/p>\n<p>Protects session cookies from theft or misuse.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A07<\/em> Identification and Authentication failures<\/li>\n<li><em>A02<\/em> Cryptographic Failures<\/li>\n<li><em>A01<\/em> Broken access control<\/li>\n<\/ul>\n<p><strong>Dependency Management<\/strong><\/p>\n<p>When using third-party dependencies via NuGet, NPM etc., 
we need to ensure libraries are patched and up to date.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A06<\/em> Vulnerable and outdated components<\/li>\n<\/ul>\n<p><strong>Logging and Monitoring<\/strong><\/p>\n<p>This covers things like Serilog, Application Insights, built-in logging etc.<\/p>\n<p>Used to detect suspicious activities, as well as to support incident response.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A09<\/em> Security Logging and monitoring failures<\/li>\n<\/ul>\n<p><strong>Secure deployment and configuration<\/strong><\/p>\n<p>This covers all forms of configuration, including appsettings.json, key vault, environment separation etc.<\/p>\n<p>Here we want to prevent secrets being exposed and enforce secure defaults.<\/p>\n<p>OWASP risks mitigation:<\/p>\n<ul>\n<li><em>A05<\/em> Security misconfiguration<\/li>\n<li><em>A02<\/em> Cryptographic Failures<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Let&#8217;s take a look at various security features around web technologies. I&#8217;ll be concentrating on their use in ASP.NET, but the information should be valid for other frameworks too. Note: We&#8217;ll look at some code for implementing this in a subsequent set of posts. 
Authentication and Authorization We&#8217;re talking Identity, JWT, OAuth, Open ID [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[128,198,224,356],"tags":[],"class_list":["post-12093","post","type-post","status-publish","format-standard","hentry","category-asp-net","category-security","category-web","category-web-api"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/12093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/comments?post=12093"}],"version-history":[{"count":5,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/12093\/revisions"}],"predecessor-version":[{"id":12104,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/posts\/12093\/revisions\/12104"}],"wp:attachment":[{"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/media?parent=12093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/categories?post=12093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/putridparrot.com\/blog\/wp-json\/wp\/v2\/tags?post=12093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}