Tag Archives: Security

Improving application security in an ASP.NET Core API using HTTP headers – Part 3

This article shows how to improve the security of an ASP.NET Core Web API application by adding security headers to all HTTP API responses. The security headers are added using the NetEscapades.AspNetCore.SecurityHeaders Nuget package from Andrew Lock. The headers are used to protect the session, not for authorization. The application uses Microsoft.Identity.Web to authorize the […]

Improving application security in Blazor using HTTP headers – Part 2

This article shows how to improve the security of an ASP.NET Core Blazor application by adding security headers to all HTTP Razor Page responses (Blazor WASM hosted in a ASP.NET Core hosted backend). The security headers are added using the NetEscapades.AspNetCore.SecurityHeaders Nuget package from Andrew Lock. The headers are used to protect the session, not […]

The authentication pyramid

This article looks at the authentication pyramid for signing into different applications. I only compare flows which have user interaction and only compare the 2FA, MFA differences. A lot of incorrect and aggressive marketing from large companies are blurring out the differences so that they can sell their products and so on. When you as […]

Require user password verification with ASP.NET Core Identity to access Razor Page

This post shows how an ASP.NET Core application which uses ASP.NET Core Identity to authenticate and authorize users of the application can be used to require user password verification to view specific Razor pages in the application. If the user opens one of the Razor pages which require a password verification to open the page, […]

Securing an ASP.NET Core API which uses multiple access tokens

This post shows how an ASP.NET Core API can authorize API calls which use different access tokens from different identity providers or different access tokens from the same identity provider but created for different clients and containing different claims. The access tokens are validated using JWT Bearer authentication as well as an authorization policy which […]

Using Microsoft Graph API in ASP.NET Core

This post shows how Microsoft Graph API can be used in both ASP.NET Core UI web applications and also ASP.NET Core APIs for delegated identity flows. The ASP.NET Core applications are secured using Microsoft.Identity.Web. In the API project, the Graph API client is used in a delegated flow with user access tokens getting an access […]

Securing Azure Key Vault inside a VNET and using from an Azure Function

This post shows how an Azure Key Vault can be protected inside an Azure virtual network. The deployment is setup so that only applications in the same VNET can access the Key Vault. To implement this, the access to the Key Vault is restricted to the VNET and secondly, the applications accessing the Key Vault […]

Securing Azure Functions using an Azure Virtual Network

In this post, an Azure Function is deployed in a Azure Virtual Network and the access to the Azure Function is restricted so that it cannot be reach from the Internet. Only Applications deployed in the same VNET can access the Azure Functions. Code: https://github.com/damienbod/AzureFunctionsSecurity Blogs in the series Securing Azure Functions using API Keys […]

Encrypting texts for an Identity in ASP.NET Core Razor Pages using AES and RSA

The article shows how encrypted texts can be created for specific users in an ASP.NET Core Razor page application. Symmetric encryption is used to encrypt the text or the payload. Asymmetric encryption is used to encrypt the AES key and the IV of the symmetric encryptions. Each ASP.NET Core Identity has an associated X509Certificate2 with […]

Securing Azure Functions using API Keys

This article shows how to secure Azure Functions using API Keys. This is useful, if you have no control over the API client implementation, the client code base cannot be easily changed or the client is not Azure hosted. This should only be used with trusted clients and is for machine to machine usage. Code: […]