29 Improving your application’s security


This chapter covers

  • Defending against cross-site scripting attacks
  • Protecting from cross-site request forgery attacks
  • Allowing calls to your API from other apps using CORS
  • Avoiding attack vectors such as SQL injection attacks

In chapter 28 you learned how and why you should use HTTPS in your application: to protect your HTTP requests from attackers. In this chapter we look at more ways to protect your application and your application’s users from attackers. Because security is an extremely broad topic that covers lots of avenues, this chapter is by no means an exhaustive guide. It’s intended to make you aware of some of the most common threats to your app and how to counteract them, and also to highlight areas where you can inadvertently introduce vulnerabilities if you’re not careful.

Tip

I strongly advise exploring additional resources around security after you’ve read this chapter. The Open Web Application Security Project (OWASP) (www.owasp.org) is an excellent resource. Alternatively, Troy Hunt has some excellent courses and workshops on security, geared toward .NET developers (https://www.troyhunt.com).

29.1 Defending against cross-site scripting (XSS) attacks

29.2 Protecting from cross-site request forgery (CSRF) attacks

29.3 Calling your web APIs from other domains using CORS

29.3.1 Understanding CORS and how it works

29.3.2 Adding a global CORS policy to your whole app

29.3.3 Adding CORS to specific endpoints with EnableCors metadata

29.3.4 Configuring CORS policies

29.4 Exploring other attack vectors

29.4.1 Detecting and avoiding open redirect attacks

29.4.2 Avoiding SQL injection attacks with EF Core and parameterization

29.4.3 Preventing insecure direct object references

29.4.4 Protecting your users’ passwords and data
