.Net Core

A Complete Guide to Secure your Asp.Net Core Web Application & API

With every new .Net Core update, Microsoft has shown that .Net Core is a powerful, versatile and complete framework for developing web, desktop, mobile and cloud-based applications. Unlike a desktop or mobile application, a web application runs at a publicly reachable address, which is one reason the security of a web application matters so much. Although Asp.Net Core is built with good security practices, there are still some vulnerabilities we need to close before and after launching our Asp.Net Core application.

In this article, we’ll look at some security holes in an Asp.Net Core web application and their possible solutions. Let’s start by listing some of the important points for securing our .Net Core application.

  1. Make your Login more secure
  2. Always submit sensitive data using Encryption
  3. Don’t forget to clear Cookies when logout
  4. Always use SSL
  5. Never keep sensitive data in clear form in your Database
  6. Audit Trails or Logging is also Important
  7. Never display original Technical error to the End-User
  8. Cross-Site Scripting (XSS)
  9. Try to Hide your .Net Core Version
  10. Cross-Site Request Forgery (CSRF)
  11. LINQ can protect from SQL Injection
  12. Streams Deserialization can be tempered
  13. Always keep your Framework & Libraries Updated

1. Make your Login more secure

The login page is the front door of any application. Consider an admin panel: if an unauthorized person gets access to it, they can control the whole system. So your first step should always be to make your login secure.

Here are some tips to secure the entry point of your application.

Use Complex Login Credentials

Never use usernames like admin or passwords like 12345 or your own name. Anyone can guess them, and bots will guess such credentials even faster than a human.

Secure Your Login from Brute Force attacks

Brute force attacks are the most common type of attack: they use different algorithms to try many username and password combinations in order to guess the login credentials. Many login attempts can also keep your server busy, causing denial of service (DoS) and downtime for the real users of your application.

Brute force attacks guess simple usernames and passwords quickly, but they can also reach complex combinations by trying every possibility.

So, how do we secure our Asp.Net application from brute force attacks?

Here are some tips to prevent brute force:

  • Use a captcha on your login page, because bots cannot fill in a captcha.
  • Temporarily block an IP address after a number of failed login attempts.
  • Avoid common usernames like admin or user, because brute force tools maintain a database and try common usernames and passwords first.
  • Make your password really difficult to guess by including letters (A-Z and a-z), digits (0-9) and special characters (!, @, ., #, $, %, ^, &, * and more).

How to implement the above suggestions?

The suggestions above may look difficult to implement for beginner Asp.Net Core developers, but don’t worry: there is a great library (HackerSpray) available that will do the job of protecting you from brute force attacks. Only a simple configuration is required.

Always use .Net Core Identity Feature

Asp.Net Core has many built-in libraries and tools to secure your applications. Its Identity feature, which handles authentication and authorization, is one of Microsoft’s great implementations: it provides a complete login and sign-up setup that follows best security practices.
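As an added example (not code from the article or from the HackerSpray project), here is how the lockout and password-policy advice above maps onto ASP.NET Core Identity itself. The `ApplicationUser`, `ApplicationDbContext` and `LoginViewModel` types are hypothetical names defined only so the example compiles; the lockout and password values are illustrative choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical application types, named here only so the example compiles.
public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            // Lockout: five wrong passwords lock the account for fifteen minutes.
            // The counter is per account, so it also slows guessing that is spread
            // over many source IPs, which a plain IP block does not stop.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);

            // Password policy along the lines the article recommends.
            options.Password.RequiredLength = 12;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequiredUniqueChars = 4;
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

        services.AddControllersWithViews();
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly ILogger<AccountController> _logger;

    public AccountController(SignInManager<ApplicationUser> signInManager, ILogger<AccountController> logger)
    {
        _signInManager = signInManager;
        _logger = logger;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // lockoutOnFailure: true is what makes the Lockout options above count a
        // failed attempt; with the default (false) the counter never moves.
        var result = await _signInManager.PasswordSignInAsync(
            model.UserName, model.Password, model.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");

        if (result.IsLockedOut)
        {
            // Audit trail entry of the kind the logging section of the article asks for.
            _logger.LogWarning("Account {UserName} locked out after repeated failed logins from {Ip}",
                model.UserName, HttpContext.Connection.RemoteIpAddress);
            return View("Lockout");
        }

        // One generic message for a wrong password and an unknown user, so the
        // form does not confirm which usernames exist.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
```

The account lockout complements, rather than replaces, a captcha or temporary IP block: the lockout limits guesses against one account, while the captcha and IP block limit the volume of requests any one client can send.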

2. Always submit sensitive data using Encryption

Never send sensitive data like passwords or credit card details to the server in clear form for validation. Hackers can steal your data by sniffing it on its way to the server.

Always use a hashing algorithm like MD5 or SHA256 for passwords and an encryption algorithm like AES or DES on the client side, e.g. using jQuery.

3. Don’t forget to clear Cookies when logout

On login to an Asp.Net Core application, we keep some necessary data in the session to keep the user logged in until they log out. In some apps we set a session timeout, and sometimes we set none when the user ticks a checkbox on the login page saying they want to stay logged in.

At the same time, the .AspNetCore.Session cookie is added to the browser to keep track of the logged-in user.

So when we log out, we also need to remove the cookies our application created in the user’s browser, because a hacker could use that information for an unauthorized login. This is also called a Session Fixation attack.
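An added example (not from the article) of a logout action that does all three things the section calls for: clears the server-side session, signs out of cookie authentication, and deletes the application’s own cookies from the browser. It assumes `services.AddSession()` / `app.UseSession()` and cookie authentication are configured; `.AspNetCore.Session` is the framework’s default session cookie name, and `RememberMe` is a hypothetical cookie name standing in for whatever your app sets.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // logout via POST with a token, so a third-party page cannot trigger it with a plain link
    public async Task<IActionResult> Logout()
    {
        // 1. Drop the server-side session data. Deleting the cookie alone is not
        //    enough: the session store would still hold the data for its timeout.
        HttpContext.Session.Clear();

        // 2. Sign out of the cookie authentication scheme, which clears the auth cookie.
        //    With ASP.NET Core Identity, SignInManager.SignOutAsync() does the same job.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // 3. Explicitly delete the remaining cookies so no stale identifier lingers.
        //    ".AspNetCore.Session" is the default session cookie name (configurable via
        //    SessionOptions.Cookie.Name); "RememberMe" is a hypothetical app cookie.
        Response.Cookies.Delete(".AspNetCore.Session");
        Response.Cookies.Delete("RememberMe");

        return RedirectToAction("Login");
    }
}
```

`Response.Cookies.Delete` works by sending an expired cookie with the same name, so if a cookie was issued with a non-default `Path` or `Domain`, pass a matching `CookieOptions` to the overload that accepts one; otherwise the browser keeps the original.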

4. Always use SSL

SSL stands for Secure Sockets Layer. It encrypts the communication between client and server using a very strong key.

So, in the Startup.cs of your Asp.Net Core application, you can set cookies to always use the Secure policy.
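The Startup.cs configuration the sentence refers to, written out as an added example (not the article’s code). Besides marking every cookie `Secure`, it redirects plain HTTP to HTTPS and sends an HSTS header; the HSTS duration and redirect status code are illustrative choices.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Every cookie the app issues gets Secure (sent over HTTPS only), HttpOnly
        // (not readable by page scripts) and at least a Lax SameSite restriction.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.Always;
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });

        // HSTS: browsers that have seen this header refuse plain HTTP for the host
        // for MaxAge, so a downgrade to http:// is blocked on the client side.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            options.Preload = true;
        });

        // Any http:// request is answered with a permanent redirect to https://.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443;
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // HSTS is cached by browsers and awkward to undo, so keep it out of local development.
            app.UseHsts();
        }
        app.UseHttpsRedirection();
        app.UseCookiePolicy();   // applies the CookiePolicyOptions above to outgoing cookies
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The encrypted channel this enables is TLS; which protocol versions Kestrel will negotiate can be restricted with `ConfigureHttpsDefaults` on the Kestrel options (setting `SslProtocols` to TLS 1.2 and TLS 1.3), or at the reverse proxy if one terminates TLS in front of the app.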

5. Never keep sensitive data in clear form in your Database

Almost every web application has a database for storing user data, and most of the time hackers attack the server to steal that data. Suppose you have stored your users’ credentials, such as passwords and payment details, in your database in clear form: anyone who gets unauthorized access to your database can then misuse your users’ data.

So always store your sensitive data in the database using hashing or encryption.
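An added example (not the article’s code) of the two storage forms this section mentions, applied to the two kinds of data it names: passwords get a salted, slow, one-way hash (PBKDF2), and data the application genuinely has to read back, such as a payment token, gets authenticated encryption (AES-GCM). It assumes .NET 6 or later for the static `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes` helpers; the iteration count is an illustrative value, and the encryption key is assumed to come from a secret store outside the database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretStorage
{
    // ---- Passwords: one-way salted hash. Nothing here can recover the password. ----
    private const int SaltSize = 16;        // 128-bit random salt, unique per user
    private const int HashSize = 32;        // 256-bit derived value
    private const int Iterations = 210_000; // illustrative; tune so one hash costs tens of ms on your server

    // Stored as "iterations.salt.hash" so the work factor can be raised later
    // and old rows still verify with the count they were created with.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison: an ordinary == returns early on the first differing
        // byte and leaks, through timing, how much of the hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // ---- Data the app must read back (e.g. a payment token): authenticated encryption. ----
    // key: 32 random bytes for AES-256, loaded from a secret store, never from the same database.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes, fresh per message
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[data.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize]; // 16-byte tag: tampering is detected on decrypt
        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, data, cipher, tag);

        // Stored layout: nonce || tag || ciphertext. None of these needs to be secret.
        byte[] blob = new byte[nonce.Length + tag.Length + cipher.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, nonce.Length);
        Buffer.BlockCopy(tag, 0, blob, nonce.Length, tag.Length);
        Buffer.BlockCopy(cipher, 0, blob, nonce.Length + tag.Length, cipher.Length);
        return blob;
    }

    public static string Decrypt(byte[] key, byte[] blob)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize, tagLen = AesGcm.TagByteSizes.MaxSize;
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, nonceLen);
        ReadOnlySpan<byte> tag = blob.AsSpan(nonceLen, tagLen);
        ReadOnlySpan<byte> cipher = blob.AsSpan(nonceLen + tagLen);
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(key);
        aes.Decrypt(nonce, cipher, tag, plain); // throws CryptographicException if the blob was altered
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample values for a stand-alone run.
        string record = HashPassword("correct horse battery staple");
        Console.WriteLine(VerifyPassword("correct horse battery staple", record)); // the right password verifies
        Console.WriteLine(VerifyPassword("wrong password", record));               // a wrong one does not

        byte[] key = RandomNumberGenerator.GetBytes(32); // demo key; in production load it from a secret store
        byte[] blob = Encrypt(key, "tok_constructed_sample_payment_token");
        Console.WriteLine(Decrypt(key, blob));
    }
}
```

ASP.NET Core Identity’s built-in `PasswordHasher<TUser>` already performs a salted PBKDF2 hash of this shape, so applications using Identity get the password half for free; the point of writing it out is to show why a database dump of such rows gives an attacker work to do per user, whereas an encrypted column gives them everything the moment the key is found.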

6. Audit Trails or Logging is also Important

Audit trails or activity logging are really important for knowing what is going on in your application. If an account sees many failed login attempts, the admin should receive an email about them.

Say a user creates a new user or changes the roles of an existing user: each and every such activity should be logged in your Asp.Net Core application.

7. Never display original Technical error to the End User

Some exceptions can disclose important information about our application, and sometimes they even show a few lines of code to the end user. Attackers are smart; they can use the information in our exceptions to break the security of our application.

So before deploying your application in production mode, make sure you have set a custom error page for all kinds of exceptions and have proper error logging in your application.
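An added example (not the article’s code) of the production/development split this section asks for: the developer exception page stays confined to development, and in production an exception handler logs the full exception server-side while the response carries only a generic message and a correlation id. The `/Error/{0}` route is a hypothetical status-code page in your app.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILogger<Startup> logger)
    {
        if (env.IsDevelopment())
        {
            // Stack traces, source lines and request data: useful locally, never in production.
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler(errorApp =>
            {
                errorApp.Run(async context =>
                {
                    // The original exception and request path are available to the handler
                    // through this feature; they go to the log, not to the response.
                    var feature = context.Features.Get<IExceptionHandlerPathFeature>();
                    logger.LogError(feature?.Error,
                        "Unhandled exception on {Path} (TraceIdentifier {TraceId})",
                        feature?.Path, context.TraceIdentifier);

                    context.Response.StatusCode = StatusCodes.Status500InternalServerError;
                    context.Response.ContentType = "text/plain";
                    // Only the correlation id leaves the server: support can find the log
                    // entry, while the exception type, message and stack stay internal.
                    await context.Response.WriteAsync(
                        $"Something went wrong. Reference: {context.TraceIdentifier}");
                });
            });

            // 404, 403 and other status codes also get an application page instead of
            // the framework's default output. "/Error/{0}" is a hypothetical route.
            app.UseStatusCodePagesWithReExecute("/Error/{0}");
        }

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The same rule applies to Web API responses: return a `ProblemDetails` body with a generic title rather than serializing the exception, since JSON clients are just as able to read a stack trace as a browser is.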

8. Cross-Site Scripting (XSS)

In XSS attacks, hackers submit malicious scripts via input fields to steal users’ credentials and other important data.

Say we have an Add Product form in our application. An attacker adds a new product and, in the product description field, simply inserts a JavaScript snippet. When our application displays that product on the product page with its description, the attacker’s malicious script also runs, and they get the data they planned for.

I found the image below in Cloudflare’s article about XSS; it will help you understand XSS easily.


So, how do we secure our Asp.Net Core application from cross-site scripting attacks?

You can secure your web application by following these tips:

  • Validate input with regular expressions on both client and server side, and only store validated data in your database.
  • HTML encoding with Razor prevents such scripts from executing.
  • XSS can also be carried out through URL parameters, so validate and encode URL parameters using UrlEncoder.
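The three tips above, shown together in an added example (not the article’s code) built on the `System.Text.Encodings.Web` encoders that Razor uses under the hood. The product-description input is a constructed sample, and the allow-list regular expression for a product name is an illustrative policy, not a general-purpose filter.

```csharp
using System;
using System.Text.Encodings.Web;
using System.Text.RegularExpressions;

public static class XssDefences
{
    // Constructed sample: the kind of value a product description field might receive.
    public const string Untrusted = "Nice mug <script>alert('xss')</script>";

    // Output context 1: HTML body text. Razor's @Model.Description applies exactly
    // this encoding; @Html.Raw(Model.Description) would skip it and let the script run.
    public static string ForHtml(string value) => HtmlEncoder.Default.Encode(value);

    // Output context 2: a value placed into a URL, e.g. a ?q= query parameter or a
    // path segment. HTML encoding is the wrong tool here; UrlEncoder percent-encodes.
    public static string ForUrl(string value) => UrlEncoder.Default.Encode(value);

    // Output context 3: a value embedded inside a <script> block or inline handler.
    // JavaScriptEncoder escapes quotes and the "</" sequence that would close the block.
    public static string ForJavaScript(string value) => JavaScriptEncoder.Default.Encode(value);

    // Input validation (server side; the same pattern can run in the browser): allow-list
    // the characters a product name may contain and reject the rest with a validation
    // error. This reduces what reaches the database but does not replace output encoding,
    // because a value may be rendered in a context the validation never anticipated.
    private static readonly Regex ProductName = new Regex(@"^[\p{L}\p{N} .,'-]{1,80}$");
    public static bool IsValidProductName(string value) => value != null && ProductName.IsMatch(value);

    public static void Main()
    {
        Console.WriteLine(ForHtml(Untrusted));
        Console.WriteLine(ForUrl(Untrusted));
        Console.WriteLine(ForJavaScript(Untrusted));
        Console.WriteLine(IsValidProductName(Untrusted));          // rejected: contains < > ( ) /
        Console.WriteLine(IsValidProductName("Coffee Mug 350ml")); // accepted
    }
}
```

Picking the encoder by output context is the part that matters: the same stored string needs `ForHtml` when written between tags, `ForUrl` when it becomes part of a link, and `ForJavaScript` when a view drops it into script, and a value encoded for one context is not safe in another.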

Here’s a great article by Microsoft on securing our app from XSS.

I’ll explain the remaining points in the next part of this article, so please keep reading by clicking the Next Part button below.




  1. 1. Add: use a strong password hash algorithm like PBKDF2 or Rfc2898DeriveBytes to ensure a password hash is *slow* for a computer, e.g. 250ms. This kills brute force attacks even if bad actors somehow get the password hashes.

    4. *no no no*!! SSL v1, v2 and v3 are *all now broken*. Use TLS 1.2 or later as a minimum. SSL should be disabled server wide. Stop referring to the HTTPS protocol as SSL. People will continue to configure insecure systems due to referring to the relevant technologies incorrectly.

    Other than that, good article.

    Please update your article as it is linked to via some decent .net must read lists.

  2. Extra addition.

    2. MD5 is also broken. SHA512 if available in your situation (e.g. browser and backend), SHA256 otherwise. SHA512 (don’t forget to mention salting; must salt all hashes) cannot have a dictionary constructed, ever! It has more numbers than atoms in the observable universe.

    No to DES (broken easily with hashcat); 3DES is also old. AES was designed to replace DES, so use that.

    Yes… AES256.

    N.B. Google an encryption strength calculator. Plug in your algorithms and bit sizes. It will tell you how long before computer power reaches the speed to break it. 30 years is considered safe.

    This means that EC521, RSA4000 and SHA512 are about the only 3 that can reach that. All others will be breached prior for any long term encrypted data.

    AES256 is slightly problematic because you cannot feed a SHA512 hash in as the key. There isn’t an AES512 in .net Core yet, even though there is a standard.

  3. 5. Don’t encrypt passwords in your database *ever*. Only ever use a strong salted hash (per user), e.g. a guid assigned to each user row.

    There is never a need to decrypt a password. If password verification is needed (say in a call centre), then the entry field should hash and then compare the hashes.

    If your app is compromised, and you used encryption, then every username and password is automatically recoverable through decryption.

    I think jail time for breached systems that are designed with encrypted passwords is warranted for the system designers.

    All of those breached systems you hear about happening…that’s a result of choosing encryption over salted hashing with sufficient strength.
