This is the 2nd Part of my Article on 13 Tips to secure your Asp.Net Core Application. We have already explained 8 Tips from 13, we’ll see remaining in this part of the Article.
So, Let’s start from 9th Point to Secure your Asp.Net Core Application.
9. Try to Hide your .Net Core Version
In every HTTP response from the server that we receive in return of our request sent from a browser, there’s always the version information in which application is developed. Such information makes the Attacker’s Job easier by saving time & targeting the specific .Net Version.
So, It’s necessary to throw more hurdles for Hackers & make it more difficult for him by hiding .Net Framework Version Information.
Here’s how to Hide .Net Core Version:
- Remove X-Powered-By from your Response header.
- NWebsec.AspNetCore.Middleware is a great Library for Securing headers.
- Set
AddServerHeader = falsefor removing Server: Kestrel header.
You can remove X-Powered-By using this simple snippet in your web.config
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
10. Cross-Site Request Forgery
Do you know the purpose of [ValidateAntiForgeryToken] Attribute in your .Net Core Web APIs & might be possible that you have seen this Code asp-antiforgery="true" in your cshtml File as well.
First, understand the CSRF then we’ll try to understand the purpose of the above tag & attribute.
Let say you are using the e-banking facility of your bank account for sending some money to your friend & suddenly you receive a link on FaceBook from a lady with a beautiful Display Picture. When you open that link It asks you to click here to earn $1000. You just click & because you are logged in & authorized to use your e-banking, that malicious link runs the script & send money from your account to Hacker’s Account.
The Below Image will help you to understand CSRF.
How to Secure your Application from CSRF?
asp-antiforgery="true"generates an anti-forgery token & [ValidateAntiForgeryToken] validates on the server-side that if the Token is valid or not & secure us from Cross-Site Request Forgery.
11. LINQ can protect from SQL Injection
SQL Injections are one of the most commonly used tricks to harm users’ data from years.
In this technique, the Attacker put some condition or special characters in the input field which cause to change the execution of the whole query.
Here’s an example to understand what is SQL Injection.
How to secure our Asp.Net Core Application from SQL Injections?
Here’re some Tips:
- Use Entity Framework Core.
- Always use parameterized queries.
- Must Validate your Inputs on Server Side.
- Use Stored Procedures.
12. Streams Deserialization can be tempered
Deserialization is the reverse of Serialization, which is the process of converting an object into streams of bytes. Serialization is always done on our server end for transferring or storing objects but we deserialize the data received in our application from different sources.
So, we can receive some harmful streams.
To protect our applications from such Attackers, we need to verify our data before & after deserialization.
13. Always keep your Framework & Libraries Updated
Always keep your Framework & Libraries used in your project Updated. Never use outdated Libraries in your Project because Hackers keeps finding the Vulnerabilities in Frameworks & Libraries.
Check for updates for the NuGet packages used in your project & keep all packages updated.
Conclusion
Nothing is 100% secure, we have to make our application secure by following the best security practices. Although .Net Core is considered to be one of the most secure Framework but still we have to keep an eye on the activities on our application & take quick action in case of any malicious activity.
Thank you for reading my Article, I hope it will help you to make your Asp.Net Core app more secure.
I’ll be happy If you would like to give your Feedback in the comment section below.
Here’re some more articles, you might be interested:
– TOP OPEN SOURCE ASP.NET CORE CONTENT MANAGEMENT SYSTEM (CMS)
– CREATING DYNAMIC USER-DEFINED DASHBOARDS USING ASP.NET CORE
