| title | author | description | ms.author | ms.date | uid |
|---|---|---|---|---|---|
Overview of ASP.NET Core Security |
tdykstra |
Learn about authentication, authorization, and security basics in ASP.NET Core. |
tdykstra |
11/01/2017 |
security/index |
ASP.NET Core enables developers to easily configure and manage security for their apps. ASP.NET Core contains features for managing authentication, authorization, data protection, SSL enforcement, app secrets, anti-request forgery protection, and CORS management. These security features allow you to build robust yet secure ASP.NET Core apps.
ASP.NET Core provides many tools and libraries to secure your apps including built-in Identity providers but you can use 3rd party identity services such as Facebook, Twitter, or LinkedIn. With ASP.NET Core, you can easily manage app secrets, which are a way to store and use confidential information without having to expose it in the code.
Authentication is a process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, users authenticate successfully, and can then perform actions that they're authorized for, during an authorization process. The authorization refers to the process that determines what a user is allowed to do.
Another way to think of authentication is to consider it as a way to enter a space, such as a server, database, app or resource, while authorization is which actions the user can perform to which objects inside that space (server, database, or app).
ASP.NET Core and EF contain features that help you secure your apps and prevent security breaches. The following list of links takes you to documentation detailing techniques to avoid the most common security vulnerabilities in web apps:
- Cross-site scripting attacks
- SQL injection attacks
- Cross-Site Request Forgery (CSRF)
- Open redirect attacks
There are more vulnerabilities that you should be aware of. For more information, see the section in this document on ASP.NET Core Security Documentation.
- Authentication
- Introduction to Identity
- Enable authentication using Facebook, Google, and other external providers
- Enable authentication with WS-Federation
- Configure Windows Authentication
- Account confirmation and password recovery
- Two-factor authentication with SMS
- Use cookie authentication without Identity
- Azure Active Directory
- Secure ASP.NET Core apps with IdentityServer4
- Authorization
- Introduction
- Create an app with user data protected by authorization
- Simple authorization
- Role-based authorization
- Claims-based authorization
- Policy-based authorization
- Dependency injection in requirement handlers
- Resource-based authorization
- View-based authorization
- Limit identity by scheme
- Data protection
- Introduction to data protection
- Get started with the Data Protection APIs
- Consumer APIs
- Consumer APIs Overview
- Purpose strings
- Purpose hierarchy and multi-tenancy
- Hash passwords
- Limit the lifetime of protected payloads
- Unprotect payloads whose keys have been revoked
- Configuration
- Configure data protection
- Default settings
- Machine-wide policy
- Non DI-aware scenarios
- Extensibility APIs
- Core cryptography extensibility
- Key management extensibility
- Miscellaneous APIs
- Implementation
- Authenticated encryption details
- Subkey derivation and authenticated encryption
- Context headers
- Key management
- Key storage providers
- Key encryption at rest
- Key immutability and settings
- Key storage format
- Ephemeral data protection providers
- Compatibility
- Replace in ASP.NET
- Create an app with user data protected by authorization
- Safe storage of app secrets in development
- Azure Key Vault configuration provider
- Enforce SSL
- Anti-Request Forgery
- Prevent open redirect attacks
- Prevent Cross-Site Scripting
- Enable Cross-Origin Requests (CORS)
- Share cookies among apps
- IP safelist