A production-grade, end-to-end encrypted real-time messaging application built with .NET 8 and Angular 18.
- 🔒 AES-256-GCM message encryption at rest — per-message nonce, tamper-evident
- 🛡️ JWT authentication with 15-minute access tokens and 30-day rotating refresh tokens
- ⚡ Real-time messaging via SignalR WebSockets with automatic reconnection
- 👤 BCrypt password hashing (work factor 12)
- 🚦 Rate limiting — 60 messages/min, 10 auth attempts per 5 min
- 📋 Audit trail — every login, connection, and message event logged
- 🔑 Zero-trust security headers (CSP, X-Frame-Options, X-Content-Type-Options)
- 📡 Redis backplane for multi-instance SignalR scaling
- 🔄 Silent JWT refresh with request queuing in Angular interceptor
- 💬 Typing indicators (ephemeral, not persisted)
```
┌─────────────────────────────────────────┐
│           Angular 18 Frontend           │
│  Auth Guard · Chat · SignalR · JWT Int  │
└────────────────┬────────────────────────┘
                 │ HTTPS + WSS (TLS 1.3)
┌────────────────▼────────────────────────┐
│             .NET 8 Web API              │
│  Auth API · Messages API · SignalR Hub  │
│  Rate Limiting · JWT · Security Headers │
└────┬──────────────┬──────────────┬──────┘
     │              │              │
┌────▼─────┐ ┌──────▼──────┐   ┌───▼────┐
│SQL Server│ │    Redis    │   │  Blob  │
│Users/Msgs│ │Cache/Backpl.│   │Storage │
└──────────┘ └─────────────┘   └────────┘
```

| Tool | Version |
|---|---|
| .NET SDK | 8.0+ |
| Node.js | 20+ |
| Angular CLI | 18+ |
| SQL Server | 2019+ |
| Redis | 7+ |
```bash
git clone https://github.com/naimulkarim/SecureChat.git
cd SecureChat
```

Generate required secrets:

```bash
# Generate a 256-bit encryption key (base64)
openssl rand -base64 32

# Generate a JWT signing key (64+ chars)
openssl rand -base64 64
```

Configure appsettings.Development.json (never commit this file):

```json
{
  "ConnectionStrings": {
    "DefaultConnection": "Server=localhost;Database=SecureChat;Trusted_Connection=True;",
    "Redis": "localhost:6379"
  },
  "Jwt": {
    "Key": "<your-64-char-secret>",
    "Issuer": "SecureChat",
    "Audience": "SecureChat"
  },
  "Encryption": {
    "Key": "<your-base64-32-byte-key>"
  },
  "AllowedOrigins": "https://localhost:4200"
}
```

Run migrations and start the API:

```bash
cd SecureChat.API
dotnet ef database update
dotnet run
```

API will be available at https://localhost:7001.

```bash
cd secure-chat-ui
npm install
ng serve
```

App will be available at https://localhost:4200.

```
SecureChat/
├── SecureChat.API/
│   ├── Controllers/
│   │   ├── AuthController.cs
│   │   └── MessagesController.cs
│   ├── Hubs/
│   │   └── ChatHub.cs               ← SignalR real-time hub
│   ├── Models/
│   │   ├── User.cs
│   │   ├── Message.cs
│   │   └── RefreshToken.cs
│   ├── Services/
│   │   ├── AuthService.cs           ← JWT + BCrypt
│   │   ├── MessageService.cs
│   │   ├── EncryptionService.cs     ← AES-256-GCM
│   │   └── AuditService.cs
│   ├── Data/
│   │   └── AppDbContext.cs
│   └── Program.cs                   ← App configuration
│
└── secure-chat-ui/
    └── src/app/
        ├── auth/
        │   ├── auth.service.ts
        │   ├── auth.interceptor.ts  ← Silent JWT refresh
        │   └── auth.guard.ts
        ├── chat/
        │   ├── chat.service.ts      ← SignalR + REST
        │   ├── chat.component.ts
        │   └── chat.models.ts
        └── shared/
```

| Layer | Mechanism |
|---|---|
| Transport | HTTPS + WSS, TLS 1.3 |
| Authentication | JWT (HS256, 15-min expiry) + rotating refresh tokens |
| Passwords | BCrypt, work factor 12 |
| Messages at rest | AES-256-GCM, per-message nonce |
| Authorization | Claim-based, hub access requires valid JWT |
| Rate limiting | Fixed window per endpoint |
| Headers | CSP, X-Frame-Options, X-XSS-Protection, Referrer-Policy |
| Audit | Append-only event log |
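
The "Messages at rest" row above, as an added sketch written for this README and not taken from SecureChat's `EncryptionService.cs`: it shows a fresh nonce per message and how GCM's tag rejects a modified row. The class name `MessageCrypto`, the `nonce || tag || ciphertext` layout and binding the message ID as associated data are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not the project's EncryptionService.
public static class MessageCrypto
{
    private const int NonceSize = 12; // 96-bit GCM nonce
    private const int TagSize = 16;   // 128-bit authentication tag

    // Stored blob layout (assumed): nonce || tag || ciphertext
    public static byte[] Encrypt(byte[] key, string plaintext, string messageId)
    {
        if (key.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key");
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = new byte[NonceSize + TagSize + pt.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        Span<byte> tag = blob.AsSpan(NonceSize, TagSize);
        Span<byte> ct = blob.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce); // fresh per message; never reuse under one key
        using var aes = new AesGcm(key, TagSize);
        // The message ID is authenticated but not encrypted, so a blob
        // copied onto another row fails verification.
        aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(messageId));
        return blob;
    }

    public static string Decrypt(byte[] key, byte[] blob, string messageId)
    {
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("Blob too short");
        byte[] pt = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), pt, Encoding.UTF8.GetBytes(messageId));
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        // Constructed key; stands in for Convert.FromBase64String of Encryption:Key.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        byte[] a = Encrypt(key, "hello", "msg-1");
        byte[] b = Encrypt(key, "hello", "msg-1");
        Console.WriteLine(Decrypt(key, a, "msg-1"));
        // Same plaintext, different nonces, so the stored blobs differ.
        Console.WriteLine(Convert.ToBase64String(a) == Convert.ToBase64String(b));
        a[a.Length - 1] ^= 0x01; // simulate a modified database row
        try { Decrypt(key, a, "msg-1"); }
        catch (CryptographicException) { Console.WriteLine("tamper detected"); }
    }
}
```
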
```bash
# Backend unit tests
cd SecureChat.API.Tests
dotnet test

# Frontend tests
cd secure-chat-ui
ng test
```

```bash
docker-compose up --build
```

A docker-compose.yml with SQL Server, Redis, API, and Angular containers can be added — open an issue if you'd like this included.

MIT — see LICENSE for details.
Naimul Karim — @naimulkarim