SECURITY METHODS FOR WEB APPLICATION DEVELOPMENT IN ASP.NET CORE
DOI: https://doi.org/10.31891/2307-5732-2026-361-69
Keywords: ASP.NET Core, security, information technology, software engineering, software design, web application
Abstract
The article presents methods and key aspects of security issues related to the development of web applications using ASP.NET Core technology. In general, these issues are considered from different points of view, namely access and trust management, protection against injections and cross-site attacks, architectural solutions and isolation.
In modern distributed systems, security rests on the principle of least privilege, which is enforced through Claims-Based Authorisation, a method that is more flexible and precise than traditional role-based authorisation. Access is granted not on the basis of a role name but on the basis of a set of requirements or assertions about the user, which makes fine-grained access control possible. In the context of an application programming interface, the authentication token acts as the trust encapsulation mechanism: it carries cryptographically signed assertions, allowing the application to remain stateless. The open problem here is token revocation and keeping the lifetime of access tokens short so that the risk from a compromised token is minimised.
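As an added illustration of the two mechanisms described above (it is not code from the article), the following minimal ASP.NET Core `Program.cs` validates bearer tokens with a tightened lifetime check and defines claims-based policies instead of role checks. The `Jwt:*` configuration keys, the policy names and the endpoints are assumptions chosen for the example.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Bearer tokens as the trust mechanism: the API stays stateless and trusts only
// tokens whose signature, issuer, audience and lifetime validate. The Jwt:* keys
// are assumed configuration names; the signing key is read from configuration,
// never hard-coded.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        var cfg = builder.Configuration;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = cfg["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = cfg["Jwt:Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Convert.FromBase64String(cfg["Jwt:SigningKey"]!)),
            ValidateLifetime = true,              // expired access tokens are rejected
            ClockSkew = TimeSpan.FromSeconds(30), // tighten the 5-minute default so short-lived tokens stay short
        };
    });

// Claims-based policies: access is decided on asserted claims, not on a role name.
builder.Services.AddAuthorization(options =>
{
    // Fine-grained: requires a specific scope claim carried in the token.
    options.AddPolicy("CanReadReports", p =>
        p.RequireAuthenticatedUser().RequireClaim("scope", "reports:read"));

    // Several claims combined into one decision, which a plain role check cannot express.
    options.AddPolicy("FinanceEditor", p =>
        p.RequireAssertion(ctx =>
            ctx.User.HasClaim("department", "finance") &&
            ctx.User.HasClaim("scope", "reports:write")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoints declare the policy they need; the middleware pipeline enforces it.
app.MapGet("/reports", () => "report data").RequireAuthorization("CanReadReports");
app.MapPost("/reports", () => "created").RequireAuthorization("FinanceEditor");

app.Run();
```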
Defences against the OWASP Top 10 vulnerabilities are built into the framework through secure coding practices. ASP.NET Core uses context-sensitive encoding, for example in Razor Pages, to automatically encode output for its context (HTML encoding). This is the primary line of defence against XSS, because encoding changes how the browser interprets the data. Protection against CSRF attacks is based on synchroniser (anti-forgery) tokens, a cryptographic way of confirming that a request originates from a trusted source. Query parameterisation through object-relational mapping, such as Entity Framework Core, implements a secure data access pattern that minimises the attack surface for SQL injection by separating commands from data.
From a system architecture perspective, ASP.NET Core addresses security issues at the configuration and deployment level. The middleware system allows for the centralised implementation of security policies such as HTTPS redirection and CORS (Cross-Origin Resource Sharing) management, providing aggregated security control at the network level.
Secret management also contributes to security: the modern paradigm requires the complete separation of secrets such as keys and passwords from code and configuration files. ASP.NET Core supports integration with key vaults (secret stores), which implements the ‘do not store secrets in code’ principle and increases security by isolating sensitive information.
Copyright (c) 2026 ОКСАНА ЯШИНА (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.