Collaborate Disseminate
I’m looking into upgrading a .NET software application that encrypts files. At the moment it is doing that by using a fixed key and a specific algorithm in the codebase. Moving the key to a safer place will be my first step.
However, I wan… Continue reading ASP.NET Core Data Protection for long term storage
I am building a web application in which a third party library is used, which transforms the user input into JSON and sends it to an controller action. In this action, we serialize the input using the standard Microsoft serialize from the … Continue reading Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?
I am developing an ASP.NET Core web api project whose only client will be a mobile app developed in Xamarin. There will be no web frontend for the application.
Can CSRF attacks be executed if the user can only login and consume the api f… Continue reading Is CSRF prevention logic required for api that is consumed only by mobile app?
By default, ASP.Net Core configures the login exercise with a couple of things that seem strange to me. I’d like someone who knows more about infosec than I to comment on these please.
First, it sends an email to a user upon registration … Continue reading A couple of questions about ASP.Net Core default implementation for login security
I have a simple code for an input model:
public class MyClass
{
[Required]
public MyEnum? Type { get; set; }
}
Now if I do not send Type as a part of json to the request, I get this error from Web.Api:
“The JSON value coul… Continue reading Does Asp.Net Core exposes too much information for required enums that were not supplied?
I am thinking of using IdentityServer4 for a new project. I am new to this and have done some reading and seen some of the demo clients in action.
Most of the clients in the samples allow login as a User and issue a token.
Requirement
I … Continue reading Using IdentityServer to call API on behalf of a Client not User?
After many years that accepted best practice was to never store keys in a database, but Microsoft now recommends storing the data protection key ring (encrypted with certificate) in the database using EFCore.
My question is, is this actua… Continue reading Why does Microsoft recommend storing the ASP.NET Core DataProtection Key Ring in EFCore?
I am creating a .NET core webapp in C# that takes in a user password and hashes it to be stored on a server. I’m using Rfc2898DeriveBytes along with a randomly generated salt. I’ve read, however, that I should avoid using str… Continue reading How to avoid using System.String with Rfc2898DeriveBytes in C#
I’m porting an app from Node to ASP.NET Core, and discovered that the .NET Core framework doesn’t have a bcrypt implementation. There are community supported bcrypt implementations but they are very old or have not undergone review, like t… Continue reading Alternative to bcrypt in .NET Core?
I am building an API driven application that will have a native login with username and password, and will also need to grant 3rd party access via OAuth/OpenID Connect in the near future.
A pattern I have used in the past is… Continue reading Architecting a solution with native login and 3rd party login via OAuth/OpenID Connect using dotnet core