What is SQL injection and how do you prevent it?

SQL injection is an attack where untrusted input is concatenated into a SQL query, letting an attacker alter the query to read, modify, or destroy data or bypass authentication. Prevent it by never building SQL with string concatenation: use parameterized queries/commands, an ORM like EF Core (which parameterizes), and stored procedures with parameters. Add least-privilege database accounts and input validation as defense in depth.

Explain Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

XSS injects malicious scripts into pages that other users view, stealing cookies/tokens or performing actions as the victim; prevent it with output encoding (Razor encodes by default), input validation, and a Content Security Policy. CSRF tricks an authenticated user's browser into submitting unwanted requests; prevent it with anti-forgery tokens (`[ValidateAntiForgeryToken]`), SameSite cookies, and verifying the origin. Both exploit trust — XSS abuses the user's trust in a site, CSRF abuses the site's trust in the user's browser.

What are the best practices for storing passwords?

Never store passwords in plain text or with reversible encryption. Store a salted, slow cryptographic hash using a purpose-built algorithm (bcrypt, scrypt, Argon2, or PBKDF2), with a unique random salt per password and a high work factor. In .NET, prefer ASP.NET Core Identity, which handles hashing, salting, and verification correctly. Enforce strong passwords and consider MFA.

How do you implement OAuth 2.0 and OpenID Connect?

OAuth 2.0 is an authorization framework that issues access tokens so an app can act on a user's behalf without their credentials; OpenID Connect (OIDC) layers authentication on top, adding an ID token that proves who the user is. In ASP.NET Core you typically configure the OpenID Connect/JWT bearer middleware against an identity provider (Azure AD/Entra, IdentityServer, Auth0), using the authorization-code-with-PKCE flow for interactive apps.

What is the principle of least privilege?

The principle of least privilege grants every user, service, process, and credential only the minimum permissions needed to do its job — and nothing more. It limits the blast radius of compromised accounts or bugs. Apply it with role/policy-based authorization, scoped tokens, least-privileged database and cloud IAM accounts, and short-lived credentials, reviewing and revoking access regularly.

How do you secure sensitive data in configuration files?

Never commit secrets (connection strings, API keys) in plain text in source or config. In development use the Secret Manager (`dotnet user-secrets`); in production use a secure store such as Azure Key Vault, AWS Secrets Manager, or environment variables injected by the platform, accessed through the configuration system. Rotate secrets regularly and restrict access with least privilege.

Explain the importance of HTTPS and how to implement it

HTTPS encrypts traffic with TLS, protecting data in transit from eavesdropping, tampering, and man-in-the-middle attacks, and authenticating the server. In ASP.NET Core, enable it with `UseHttpsRedirection` and HSTS (`UseHsts`) in production, configure certificates (Kestrel/reverse proxy), and require secure cookies. Modern apps should serve all traffic over HTTPS by default.

What are the OWASP Top 10 security risks?

The OWASP Top 10 is a widely used list of the most critical web application security risks (e.g., Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Identification/Authentication Failures, SSRF). It guides where to focus defenses. In .NET, mitigations include proper authorization, parameterized queries/EF Core, output encoding, secure configuration, dependency scanning, and strong authentication.

Security

Application security for .NET: injection, XSS/CSRF, password storage, OAuth/OIDC, secret management, HTTPS, and the OWASP Top 10.

Open as page

SQL Injection is a code injection attack where malicious SQL statements are inserted into application queries, allowing attackers to manipulate database operations, access unauthorized data, or even destroy data.

Example of Vulnerable Code:

// VULNERABLE - Never do this!
string query = $"SELECT * FROM Users WHERE Username = '{username}' AND Password = '{password}'";
var result = context.Users.FromSqlRaw(query).ToList();

Prevention in .NET Core:

Use Parameterized Queries (Preferred Method):

var result = context.Users
    .FromSqlRaw("SELECT * FROM Users WHERE Username = {0} AND Password = {1}", username, password)
    .ToList();

Use LINQ and Entity Framework Core:

var user = context.Users
    .Where(u => u.Username == username && u.Password == password)
    .FirstOrDefault();

Use Stored Procedures:

var user = context.Users
    .FromSqlRaw("EXEC GetUserByCredentials @Username, @Password",
        new SqlParameter("@Username", username),
        new SqlParameter("@Password", password))
    .FirstOrDefault();

Input Validation:

public class LoginModel
{
    [Required]
    [StringLength(50, MinimumLength = 3)]
    [RegularExpression(@"^[a-zA-Z0-9_]+$")]
    public string Username { get; set; }
}

Related Resources

Prevent SQL injection (EF Core)

OWASP SQL Injection Prevention

Open as page

Cross-Site Scripting (XSS)

XSS allows attackers to inject malicious scripts into web pages viewed by other users, stealing cookies, session tokens, or other sensitive information.

Types of XSS:

Stored XSS: Malicious script stored in database
Reflected XSS: Script reflected off web server
DOM-based XSS: Vulnerability in client-side code

Prevention in .NET Core:

Use Razor Encoding (Automatic):

@Model.UserInput  // Automatically HTML encoded

For Raw HTML (Use with Caution):

@Html.Raw(Model.TrustedContent)  // Only for trusted content

Content Security Policy:

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy", 
        "default-src 'self'; script-src 'self' 'unsafe-inline'");
    await next();
});

Anti-XSS Library:

using Microsoft.Security.Application;
string safe = Encoder.HtmlEncode(userInput);

Cross-Site Request Forgery (CSRF)

CSRF forces authenticated users to execute unwanted actions on a web application by exploiting their active session.

Prevention in .NET Core:

Anti-Forgery Tokens (Built-in):

// In Startup.cs
services.AddControllersWithViews(options =>
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

// In Razor view

    @Html.AntiForgeryToken()
    


// In Controller
[ValidateAntiForgeryToken]
public IActionResult SubmitForm(FormModel model)
{
    // Process form
}

For AJAX Requests:

// In _Layout.cshtml


// JavaScript
var token = document.querySelector('meta[name="csrf-token"]').content;
fetch('/api/data', {
    method: 'POST',
    headers: {
        'RequestVerificationToken': token
    }
});

SameSite Cookies:

services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

Related Resources

Prevent XSS in ASP.NET Core

Prevent CSRF attacks

Open as page

Never store passwords in plain text! Always use cryptographic hashing with salting.

Best Practices in .NET Core:

Use ASP.NET Core Identity (Recommended):

// Startup.cs
services.AddIdentity(options =>
{
    options.Password.RequireDigit = true;
    options.Password.RequiredLength = 12;
    options.Password.RequireNonAlphanumeric = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
})
.AddEntityFrameworkStores();

// Usage
public class AccountController : Controller
{
    private readonly UserManager _userManager;
    
    public async Task Register(RegisterModel model)
    {
        var user = new ApplicationUser { UserName = model.Email };
        var result = await _userManager.CreateAsync(user, model.Password);
    }
}

Manual Implementation with BCrypt:

using BCrypt.Net;

public class PasswordHasher
{
    public string HashPassword(string password)
    {
        return BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));
    }
    
    public bool VerifyPassword(string password, string hashedPassword)
    {
        return BCrypt.Verify(password, hashedPassword);
    }
}

Using PBKDF2 (Built-in .NET):

using System.Security.Cryptography;

public class PasswordHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 20;
    private const int Iterations = 100000;
    
    public string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] hash = pbkdf2.GetBytes(HashSize);
        
        byte[] hashBytes = new byte[SaltSize + HashSize];
        Array.Copy(salt, 0, hashBytes, 0, SaltSize);
        Array.Copy(hash, 0, hashBytes, SaltSize, HashSize);
        
        return Convert.ToBase64String(hashBytes);
    }
    
    public bool VerifyPassword(string password, string hashedPassword)
    {
        byte[] hashBytes = Convert.FromBase64String(hashedPassword);
        byte[] salt = new byte[SaltSize];
        Array.Copy(hashBytes, 0, salt, 0, SaltSize);
        
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] hash = pbkdf2.GetBytes(HashSize);
        
        for (int i = 0; i < HashSize; i++)
        {
            if (hashBytes[i + SaltSize] != hash[i])
                return false;
        }
        return true;
    }
}

Key Principles:

Use adaptive hashing algorithms (BCrypt, Argon2, PBKDF2)
Always use unique salts per password
Use sufficient iteration counts (work factor)
Never store passwords reversibly

Related Resources

ASP.NET Core Identity

Password storage cheat sheet

Open as page

OAuth 2.0 provides authorization, while OpenID Connect adds authentication on top of OAuth 2.0.

Implementation in .NET Core:

Install Required Packages:

dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Configure Authentication (Startup.cs):

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://your-identity-provider.com";
        options.ClientId = "your-client-id";
        options.ClientSecret = "your-client-secret";
        options.ResponseType = "code";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true
        };
    });
}

public void Configure(IApplicationBuilder app)
{
    app.UseAuthentication();
    app.UseAuthorization();
}

Protecting Endpoints:

[Authorize]
public class SecureController : Controller
{
    public IActionResult Index()
    {
        var userName = User.Identity.Name;
        var claims = User.Claims;
        return View();
    }
}

API Authentication with JWT:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://your-identity-provider.com";
        options.Audience = "your-api-resource";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

Using Identity Server (Self-hosted):

// Install: dotnet add package IdentityServer4
services.AddIdentityServer()
    .AddInMemoryClients(Config.Clients)
    .AddInMemoryApiScopes(Config.ApiScopes)
    .AddInMemoryIdentityResources(Config.IdentityResources)
    .AddDeveloperSigningCredential();

Calling Protected APIs:

public class ApiClient
{
    private readonly HttpClient _httpClient;
    private readonly IHttpContextAccessor _httpContextAccessor;
    
    public async Task GetDataAsync()
    {
        var accessToken = await _httpContextAccessor.HttpContext
            .GetTokenAsync("access_token");
            
        _httpClient.DefaultRequestHeaders.Authorization = 
            new AuthenticationHeaderValue("Bearer", accessToken);
            
        var response = await _httpClient.GetAsync("https://api.example.com/data");
        return await response.Content.ReadAsStringAsync();
    }
}

Related Resources

Secure ASP.NET Core with OIDC

Open as page

Principle of Least Privilege means granting users, processes, or systems only the minimum permissions necessary to perform their functions.

Implementation in .NET Core:

Role-Based Access Control:

// Define roles in Startup.cs
services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => 
        policy.RequireRole("Administrator"));
    options.AddPolicy("UserOrAdmin", policy => 
        policy.RequireRole("User", "Administrator"));
});

// Use in controllers
[Authorize(Roles = "Administrator")]
public class AdminController : Controller
{
    // Only administrators can access
}

[Authorize(Policy = "AdminOnly")]
public IActionResult DeleteUser(int id)
{
    // Sensitive operation
}

Claims-Based Authorization:

services.AddAuthorization(options =>
{
    options.AddPolicy("CanEditDocuments", policy =>
        policy.RequireClaim("Permission", "Document.Edit"));
    
    options.AddPolicy("SeniorEmployees", policy =>
        policy.RequireAssertion(context =>
            context.User.HasClaim(c => c.Type == "EmployeeLevel" 
                && int.Parse(c.Value) >= 5)));
});

[Authorize(Policy = "CanEditDocuments")]
public IActionResult EditDocument(int id)
{
    // Only users with Document.Edit claim
}

Resource-Based Authorization:

public class DocumentAuthorizationHandler : 
    AuthorizationHandler
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Document resource)
    {
        if (resource.OwnerId == context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value)
        {
            context.Succeed(requirement);
        }
        
        return Task.CompletedTask;
    }
}

// Usage in controller
public class DocumentController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    
    public async Task Edit(int id)
    {
        var document = await _repository.GetAsync(id);
        var authResult = await _authorizationService.AuthorizeAsync(
            User, document, "EditPolicy");
            
        if (!authResult.Succeeded)
            return Forbid();
            
        return View(document);
    }
}

Database-Level Permissions:

// Connection string with limited permissions
"Server=myserver;Database=mydb;User Id=app_user;Password=***;"

// User 'app_user' should only have:
// - SELECT, INSERT, UPDATE on specific tables
// - EXECUTE on specific stored procedures
// - NO DROP, ALTER, or admin privileges

API Key Scoping:

public class ApiKeyAuthorizationHandler : AuthorizationHandler
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        ApiKeyRequirement requirement)
    {
        var apiKey = context.User.FindFirst("ApiKey")?.Value;
        var scopes = GetApiKeyScopes(apiKey);
        
        if (scopes.Contains(requirement.RequiredScope))
        {
            context.Succeed(requirement);
        }
        
        return Task.CompletedTask;
    }
}

Related Resources

Authorization in ASP.NET Core

Open as page

Never store secrets in plain text! Use secure storage mechanisms.

Methods in .NET Core:

User Secrets (Development Only):

dotnet user-secrets init
dotnet user-secrets set "ConnectionStrings:DefaultConnection" "Server=..."
dotnet user-secrets set "ApiKeys:GoogleMaps" "AIza..."

// Access in code
public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }
    
    public IConfiguration Configuration { get; }
    
    public void ConfigureServices(IServiceCollection services)
    {
        var connectionString = Configuration["ConnectionStrings:DefaultConnection"];
        var apiKey = Configuration["ApiKeys:GoogleMaps"];
    }
}

Azure Key Vault (Production):

dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets
dotnet add package Azure.Identity

// Program.cs
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            if (context.HostingEnvironment.IsProduction())
            {
                var builtConfig = config.Build();
                var keyVaultEndpoint = builtConfig["KeyVault:Endpoint"];
                
                config.AddAzureKeyVault(
                    new Uri(keyVaultEndpoint),
                    new DefaultAzureCredential());
            }
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup();
        });

Environment Variables:

// launchSettings.json (Development)
{
  "profiles": {
    "MyApp": {
      "environmentVariables": {
        "ConnectionStrings__DefaultConnection": "Server=...",
        "ApiKeys__GoogleMaps": "AIza..."
      }
    }
  }
}

// Access in code
var connectionString = Configuration["ConnectionStrings:DefaultConnection"];

Encrypted Configuration:

using System.Security.Cryptography;

public class EncryptedConfigurationProvider : ConfigurationProvider
{
    private readonly string _encryptedFilePath;
    private readonly byte[] _key;
    
    public override void Load()
    {
        var encryptedData = File.ReadAllBytes(_encryptedFilePath);
        var decryptedData = Decrypt(encryptedData, _key);
        
        // Parse and load configuration
        Data = ParseConfiguration(decryptedData);
    }
    
    private byte[] Decrypt(byte[] data, byte[] key)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        // Decryption logic
        return decryptedData;
    }
}

AWS Secrets Manager:

dotnet add package AWSSDK.SecretsManager
dotnet add package Amazon.Extensions.Configuration.SystemsManager

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            config.AddSystemsManager("/myapp/");
        });

Protected Configuration Sections:

public class SecureSettings
{
    public string ApiKey { get; set; }
    public string ConnectionString { get; set; }
}

// Startup.cs
services.Configure(Configuration.GetSection("SecureSettings"));

// Usage with IOptions
public class MyService
{
    private readonly SecureSettings _settings;
    
    public MyService(IOptions settings)
    {
        _settings = settings.Value;
    }
}

Best Practices:

Never commit secrets to source control
Use different secrets for each environment
Rotate secrets regularly
Audit secret access
Use managed identities when possible

Related Resources

Safe storage of app secrets in development

Azure Key Vault configuration provider

Open as page

HTTPS (HTTP Secure) encrypts data in transit using TLS/SSL, protecting against eavesdropping, tampering, and man-in-the-middle attacks.

Why HTTPS is Critical:

Encrypts sensitive data (passwords, credit cards, personal info)
Authenticates the server
Ensures data integrity
Required for modern features (geolocation, service workers, HTTP/2)
Improves SEO rankings
Builds user trust

Implementation in .NET Core:

Enable HTTPS Redirection:

// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 443;
    });
    
    services.AddHsts(options =>
    {
        options.MaxAge = TimeSpan.FromDays(365);
        options.IncludeSubDomains = true;
        options.Preload = true;
    });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (!env.IsDevelopment())
    {
        app.UseHsts();
    }
    
    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
}

Configure Kestrel with HTTPS:

// Program.cs
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.ConfigureKestrel(serverOptions =>
            {
                serverOptions.Listen(IPAddress.Any, 443, listenOptions =>
                {
                    listenOptions.UseHttps("certificate.pfx", "password");
                });
            })
            .UseStartup();
        });

Using appsettings.json:

{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://localhost:5001",
        "Certificate": {
          "Path": "certificate.pfx",
          "Password": "your-password"
        }
      }
    }
  }
}

Enforce HTTPS in Controllers:

[RequireHttps]
public class SecureController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}

// Or globally
services.AddControllers(options =>
{
    options.Filters.Add(new RequireHttpsAttribute());
});

Development Certificate:

# Generate development certificate
dotnet dev-certs https --trust

# Export certificate
dotnet dev-certs https -ep ${HOME}/.aspnet/https/aspnetapp.pfx -p YourPassword

Production SSL Configuration (IIS):

Security Headers:

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Strict-Transport-Security", 
        "max-age=31536000; includeSubDomains; preload");
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    await next();
});

Related Resources

Enforce HTTPS in ASP.NET Core

Open as page

The OWASP Top 10 represents the most critical web application security risks.

OWASP Top 10 (2021) and .NET Core Mitigations:

1. Broken Access Control

// Vulnerability: Users accessing unauthorized resources
// Mitigation:
[Authorize]
public async Task EditUser(int id)
{
    var user = await _userManager.GetUserAsync(User);
    if (user.Id != id && !User.IsInRole("Admin"))
        return Forbid();
    
    // Allow edit
}

2. Cryptographic Failures

// Vulnerability: Weak encryption or no encryption
// Mitigation:
using System.Security.Cryptography;

public class DataProtector
{
    public string Encrypt(string plainText, byte[] key)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.GenerateIV();
        
        using var encryptor = aes.CreateEncryptor();
        byte[] encrypted = encryptor.TransformFinalBlock(
            Encoding.UTF8.GetBytes(plainText), 0, plainText.Length);
            
        return Convert.ToBase64String(encrypted);
    }
}

// Use Data Protection API
services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@".\keys"))
    .SetApplicationName("MyApp");

3. Injection

// Vulnerability: SQL, NoSQL, LDAP injection
// Mitigation: Already covered in Question 103
var user = context.Users
    .Where(u => u.Email == email)  // Parameterized
    .FirstOrDefault();

4. Insecure Design

// Vulnerability: Lack of security controls in design
// Mitigation: Security by design
public class SecureTransactionService
{
    // Rate limiting
    private readonly IRateLimiter _rateLimiter;
    
    // Transaction limits
    private const decimal MaxDailyTransfer = 10000m;
    
    public async Task TransferFunds(decimal amount)
    {
        if (!await _rateLimiter.AllowRequest(User.Id))
            return Result.Fail("Rate limit exceeded");
            
        if (amount > MaxDailyTransfer)
            return Result.Fail("Exceeds daily limit");
            
        // Proceed with transfer
    }
}

5. Security Misconfiguration

// Vulnerability: Default configurations, unnecessary features
// Mitigation:
public void ConfigureServices(IServiceCollection services)
{
    // Remove unnecessary headers
    services.Configure(options =>
    {
        options.AddServerHeader = false;
    });
    
    // Disable detailed errors in production
    if (env.IsProduction())
    {
        app.UseExceptionHandler("/Error");
    }
    
    // Configure security headers
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Remove("X-Powered-By");
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        await next();
    });
}

6. Vulnerable and Outdated Components

# Mitigation: Regular updates and audits
dotnet list package --vulnerable
dotnet list package --outdated

# Update packages
dotnet add package PackageName --version 2.0.0



  true
  all

7. Identification and Authentication Failures

// Vulnerability: Weak authentication, session management
// Mitigation:
services.AddIdentity(options =>
{
    // Password requirements
    options.Password.RequiredLength = 12;
    options.Password.RequireDigit = true;
    options.Password.RequireUppercase = true;
    
    // Lockout settings
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
    options.Lockout.MaxFailedAccessAttempts = 5;
    
    // User settings
    options.User.RequireUniqueEmail = true;
    
    // Sign-in settings
    options.SignIn.RequireConfirmedEmail = true;
})
.AddDefaultTokenProviders();

// Multi-factor authentication
services.Configure(options =>
{
    options.Tokens.AuthenticatorTokenProvider = 
        TokenOptions.DefaultAuthenticatorProvider;
});

8. Software and Data Integrity Failures

// Vulnerability: Unsigned updates, insecure deserialization
// Mitigation:
public class SecureDeserializer
{
    public T Deserialize(string json)
    {
        var options = new JsonSerializerOptions
        {
            // Prevent type confusion attacks
            PropertyNameCaseInsensitive = false,
            MaxDepth = 32
        };
        
        return JsonSerializer.Deserialize(json, options);
    }
}

// Verify package integrity
// Use Subresource Integrity for CDN resources

9. Security Logging and Monitoring Failures

// Vulnerability: Insufficient logging
// Mitigation:
public class SecurityLogger
{
    private readonly ILogger _logger;
    
    public void LogSecurityEvent(string eventType, string details)
    {
        _logger.LogWarning(
            "Security Event: {EventType} - {Details} - User: {User} - IP: {IP} - Time: {Time}",
            eventType, details, GetCurrentUser(), GetUserIP(), DateTime.UtcNow);
    }
}

// Usage
public async Task Login(LoginModel model)
{
    var result = await _signInManager.PasswordSignInAsync(
        model.Email, model.Password, model.RememberMe, lockoutOnFailure: true);
        
    if (!result.Succeeded)
    {
        _securityLogger.LogSecurityEvent(
            "Failed Login Attempt", 
            $"Email: {model.Email}");
    }
    
    return result.Succeeded ? RedirectToAction("Index") : View(model);
}

// Configure logging
public void ConfigureServices(IServiceCollection services)
{
    services.AddLogging(builder =>
    {
        builder.AddConsole();
        builder.AddDebug();
        builder.AddApplicationInsights();
    });
}

10. Server-Side Request Forgery (SSRF)

// Vulnerability: Unvalidated URLs allowing internal resource access
// Mitigation:
public class SafeHttpClient
{
    private readonly HttpClient _httpClient;
    private readonly HashSet _allowedHosts = new()
    {
        "api.example.com",
        "trusted-service.com"
    };
    
    public async Task FetchUrl(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
            throw new ArgumentException("Invalid URL");
            
        // Prevent access to internal resources
        if (uri.Host == "localhost" || 
            uri.Host.StartsWith("127.") ||
            uri.Host.StartsWith("192.168.") ||
            uri.Host.StartsWith("10."))
            throw new SecurityException("Access to internal resources denied");
            
        // Whitelist approach
        if (!_allowedHosts.Contains(uri.Host))
            throw new SecurityException("Host not in whitelist");
            
        return await _httpClient.GetStringAsync(uri);
    }
}

Additional Security Measures:

// Global security configuration
public void ConfigureServices(IServiceCollection services)
{
    // CORS
    services.AddCors(options =>
    {
        options.AddPolicy("SecurePolicy", builder =>
        {
            builder.WithOrigins("https://trusted-domain.com")
                   .AllowAnyMethod()
                   .AllowAnyHeader()
                   .AllowCredentials();
        });
    });
    
    // Rate limiting
    services.AddRateLimiter(options =>
    {
        options.GlobalLimiter = PartitionedRateLimiter.Create(context =>
            RateLimitPartition.GetFixedWindowLimiter(
                partitionKey: context.User.Identity?.Name ?? context.Request.Headers.Host.ToString(),
                factory: partition => new FixedWindowRateLimiterOptions
                {
                    AutoReplenishment = true,
                    PermitLimit = 100,
                    QueueLimit = 0,
                    Window = TimeSpan.FromMinutes(1)
                }));
    });
    
    // Request size limits
    services.Configure(options =>
    {
        options.ValueLengthLimit = int.MaxValue;
        options.MultipartBodyLengthLimit = 10 * 1024 * 1024; // 10 MB
    });
    
    // Anti-forgery
    services.AddAntiforgery(options =>
    {
        options.HeaderName = "X-CSRF-TOKEN";
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
    });
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Security headers middleware
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        context.Response.Headers.Add("X-Frame-Options", "DENY");
        context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
        context.Response.Headers.Add("Referrer-Policy", "strict-origin-when-cross-origin");
        context.Response.Headers.Add("Content-Security-Policy", 
            "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'");
        context.Response.Headers.Add("Permissions-Policy", 
            "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
        await next();
    });
    
    if (!env.IsDevelopment())
    {
        app.UseExceptionHandler("/Error");
        app.UseHsts();
    }
    
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseCors("SecurePolicy");
    app.UseRateLimiter();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Related Resources

OWASP Top 10