Showing all posts tagged: 'security'

A 16-post collection

.NET Core authentication and authorisation using Auth0

I'm a big proponent of delegated authentication. It's no surprise that Broken Authentication is #2 in the latest OWASP Top 10 report. It's been #2 for a very long time, which means that developers and enterprises are still getting this wrong. There are so many ways that authentication can go wrong that delegated authentication should be the preferred and possibly the default choice for all platforms. There are many different services that can provide this. I've worked heavily with Azure AD and Azure AD B2C, but this time I wanted to take Auth0 for a spin. In this post …

Configure and use User Secrets in .NET Core 2.0 Console apps in development

Managing sensitive information and secrets in config files is something we have to deal with on a daily basis. Unfortunately, this is also something that we still get wrong. In many cases, secrets spill from production to development and vice versa, or we have to set up obscure file transformations and processes to change said secrets as we move from one environment to another. .NET Core has introduced the notion of User Secrets, which we can use to store application variables outside the application folder. The file that stores the secrets ends up in one of the following locations, depending …

Restrict public access to your Azure Web Apps with the IPSecurityRestrictions option

This is a little-known gem that I've used a few times as I help customers secure access to their Azure Web Apps. Traditionally, if one wants to restrict access to a website running on a VM (i.e. IaaS), then they can make use of firewalls to ensure that everything goes through a single endpoint and access is restricted. However, as we move to the cloud and further up the stack (PaaS or FaaS), we lose some of that tight control for the benefit of using a managed service! But what if you wanted to run your website …

Enforcing HTTPS-only traffic and HSTS settings for Azure Web Apps and Azure Functions

I hope that by now your site is running under HTTPS. If not, you may want to read Troy Hunt's blog post(s) on the subject. He does a great job explaining the WHY. If your site's running on Azure Web Apps under the default naming convention <yoursitename>, you have the option to enforce HTTPS using the Azure certificate. However, this is not recommended. Most likely, you'll have your site running under a custom domain. If that's the case, you'll need a custom certificate. There are many ways to acquire a certificate for free, but the …

EF Core, String Interpolation and SQL Injection

EF Core has always provided support for inline SQL queries. This means that you could pass a T-SQL query to be executed through the current DbContext. A typical example would look like this:

    var term = "some search term";
    var blogs = db.Blogs
        .FromSql($"SELECT * FROM dbo.Blogs WHERE Title = {term}")
        .OrderBy(b => b.Url)
        .Select(b => b.Url);

This feature is great if you need to call a table function etc. I would urge that this feature be used in moderation and with careful consideration. Calling raw T-SQL requires that developers understand the potential security or performance implications …