Dotnet Security

Authentication & Authorization

Cryptography

Secrets Management

Security Decision Trees

Which Authentication?

API → JWT Bearer (dotnet-api-security)
  ↓
Web App → OIDC/Cookies (dotnet-api-security)
  ↓
SPA → BFF pattern (dotnet-api-security)
  ↓
Mobile → OAuth 2.1 (dotnet-api-security)

Which OWASP Mitigation?

Which Cryptography?

Complete Skill List

OWASP & Vulnerabilities (2 skills)

• dotnet-security-owasp - OWASP Top 10 mitigation
• dotnet-input-validation - Request validation

Authentication & Authorization (3 skills)

• dotnet-api-security - Identity, OAuth, JWT
• dotnet-blazor-auth - Blazor auth flows
• dotnet-csharp-configuration - User secrets

Cryptography (1 skill)

• dotnet-cryptography - Algorithms, hashing, encryption

Secrets Management (2 skills)

• dotnet-secrets-management - Secret management
• dotnet-csharp-configuration - Configuration security

Secure Coding (2 skills)

• dotnet-security-owasp - Deprecated API warnings
• dotnet-csharp-coding-standards - Secure coding conventions

Security Checklist

Application Security

• Input validation on all boundaries
• Output encoding for dynamic content
• Authentication on all endpoints
• Authorization checks at business logic
• Secure defaults (fail closed)
• Security headers configured
• Rate limiting implemented
• Audit logging enabled

Data Security

• Encryption at rest for sensitive data
• Encryption in transit (TLS 1.3)
• Secrets externalized (no hardcoding)
• Secure key management
• Data retention policies
• Backup encryption

API Security

• JWT validation (issuer, audience, expiry)
• Scope/claim validation
• CORS properly configured
• CSRF protection where needed
• API versioning for deprecations

Security Patterns

Input Validation

// Server-side validation
var validator = new CreateUserValidator();
var result = await validator.ValidateAsync(request);
if (!result.IsValid)
    return Results.ValidationProblem(result.ToDictionary());

// Never trust client input
public sealed class CreateUserRequest
{
    [Required, EmailAddress]
    public string Email { get; set; } = null!;
    
    [Required, MinLength(12)]
    public string Password { get; set; } = null!;
}

Secure Configuration

// Use user secrets in development
builder.Configuration.AddUserSecrets<Program>();

// Never commit secrets
if (builder.Environment.IsProduction())
{
    builder.Configuration.AddAzureKeyVault(...);
}

Output Encoding

// Razor encodes by default
@Model.UserInput  // HTML encoded

// Manual encoding when needed
var encoded = HtmlEncoder.Default.Encode(userInput);

Cross-References

• Web Development → dotnet-web
• API Design → dotnet-api-design
• Architecture → dotnet-architecture
• Fundamentals → dotnet-fundamentals

Security Headers

Version Assumptions

• .NET 8.0+ for modern security features
• Identity requires .NET 6.0+
• Passkeys require .NET 8.0+
• Cryptography APIs are version-stable

Common Vulnerabilities

See Also

• OWASP Top 10 2021
• Microsoft Security Docs
• INDEX.md - Complete skill index
• TAXONOMY.md - Taxonomy schema