.NET Security Overview
Explore the security fundamentals built into the .NET platform, from authentication and authorization to cryptography and secure coding practices.
Updated Sep 2025
Core Security Principles
.NET follows a set of principles that help developers build resilient applications.
- Defense in Depth: Multiple layers of protection.
- Least Privilege: Operate with the minimal permissions required.
- Secure Defaults: APIs default to safe configurations.
- Fail Securely: Errors should not leak sensitive data.
- Validated Input: All external data must be validated or sanitized.
Authentication
Authentication verifies the identity of a user or service. .NET provides several mechanisms:
- ASP.NET Core Identity
- OpenID Connect & OAuth 2.0
- Windows Authentication (Kerberos, NTLM)
- Certificate-based authentication
ASP.NET Core Identity is a membership system that adds login functionality to applications. Its default password hasher stores salted PBKDF2 (HMAC‑based) hashes in a versioned format, so the work factor can be raised later and older hashes upgraded the next time the user signs in, and it supports two‑factor authentication (for example TOTP authenticator apps).
When integrating external providers (Google, Microsoft Entra ID, formerly Azure AD, etc.), the authentication handler validates the provider's tokens (signature, issuer, audience, expiry). Linking the resulting external identity to a local account is still the application's job, which Identity supports through its external‑login flow.
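The following is an added example, not code from the page or from the ASP.NET Core project, showing how the Identity password hasher is used directly: hashing a new password and verifying a login while honouring the SuccessRehashNeeded result, which is how the versioned format lets a deployment raise its PBKDF2 parameters without forcing resets. It assumes the Microsoft.Extensions.Identity.Core package and a hypothetical AppUser class that the application owns.

```csharp
// Added example (not from the original page): verifying a stored Identity
// password hash and re-hashing when the hasher's parameters have been raised.
// Assumes the Microsoft.Extensions.Identity.Core package (PasswordHasher<TUser>,
// the hasher ASP.NET Core Identity uses) and a hypothetical AppUser class.
using System;
using Microsoft.AspNetCore.Identity;

public sealed class AppUser
{
    public string UserName { get; set; } = "";
    public string PasswordHash { get; set; } = "";
}

public static class PasswordCheck
{
    // PasswordHasher<TUser> produces a salted PBKDF2 hash with a format marker
    // in the first byte, so the verifier can recognise hashes produced under
    // older parameters.
    private static readonly PasswordHasher<AppUser> Hasher = new();

    public static void SetPassword(AppUser user, string password)
    {
        user.PasswordHash = Hasher.HashPassword(user, password);
    }

    // Returns true only when the password matches. If the stored hash was made
    // with weaker (older) parameters, it is upgraded while the cleartext is at hand.
    public static bool Verify(AppUser user, string providedPassword)
    {
        var result = Hasher.VerifyHashedPassword(user, user.PasswordHash, providedPassword);
        switch (result)
        {
            case PasswordVerificationResult.Success:
                return true;
            case PasswordVerificationResult.SuccessRehashNeeded:
                // Correct password, but the hash is in an old format or uses a
                // lower work factor: re-hash now rather than waiting for a reset.
                user.PasswordHash = Hasher.HashPassword(user, providedPassword);
                return true;
            default:
                // Failed: say nothing more specific to the caller than "no".
                return false;
        }
    }

    public static void Main()
    {
        var user = new AppUser { UserName = "alice" };   // constructed sample user
        SetPassword(user, "correct horse battery staple");
        Console.WriteLine($"right password accepted: {Verify(user, "correct horse battery staple")}");
        Console.WriteLine($"wrong password accepted:  {Verify(user, "wrong password")}");
    }
}
```

Persist the updated PasswordHash after a SuccessRehashNeeded result; the hasher only returns the new string, it does not write it anywhere.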
Cryptography
.NET includes a robust cryptographic library in System.Security.Cryptography. Key features:
- Symmetric algorithms: AES (including the authenticated AES‑GCM and AES‑CCM modes), ChaCha20‑Poly1305 where the platform supports it
- Asymmetric algorithms: RSA, ECDsa, ECDiffieHellman; EdDSA is not included in the built‑in library and requires a third‑party package (for example BouncyCastle)
- Hashing: SHA‑256/384/512, SHA‑3 (platform‑dependent, .NET 8+); MD5 and SHA‑1 remain available for legacy interoperability only and must not be used for security; BLAKE2 requires a third‑party package
- Key derivation: PBKDF2 (Rfc2898DeriveBytes.Pbkdf2), HKDF; Argon2 via third‑party packages
- Secure random number generation via RandomNumberGenerator
```csharp
using System.Security.Cryptography;
using System.Text;

byte[] plaintext = Encoding.UTF8.GetBytes("example message");
byte[] key = RandomNumberGenerator.GetBytes(32);   // 256-bit key from the CSPRNG
using var aes = Aes.Create();
aes.Key = key;
aes.GenerateIV();                                  // fresh random IV for every message
byte[] ciphertext = aes.EncryptCbc(plaintext, aes.IV);
// CBC alone gives confidentiality only: store the IV alongside the ciphertext and
// add a MAC, or prefer an authenticated mode such as AesGcm.
```
The APIs are designed to reject misuse rather than silently weaken. For example, the object returned by Aes.Create() accepts only 128‑, 192‑ or 256‑bit keys and throws a CryptographicException if a key of any other length is assigned.
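Because the CBC snippet above does not authenticate the ciphertext, the example below (added here, not code from the page or from the .NET libraries) shows the authenticated alternative: AES‑GCM with the nonce, ciphertext and tag packed into one envelope, plus associated data that is bound to the message without being encrypted. It requires .NET 8 or later for the AesGcm constructor that takes an explicit tag size and for AuthenticationTagMismatchException; the key is generated in‑process purely for the demonstration and the message and associated data are constructed samples.

```csharp
// Added example (not the page's code): authenticated encryption with AES-GCM,
// packaging nonce || ciphertext || tag so that modification of any part is
// detected on decryption. Requires .NET 8+. In production the key would come
// from a key vault or HSM, not RandomNumberGenerator at startup.
using System;
using System.Security.Cryptography;
using System.Text;

public static class AeadEnvelope
{
    private const int NonceSize = 12; // 96-bit nonce, the size GCM is specified for
    private const int TagSize = 16;   // 128-bit authentication tag

    // Output layout: [nonce (12)] [ciphertext (n)] [tag (16)].
    public static byte[] Encrypt(byte[] key, byte[] plaintext, byte[]? associatedData = null)
    {
        var output = new byte[NonceSize + plaintext.Length + TagSize];
        var nonce = output.AsSpan(0, NonceSize);
        var ciphertext = output.AsSpan(NonceSize, plaintext.Length);
        var tag = output.AsSpan(NonceSize + plaintext.Length, TagSize);

        // A nonce must never repeat under the same key; a random 96-bit nonce is
        // fine for a modest number of messages per key, otherwise rotate the key.
        RandomNumberGenerator.Fill(nonce);
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);
        return output;
    }

    // Returns null rather than garbage when the tag does not verify.
    public static byte[]? Decrypt(byte[] key, byte[] envelope, byte[]? associatedData = null)
    {
        if (envelope.Length < NonceSize + TagSize) return null;
        var nonce = envelope.AsSpan(0, NonceSize);
        var ciphertext = envelope.AsSpan(NonceSize, envelope.Length - NonceSize - TagSize);
        var tag = envelope.AsSpan(envelope.Length - TagSize, TagSize);
        var plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
            return plaintext;
        }
        catch (AuthenticationTagMismatchException)
        {
            return null; // nonce, ciphertext, tag or associated data was altered
        }
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);            // AES-256 key
        byte[] aad = Encoding.UTF8.GetBytes("user=alice;v=1");      // constructed, bound but not encrypted
        byte[] envelope = Encrypt(key, Encoding.UTF8.GetBytes("constructed sample message"), aad);

        byte[]? ok = Decrypt(key, envelope, aad);
        Console.WriteLine(ok is null ? "REJECTED" : Encoding.UTF8.GetString(ok));

        // Flip one bit of the ciphertext: GCM rejects the whole message instead of
        // returning a silently corrupted plaintext, which CBC without a MAC would do.
        envelope[NonceSize] ^= 0x01;
        Console.WriteLine(Decrypt(key, envelope, aad) is null ? "REJECTED" : "accepted?!");

        // Same ciphertext, different associated data: also rejected.
        envelope[NonceSize] ^= 0x01;
        Console.WriteLine(Decrypt(key, envelope, Encoding.UTF8.GetBytes("user=mallory;v=1")) is null
            ? "REJECTED" : "accepted?!");
    }
}
```

Returning null on failure (instead of letting the exception escape) keeps the caller from accidentally using a partially filled plaintext buffer; the exception type is caught specifically so that genuine key or argument errors still surface.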
Secure Coding Guidelines
Follow these practices to mitigate common vulnerabilities:
- Validate and sanitize all input: bind requests to typed models with data‑annotation attributes and check ModelState.IsValid (the model‑state types live in Microsoft.AspNetCore.Mvc.ModelBinding).
- Prefer built‑in APIs over custom implementations for security‑critical functions.
- Never log sensitive data (passwords, tokens, personal identifiers).
- Use using statements or await using for disposable security objects so keys, handles and streams are released promptly.
- Enable HTTPS everywhere; configure HSTS and TLS 1.2+.