MSDN Documentation

Your comprehensive guide to Microsoft technologies

Securing ASP.NET Core APIs

Last updated: October 26, 2023

Protecting your Application Programming Interfaces (APIs) is crucial for safeguarding sensitive data and ensuring the integrity of your applications. ASP.NET Core provides robust mechanisms for implementing API security.

Key Concepts in API Security

Several fundamental principles underpin effective API security:

  • Authentication: Verifying the identity of the client making the request.
  • Authorization: Determining what authenticated clients are allowed to do.
  • Data Encryption: Protecting data in transit and at rest.
  • Rate Limiting: Preventing abuse by controlling the number of requests a client can make.
  • Input Validation: Sanitizing all incoming data to prevent injection attacks.

Authentication Strategies

ASP.NET Core supports various authentication schemes suitable for API scenarios:

1. API Keys

A simple method where clients include a unique key in their requests. While easy to implement, API keys can be less secure if not managed carefully.


public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication("MyApiKeyScheme")
        .AddScheme("MyApiKeyScheme", options => {});
}

public class ApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    // ... implementation to validate API key ...
}

2. JWT Bearer Tokens

JSON Web Tokens (JWT) are a popular choice for stateless authentication. They are compact and self-contained, carrying user claims within the token.

To configure JWT Bearer authentication:


services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = Configuration["Jwt:Issuer"],
            ValidAudience = Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
        };
    });

You would then apply the [Authorize] attribute to your API controllers or actions.

3. OAuth 2.0 and OpenID Connect

For more complex scenarios involving third-party authentication or delegated access, OAuth 2.0 and OpenID Connect (OIDC) are industry standards. ASP.NET Core integrates well with identity providers like Azure Active Directory (now Microsoft Entra ID).

Authorization Techniques

Once authenticated, you need to control access to your API endpoints:

Role-Based Authorization

Assign roles to users and then restrict access to specific roles.


[Authorize(Roles = "Admin")]
[ApiController]
[Route("api/[controller]")]
public class AdminController : ControllerBase
{
    // ...
}

Policy-Based Authorization

Define authorization policies based on claims, roles, or custom requirements.


services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Admin"));
    options.AddPolicy("ElevatedRights", policy => policy.RequireAssertion(context =>
        context.User.HasClaim(c => c.Type == "Elevation") ||
        context.User.IsInRole("Admin")
    ));
});

Then, apply the policy:


[Authorize(Policy = "ElevatedRights")]
public IActionResult GetSensitiveData() { /* ... */ }

Implementing HTTPS

Always use HTTPS to encrypt communication between clients and your API. ASP.NET Core makes this straightforward.

In your Program.cs (or Startup.cs in older versions):


app.UseHttpsRedirection();

Cross-Origin Resource Sharing (CORS)

If your API needs to be accessed by web applications running on different domains, you'll need to configure CORS.


services.AddCors(options =>
{
    options.AddPolicy("AllowMySpecificOrigin",
        builder => builder.WithOrigins("https://www.example.com")
                          .AllowAnyHeader()
                          .AllowAnyMethod());
});

// In Configure method:
app.UseCors("AllowMySpecificOrigin");

Best Practices for Secure APIs

  • Least Privilege: Grant only the necessary permissions.
  • Secure Secrets: Do not hardcode credentials or secrets. Use configuration providers or secret management tools.
  • Regular Updates: Keep ASP.NET Core and its dependencies updated to patch security vulnerabilities.
  • Logging and Monitoring: Implement comprehensive logging for security events.
  • Input Validation: Always validate and sanitize user input.

By leveraging the security features built into ASP.NET Core and adhering to best practices, you can build robust and secure APIs.

^