Security resources for .NET web applications

A collection of web app security links with a focus on ASP.NET:

OWASP – The Open Web Application Security Project is a worldwide community of professionals interested in security and a good starting point for securing your web apps. Some of the topics: Vulnerability, .NET Project, Cheat sheets, .NET Security Cheat Sheet, Top 10 security risks. Troy Hunt has some great Pluralsight courses about the Top 10 issues.

Top 10 Common Web Attacks from vpnMentor. Good summary of the OWASP Top 10 – 2017 edition. A good place to start (thanks to Qusai for the tip).

ASP.NET MVC Guidance: Security, Authentication and Authorization (ASP.NET site)

Security, Authentication, and Authorization in ASP.NET Web API (MS Docs)

ASP.NET Identity – Current MS stack for authentication and authorization in ASP.NET. Check the articles on security and especially the one on deployment, passwords and the cloud.

Troy Hunt – MS MVP, blogger and security expert. I really like his stuff. Take the list of topics of his Hack Yourself First workshop as inspiration, check out his Pluralsight courses and sign up for his newsletter. Love one of his recent posts, Passwords Evolved: Authentication Guidance for the Modern Era.

Ten Immutable Laws Of Security (Version 2.0) – Security philosophy 101 from Microsoft. Makes you think.

.NET Blog – General and security-related information.

My own blog entries about security.

Enable global authentication with ASP.NET MVC and Identity

To require user authentication for all action methods on all controllers, add the AuthorizeAttribute class to the global filters in the App_Start/FilterConfig.cs file:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    // Every action on every controller now requires an authenticated user
    filters.Add(new AuthorizeAttribute());
}

To configure an exception and allow anonymous access to an action method, decorate it with the AllowAnonymous attribute:

[AllowAnonymous]
public ActionResult Index()
{
    // do stuff
    return View();
}
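
Once the global filter is in place, every [AllowAnonymous] is a deliberate hole in it, so it pays to list them and review that list on each release. The following audit is an added example, not code from the original post: it assumes a project referencing System.Web.Mvc (MVC 5), and the controller and class names (HomeController, HealthController, AnonymousAccessAudit) are hypothetical. It also reports actions whose controller carries the attribute, since the global AuthorizeAttribute skips those as well.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed sample controllers so the audit has something to report.
public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index() { return Content("public landing page"); }

    public ActionResult Dashboard() { return Content("signed-in users only"); }
}

[AllowAnonymous] // controller-level: exempts every action in the class
public class HealthController : Controller
{
    public ActionResult Ping() { return Content("ok"); }
}

public static class AnonymousAccessAudit
{
    // Returns "Controller.Action" for every public action that opts out of the
    // global AuthorizeAttribute, either on the method or on its controller.
    public static IList<string> FindAnonymousActions(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                // Only methods written in this application, not framework members.
                .Where(m => m.DeclaringType.Assembly == assembly && !m.IsSpecialName)
                .Where(m => !m.IsDefined(typeof(NonActionAttribute), true))
                .Where(m => t.IsDefined(typeof(AllowAnonymousAttribute), true)
                         || m.IsDefined(typeof(AllowAnonymousAttribute), true))
                .Select(m => t.Name + "." + m.Name))
            .OrderBy(name => name, StringComparer.Ordinal)
            .ToList();
    }

    public static void Main()
    {
        // Print the exemptions so they can be compared against an approved list.
        foreach (var action in FindAnonymousActions(typeof(AnonymousAccessAudit).Assembly))
            Console.WriteLine(action);
    }
}
```

Calling FindAnonymousActions from a unit test and comparing the result with an approved list makes a new anonymous endpoint fail the build until someone signs off on it.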