Introduction
Application security has become one of the most critical aspects of modern software development. Whether you are building ASP.NET Core MVC, Web API, or .NET Framework applications, or even desktop apps, securing your application should always be a top priority.
Attackers continuously look for vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), insecure authentication, and sensitive data exposure.
In this article, we will explore the best practices for application security in C# development with practical recommendations and ready-to-use code snippets.
1. Authentication and Authorization
Use ASP.NET Core Identity, OAuth 2.0, or OpenID Connect for secure authentication.
Always hash and salt passwords using PBKDF2, bcrypt, or Argon2.
Implement multi-factor authentication (MFA) for sensitive apps.
Enforce Role-Based Access Control (RBAC) or Claims-Based Authorization.
[Authorize(Roles = "Admin")]
public IActionResult AdminDashboard()
{
return View();
}
2. Preventing SQL Injection
Always use Entity Framework LINQ or parameterized queries. Never concatenate user input directly into SQL strings.
Safe (Entity Framework LINQ) :
var user = db.Users.FirstOrDefault(u => u.Username == username);
Safe (ADO.NET with parameters) :
var cmd = new SqlCommand("SELECT * FROM Users WHERE Username = @username", conn);
cmd.Parameters.AddWithValue("@username", username);
Vulnerable (SQL Injection) :
var query = $"SELECT * FROM Users WHERE Username = '{username}'";
3. Input Validation and Output Encoding
Validate user input using data annotations or libraries like FluentValidation .
Use whitelisting validation where possible.
Encode all output to prevent XSS attacks.
@Html.DisplayFor(model => model.Comment) // Razor safely encodes output
4. Secure Configuration
Never hardcode secrets (use Azure Key Vault, AWS Secrets Manager, or environment variables ).
Disable detailed error messages in production.
Enforce HTTPS/TLS 1.2+ using middleware.
app.UseHttpsRedirection();
5. Protect Against Cross-Site Attacks
CSRF Protection
@Html.AntiForgeryToken()
And in the controller:
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult SubmitForm(MyModel model)
{
// Handle form safely
}
CORS Protection
Restrict origins and headers:
app.UseCors(builder =>
builder.WithOrigins("https://trusteddomain.com")
.AllowAnyHeader()
.AllowAnyMethod());
6. Logging and Monitoring
Use structured logging (Serilog, NLog, or Microsoft.Extensions.Logging).
Do not log sensitive data such as passwords or tokens.
_logger.LogInformation("User {UserId} logged in at {Time}", userId, DateTime.UtcNow);
7. Secure APIs
Use JWT or OAuth2.0 for API security.
Always validate tokens for issuer, audience, and expiration.
Implement rate limiting to prevent brute-force attacks.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true
};
});
8. Dependency and Patch Management
Keep .NET runtime, NuGet packages, and libraries up to date.
Use tools like OWASP Dependency-Check or GitHub Dependabot.
9. Secure File Handling
Validate file extensions and MIME types.
Store uploaded files outside the web root.
Use GUID filenames instead of user-supplied names.
var fileName = $"{Guid.NewGuid()}{Path.GetExtension(file.FileName)}";
var path = Path.Combine("uploads", fileName);
10. Cryptography and Data Protection
using (var rng = RandomNumberGenerator.Create())
{
byte[] tokenData = new byte[32];
rng.GetBytes(tokenData);
string token = Convert.ToBase64String(tokenData);
}
11. Secure Development Lifecycle
Use static analysis tools (SonarQube, Roslyn analyzers).
Perform penetration testing with OWASP ZAP or Burp Suite.
Apply threat modeling (STRIDE, DREAD) early in design.
12. Compliance and Standards
Follow OWASP Top 10 and CWE/SANS Top 25 guidelines.
Ensure compliance with GDPR, PCI-DSS, or HIPAA as required.
Real-World Security Checklist for C# Developers
Here’s a quick reference you can use in your projects:
Authentication & Authorization
Use ASP.NET Identity / OAuth2 / OpenID Connect
Enforce strong password policies & MFA
Apply role-based or claims-based access control
Data Protection
Parameterize all queries (no string concatenation)
Encrypt sensitive data (AES-256, DPAPI)
Use secure random numbers ( RandomNumberGenerator )
Web Security
Enable HTTPS/TLS (redirect all HTTP to HTTPS)
Enable CSRF protection in forms
Restrict CORS to trusted domains
File Handling
Logging & Monitoring
Use structured logging (Serilog/NLog)
Never log passwords, tokens, or PII
Monitor with alerts for suspicious activity
Dependencies & Config
Testing & SDLC
Perform code reviews for security flaws
Run static code analysis (SonarQube, Roslyn analyzers)
Conduct penetration testing (OWASP ZAP, Burp Suite)
Conclusion
Security should never be an afterthought in software development. By following these best practices in your C# applications , you can significantly reduce the risk of common vulnerabilities and safeguard your users’ data.
Remember the golden rules:
Validate input, escape output, and parameterize queries.
Secure authentication and authorization with least privilege.
Protect secrets, enforce HTTPS, and enable CSRF protection.
Keep dependencies updated and log securely.
By adopting these practices, developers can build secure, reliable, and resilient C# applications that stand strong against today’s cyber threats.