Introduction
In today’s connected world, secure data transfer is not optional—it’s essential. Whether your API handles personal information, financial data, or enterprise operations, ensuring that data remains confidential and tamper-proof during transmission is critical.
In this article, we’ll explore how to implement encryption and HTTPS in ASP.NET Core APIs, covering TLS (Transport Layer Security), symmetric/asymmetric encryption, and best practices to ensure that your API meets enterprise-grade security standards.
1. Why HTTPS and Encryption Matter
Plain HTTP sends data in clear text, meaning that any attacker intercepting the communication (via a man-in-the-middle attack) can read or modify the data. HTTPS, backed by TLS, encrypts this communication, ensuring:
Confidentiality – Only the intended recipient can read the data.
Integrity – The message cannot be tampered with in transit.
Authentication – Clients can verify the server’s identity via SSL certificates.
In addition to HTTPS, data-level encryption adds another security layer, ensuring sensitive payloads (like passwords, tokens, or personal data) remain encrypted even if intercepted or stored insecurely.
2. Enforcing HTTPS in ASP.NET Core
ASP.NET Core provides a straightforward way to enforce HTTPS across the application.
Step 1: Configure HTTPS Redirection
In your Program.cs
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpsRedirection(options =>
{
options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
options.HttpsPort = 443;
});
var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthorization();
app.MapControllers();
app.Run();
This ensures every HTTP request automatically redirects to HTTPS.
3. Setting Up SSL/TLS Certificates
For local development, use a development certificate:
dotnet dev-certs https --trust
For production
Obtain an SSL certificate from a trusted Certificate Authority (CA).
Configure it in your hosting environment (IIS, Kestrel, Nginx, or Azure App Service).
Always use TLS 1.2 or higher for secure communication.
In appsettings.json for Kestrel
"Kestrel": {
"Endpoints": {
"Https": {
"Url": "https://localhost:5001",
"Certificate": {
"Path": "certs/your-cert.pfx",
"Password": "your-password"
}
}
}
}
4. Encrypting Data in Transit and at Rest
HTTPS ensures encryption in transit, but sensitive data may also need encryption before transmission or before saving to the database.
Example: Symmetric Encryption using AES
public static class EncryptionHelper
{
public static string EncryptString(string plainText, string key)
{
using var aes = Aes.Create();
aes.Key = Encoding.UTF8.GetBytes(key);
aes.GenerateIV();
using var encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
using var ms = new MemoryStream();
ms.Write(aes.IV, 0, aes.IV.Length);
using var cs = new CryptoStream(ms, encryptor, CryptoStreamMode.Write);
using var sw = new StreamWriter(cs);
sw.Write(plainText);
return Convert.ToBase64String(ms.ToArray());
}
public static string DecryptString(string cipherText, string key)
{
var buffer = Convert.FromBase64String(cipherText);
using var aes = Aes.Create();
aes.Key = Encoding.UTF8.GetBytes(key);
var iv = new byte[aes.BlockSize / 8];
Array.Copy(buffer, iv, iv.Length);
aes.IV = iv;
using var decryptor = aes.CreateDecryptor(aes.Key, aes.IV);
using var ms = new MemoryStream(buffer, iv.Length, buffer.Length - iv.Length);
using var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read);
using var sr = new StreamReader(cs);
return sr.ReadToEnd();
}
}
This AES-based approach is great for encrypting payloads or sensitive data before saving to a database.
5. Enforcing HSTS (HTTP Strict Transport Security)
HSTS ensures browsers always connect via HTTPS, even if the user types http://.
app.UseHsts();
⚠️ Note: Enable HSTS only in production environments.
6. Backend Integration Example
In a secure Angular + ASP.NET Core setup:
The Angular frontend calls HTTPS endpoints only.
Sensitive data (like access tokens or personal info) can be encrypted client-side before sending to the API.
The backend decrypts and processes it securely.
Example API Controller
[ApiController]
[Route("api/[controller]")]
public class SecureDataController : ControllerBase
{
[HttpPost("submit")]
public IActionResult Submit([FromBody] EncryptedPayload payload)
{
string key = "1234567890123456"; // 16-char key
string decrypted = EncryptionHelper.DecryptString(payload.Data, key);
return Ok(new { message = "Data received securely", content = decrypted });
}
}
public class EncryptedPayload
{
public string Data { get; set; }
}
7. Best Practices for Secure APIs
Always Use HTTPS – Redirect all HTTP traffic.
Apply HSTS – Enforce HTTPS for future requests.
Use Modern TLS Versions (1.2/1.3) – Avoid older, insecure protocols.
Implement Data Encryption – AES or RSA for sensitive data.
Rotate Keys Periodically – Never hardcode or reuse encryption keys.
Use Secrets Manager – Store keys in Azure Key Vault or AWS Secrets Manager.
Apply Certificate Pinning – Prevent man-in-the-middle attacks.
Use Strong Authentication – JWT or OAuth2 over HTTPS only.
8. Tools for API Security Testing
OWASP ZAP – For penetration testing and vulnerability scanning.
Burp Suite – For intercepting and analyzing HTTPS requests.
Postman Interceptor – To ensure secure API endpoint validation.
Conclusion
Securing your ASP.NET Core API involves more than just enabling HTTPS—it requires layered defense, combining TLS encryption, data-level protection, and security best practices.
By implementing these strategies, your APIs will meet modern compliance standards and protect sensitive information from evolving cyber threats—making your system truly enterprise-ready.