Introduction
Application security is one of the most critical aspects of modern software development. As a .NET developer, you are often building enterprise-grade applications that handle sensitive business and user data. A single security vulnerability can expose your application to SQL injection, XSS, CSRF, data leaks, or denial-of-service attacks.
In this article, we'll explore the top 10 application security best practices every .NET developer should follow when building applications with ASP.NET Core MVC, Web API, and .NET Framework.
1. Enforce HTTPS Everywhere
app.UseHttpsRedirection();
app.UseHsts();
Always serve over TLS with a certificate from a trusted CA (Let's Encrypt, or a managed certificate service such as Azure Key Vault certificates or AWS ACM). Two practical notes: UseHttpsRedirection needs an HTTPS port to redirect to (it logs a warning and does nothing if none is configured), and HSTS is only honoured by browsers when the header arrives over HTTPS. The default project template calls UseHsts() only outside the Development environment, because a cached HSTS entry for localhost affects every other local project you run.
2. Validate and Sanitize All Inputs
Never trust user inputs (form data, query strings, JSON).
Use Data Annotations or FluentValidation.
public class RegisterModel
{
[Required]
[EmailAddress]
public string Email { get; set; }
}
Validation rejects malformed payloads early and narrows what reaches your code, but it is not by itself a defence against injection or XSS: those need parameterized queries (section 3) and context-aware output encoding, which Razor applies to @-expressions by default. In an MVC controller the annotations only populate ModelState; the action must check ModelState.IsValid (controllers marked [ApiController] return 400 automatically).
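As an added example (not code from the original article), here is the model above extended with length and character-set constraints, an MVC action that actually enforces ModelState, and the separate output-encoding step that validation does not replace. The controller, action and property names are illustrative.

```csharp
// Added example: model validation plus output encoding in ASP.NET Core MVC.
// Type, action and property names are illustrative, not from the original article.
using System.ComponentModel.DataAnnotations;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

public class RegisterModel
{
    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; } = string.Empty;

    // Allowlist the character set instead of trying to block "bad" characters.
    [Required, StringLength(32, MinimumLength = 3)]
    [RegularExpression("^[A-Za-z0-9_]+$", ErrorMessage = "Letters, digits and underscore only.")]
    public string UserName { get; set; } = string.Empty;

    [Required, StringLength(128, MinimumLength = 12)]
    [DataType(DataType.Password)]
    public string Password { get; set; } = string.Empty;
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Register(RegisterModel model)
    {
        // Data Annotations populate ModelState; in a plain MVC controller they do
        // not reject the request by themselves, so the action must check it.
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ... create the account (omitted) ...
        return RedirectToAction(nameof(Welcome), new { name = model.UserName });
    }

    // Validation does not replace output encoding: anything rendered back must be
    // encoded for the context it is written into. Razor does this for @name by
    // default; when building HTML by hand, encode explicitly.
    public IActionResult Welcome(string name)
    {
        string safe = HtmlEncoder.Default.Encode(name ?? string.Empty);
        return Content($"<h1>Welcome, {safe}</h1>", "text/html");
    }
}
```

For Web API controllers decorated with [ApiController], the ModelState check is done by the framework and an automatic 400 ValidationProblemDetails response is returned, so the explicit check is only needed in MVC controllers and Razor Pages handlers.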
3. Prevent SQL Injection
// Vulnerable
var users = db.Users.FromSqlRaw("SELECT * FROM Users WHERE Name = '" + name + "'");
// Safe
var users = db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}");
Never concatenate strings into SQL commands. The same rule applies to FromSqlRaw: pass values as arguments ({0}, {1}) so they become DbParameters. FromSqlRaw($"... WHERE Name = {name}") compiles without warning but formats the value into the SQL text before EF Core sees it, so it is exactly as injectable as the concatenation above. Only values can be parameterized; table and column names (for example a user-chosen sort column) must be mapped through an allowlist.
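The following is an added example, not code from the original article, collecting the parameterized forms side by side: LINQ, FromSqlRaw with placeholders, FromSqlInterpolated, an allowlist for identifiers that cannot be parameterized, and plain ADO.NET with SqlParameter. The User entity, AppDbContext and connection string are assumed placeholders.

```csharp
// Added example: parameterized query forms in EF Core and ADO.NET.
// User, AppDbContext and the connection string are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;

public static class UserQueries
{
    // Identifiers cannot be parameterized, so map caller input to a fixed set.
    private static readonly HashSet<string> SortableColumns =
        new(StringComparer.OrdinalIgnoreCase) { "Name", "CreatedAt" };

    // 1. LINQ: EF Core always parameterizes values captured in the expression.
    public static Task<List<User>> ByNameLinq(AppDbContext db, string name) =>
        db.Users.Where(u => u.Name == name).ToListAsync();

    // 2. FromSqlRaw with {0} placeholders: each argument becomes a DbParameter.
    public static Task<List<User>> ByNameRaw(AppDbContext db, string name) =>
        db.Users.FromSqlRaw("SELECT * FROM Users WHERE Name = {0}", name).ToListAsync();

    // 3. FromSqlInterpolated: the FormattableString is converted to parameters.
    public static Task<List<User>> ByNameInterpolated(AppDbContext db, string name) =>
        db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}").ToListAsync();

    // TRAP (do not do this): a C# interpolated string passed to FromSqlRaw is
    // formatted into the SQL text before EF sees it, i.e. it is injectable:
    //   db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}");

    // 4. ORDER BY column chosen by the caller: resolve through the allowlist and
    //    only then splice the canonical identifier into the SQL text.
    public static Task<List<User>> Sorted(AppDbContext db, string sortBy)
    {
        if (!SortableColumns.TryGetValue(sortBy, out var column))
            throw new ArgumentException("Unsupported sort column", nameof(sortBy));
        // Safe only because `column` comes from SortableColumns, not from the caller.
        return db.Users.FromSqlRaw("SELECT * FROM Users ORDER BY [" + column + "]").ToListAsync();
    }

    // 5. Plain ADO.NET: same rule, typed SqlParameter instead of string building.
    public static async Task<int> CountByName(string connectionString, string name)
    {
        await using var conn = new SqlConnection(connectionString);
        await using var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", System.Data.SqlDbType.NVarChar, 100).Value = name;
        await conn.OpenAsync();
        return Convert.ToInt32(await cmd.ExecuteScalarAsync());
    }
}

public class User
{
    public int Id { get; set; }
    public string Name { get; set; } = string.Empty;
    public DateTime CreatedAt { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<User> Users => Set<User>();
}
```

The HashSet lookup in Sorted returns the canonical column name it stores, so even a differently cased caller value is replaced by the allowlisted spelling rather than echoed into the query.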
4. Secure Authentication and Authorization
Use ASP.NET Core Identity or external providers (Azure AD, IdentityServer).
Enforce role-based or policy-based authorization.
[Authorize(Roles = "Admin")]
public IActionResult AdminDashboard()
{
return View();
}
Implement Multi-Factor Authentication (MFA) wherever possible; ASP.NET Core Identity ships with TOTP authenticator-app support, and external providers such as Microsoft Entra ID (Azure AD) can enforce it by policy.
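Role checks such as [Authorize(Roles = "Admin")] work, but they leave every endpoint without the attribute open. As an added example (not code from the original article), the following configures a deny-by-default fallback policy plus named policies that combine a role, a permission claim and an MFA claim. The policy names, claim types and the "amr" = "mfa" convention are assumptions for illustration.

```csharp
// Added example: deny-by-default authorization with named policies.
// Policy names, claim types and controller actions are illustrative.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();   // swap for AddJwtBearer / AddOpenIdConnect as appropriate

builder.Services.AddAuthorization(options =>
{
    // Every endpoint requires an authenticated user unless it opts out with
    // [AllowAnonymous]; forgetting [Authorize] on a new controller is no longer a hole.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Policies state requirements once; controllers refer to them by name.
    options.AddPolicy("CanManageUsers", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("Admin")
              .RequireClaim("permission", "users:write"));

    // Assumed convention: the identity provider records the authentication
    // method in the "amr" claim and uses "mfa" when a second factor was used.
    options.AddPolicy("MfaPassed", policy =>
        policy.RequireClaim("amr", "mfa"));
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class UsersController : Controller
{
    [Authorize(Policy = "CanManageUsers")]
    public IActionResult Delete(int id)
    {
        // ... delete the user (omitted) ...
        return Ok();
    }

    // Sensitive self-service action: require that this session passed MFA.
    [Authorize(Policy = "MfaPassed")]
    public IActionResult ChangePassword() => View();

    // Explicit opt-out from the fallback policy.
    [AllowAnonymous]
    public IActionResult PublicProfile(int id) => View();
}
```

With the fallback policy in place, the review question for each endpoint becomes "why is this one anonymous?" rather than "did anyone remember to protect this one?".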
5. Protect Against Cross-Site Request Forgery (CSRF)
<form asp-action="Save">
@Html.AntiForgeryToken()
</form>
The hidden token in the form is only half of the defence: the server must reject requests whose token is missing or invalid, either with [ValidateAntiForgeryToken] on each state-changing action or with AutoValidateAntiforgeryTokenAttribute registered as a global filter. (The form tag helper already injects the token field when asp-action is used, so @Html.AntiForgeryToken() is redundant there but harmless.) Together they prevent an attacker's page from performing actions on behalf of authenticated users by riding on their session cookie.
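As an added example (not code from the original article), the following wires up the server side: global automatic validation on unsafe HTTP methods, SameSite and Secure flags on the antiforgery cookie, and a small endpoint that hands the request token to JavaScript clients which send it in a header instead of a form field. The header name, endpoint path and controller actions are assumptions.

```csharp
// Added example: server-side antiforgery validation in ASP.NET Core.
// Header name, route and controller actions are illustrative.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // Header a JavaScript client sends when it cannot post a form field.
    options.HeaderName = "X-CSRF-TOKEN";
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Validate on every POST/PUT/PATCH/DELETE automatically rather than relying on
// each developer to remember [ValidateAntiForgeryToken].
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// For SPA/fetch clients: sets the cookie half and returns the request-token
// half, which the client echoes back in the X-CSRF-TOKEN header.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
});

app.MapDefaultControllerRoute();
app.Run();

public class DocumentsController : Controller
{
    // Covered by the global filter: a POST without a valid cookie/token pair
    // is rejected with 400 before this code runs.
    [HttpPost]
    public IActionResult Save(string title)
    {
        // ... persist the document (omitted) ...
        return Ok();
    }

    // Explicit opt-out for an endpoint that is not driven by a browser session,
    // e.g. a webhook authenticated by its own signature or bearer credential.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```

A client-side call would then be: fetch the token once from /antiforgery/token, and include it as the X-CSRF-TOKEN header on every subsequent POST. Endpoints authenticated purely by a bearer token in the Authorization header carry no ambient credential and therefore do not need the antiforgery check; cookie-authenticated ones always do.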
6. Implement Secure File Handling
Restrict file types and sizes.
Store files outside wwwroot (or any directory served by UseStaticFiles) so an uploaded file can never be requested directly.
Always rename files before saving, and take the extension only from an allowlist: Path.GetExtension returns whatever the client sent, and the Content-Type header is equally untrustworthy.
var safeFileName = Guid.NewGuid() + Path.GetExtension(file.FileName);
Reduces the risk of malware uploads, path traversal, and remote code execution from executing or serving an attacker-supplied file.
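The following is an added example, not code from the original article, showing the points above together: an extension allowlist, a check of the file's leading bytes against the signature expected for that extension (ignoring the client's Content-Type), a request size cap, a server-generated name, and a final check that the destination stayed under the storage root. The storage path, the two file signatures and the controller shape are assumptions.

```csharp
// Added example: hardened upload handler for ASP.NET Core MVC.
// Storage root, recognised formats and naming are illustrative choices.
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public class UploadController : Controller
{
    private const long MaxBytes = 5 * 1024 * 1024;

    // Extension -> expected leading bytes. Only these two formats are accepted here;
    // extend the table per application need. Client file name and Content-Type
    // are attacker-controlled and are used only as hints.
    private static readonly Dictionary<string, byte[]> Signatures =
        new(StringComparer.OrdinalIgnoreCase)
        {
            [".png"] = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A },
            [".pdf"] = new byte[] { 0x25, 0x50, 0x44, 0x46 },   // "%PDF"
        };

    private readonly string _storageRoot;

    public UploadController(IConfiguration config)
    {
        // Assumed setting; must point outside wwwroot, e.g. /var/app/uploads.
        _storageRoot = Path.TrimEndingDirectorySeparator(
            Path.GetFullPath(config["Uploads:Root"] ?? "/var/app/uploads"));
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequestSizeLimit(MaxBytes)]   // Kestrel rejects larger bodies before buffering them
    public async Task<IActionResult> Upload(IFormFile file, CancellationToken ct)
    {
        if (file is null || file.Length == 0 || file.Length > MaxBytes)
            return BadRequest("Missing or oversized file.");

        var ext = Path.GetExtension(file.FileName);
        if (!Signatures.TryGetValue(ext, out var magic))
            return BadRequest("File type not allowed.");

        // Check the content, not the label: read the first bytes and compare.
        await using (var stream = file.OpenReadStream())
        {
            var header = new byte[magic.Length];
            int read = await stream.ReadAtLeastAsync(header, magic.Length, false, ct);
            if (read < magic.Length || !header.AsSpan().SequenceEqual(magic))
                return BadRequest("File content does not match its extension.");
        }

        // Server-chosen name drops any path segments or odd characters the client sent.
        var storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        var destination = Path.GetFullPath(Path.Combine(_storageRoot, storedName));

        // Belt and braces: confirm the resolved path is still under the storage root.
        if (!destination.StartsWith(_storageRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return BadRequest("Invalid destination.");

        // CreateNew fails rather than overwriting if the name somehow already exists.
        await using (var output = new FileStream(destination, FileMode.CreateNew, FileAccess.Write))
        {
            await file.CopyToAsync(output, ct);
        }

        // Return the server-side identifier, never the original file name.
        return Ok(new { id = storedName });
    }
}
```

When the file is later served back, send it with a fixed Content-Type chosen from the stored extension and with Content-Disposition: attachment, so that a crafted "image" is downloaded rather than interpreted by the browser in your site's origin.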
7. Use Security Headers
Apply HTTP security headers using middleware:
app.Use(async (context, next) =>
{
    // Indexer assignment overwrites an existing value; IDictionary.Add would
    // throw ArgumentException if another component had already set the header.
    context.Response.Headers["X-Frame-Options"] = "DENY";
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Referrer-Policy"] = "no-referrer";
    await next();
});
These three headers mitigate clickjacking (X-Frame-Options), MIME-type sniffing (nosniff) and leaking URLs to third parties (Referrer-Policy). Mitigating XSS needs a Content-Security-Policy as well, and its frame-ancestors directive is the modern replacement for X-Frame-Options in browsers that support it; keep both.
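As an added example (not code from the original article), here is a version of the middleware that also emits a nonce-based Content-Security-Policy and switches off Kestrel's Server banner. The directive set is a reasonable starting point for a server-rendered MVC app and is an assumption; tighten or relax it per application, and use the HttpContext.Items key shown in the comments from your Razor views.

```csharp
// Added example: security headers with a per-request CSP nonce.
// The directive list and the "csp-nonce" item key are illustrative choices.
using System;
using System.Security.Cryptography;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(k => k.AddServerHeader = false);   // no "Server: Kestrel"
builder.Services.AddControllersWithViews();
var app = builder.Build();

app.Use(async (context, next) =>
{
    // Fresh nonce per response. Views read it via Context.Items["csp-nonce"]
    // and put it on their own <script nonce="..."> tags; any inline script an
    // attacker injects lacks the nonce and is refused by the browser.
    string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    context.Items["csp-nonce"] = nonce;

    var headers = context.Response.Headers;
    headers["X-Content-Type-Options"] = "nosniff";
    headers["Referrer-Policy"] = "no-referrer";
    headers["X-Frame-Options"] = "DENY";     // older browsers; CSP frame-ancestors below covers the rest
    headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    headers["Content-Security-Policy"] =
        "default-src 'self'; " +
        $"script-src 'self' 'nonce-{nonce}'; " +
        "style-src 'self'; " +
        "img-src 'self' data:; " +
        "object-src 'none'; " +
        "base-uri 'self'; " +
        "frame-ancestors 'none'; " +
        "form-action 'self'";

    await next(context);
});

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

In a Razor view the nonce is applied as <script nonce="@Context.Items["csp-nonce"]">...</script>. Roll the policy out with Content-Security-Policy-Report-Only first: a too-strict policy silently breaks third-party widgets and inline handlers, and the report-only header shows what would be blocked without blocking it.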
8. Rate Limiting and Throttling
With the AspNetCoreRateLimit NuGet package, limits are declared in appsettings.json (bound with services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimiting")), registered with services.AddInMemoryRateLimiting(), and enabled with app.UseIpRateLimiting()):
{
  "IpRateLimiting": {
    "EnableEndpointRateLimiting": true,
    "GeneralRules": [
      {
        "Endpoint": "*",
        "Period": "1m",
        "Limit": 100
      }
    ]
  }
}
Since .NET 7 the framework also ships its own Microsoft.AspNetCore.RateLimiting middleware, so no third-party package is required. Either way, rate limiting blunts brute-force and credential-stuffing against login endpoints and protects APIs from resource-exhaustion attacks. Key the limit on the real client address: behind a load balancer, configure the forwarded-headers middleware first, or every client shares the proxy's IP and a single bucket.
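The following is an added example, not code from the original article, using the built-in rate limiter: a global fixed window of 100 requests per minute per client IP (the equivalent of the JSON rule above), a stricter sliding-window policy attached to the login endpoint, a 429 response with Retry-After, and the forwarded-headers configuration needed behind a proxy. The limits, routes and proxy address are assumptions.

```csharp
// Added example: built-in ASP.NET Core rate limiting (.NET 7+), keyed by client IP.
// Limits, route names and the proxy address are illustrative.
using System;
using System.Net;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Behind a load balancer every request would otherwise share the proxy's IP and
// one bucket; accept X-Forwarded-For only from the known proxy (assumed address).
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    o.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
});

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;   // default would be 503

    // Global rule: 100 requests per minute per client IP.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0,   // reject immediately rather than hold connections open
            }));

    // Named policy for credential endpoints: 5 attempts per 5 minutes, sliding window
    // so a burst at a window boundary cannot double the budget.
    options.AddPolicy("login", ctx =>
        RateLimitPartition.GetSlidingWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new SlidingWindowRateLimiterOptions
            {
                PermitLimit = 5,
                Window = TimeSpan.FromMinutes(5),
                SegmentsPerWindow = 5,
                QueueLimit = 0,
            }));

    // Tell well-behaved clients when to come back; say nothing else about the limiter.
    options.OnRejected = async (context, ct) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString();
        await context.HttpContext.Response.WriteAsync("Too many requests.", ct);
    };
});

var app = builder.Build();
app.UseForwardedHeaders();   // before anything that reads RemoteIpAddress
app.UseRateLimiter();

app.MapPost("/login", (LoginRequest req) => Results.Ok())
   .RequireRateLimiting("login");           // login policy on top of the global limit
app.MapGet("/api/items", () => Results.Ok(new[] { "a", "b" }));
app.Run();

public record LoginRequest(string UserName, string Password);
```

Per-IP keys are a floor, not a ceiling: for login, additionally throttle per account name so an attacker spreading attempts across many source addresses still hits a limit, and remember that in-process limiters are per instance, so a horizontally scaled deployment needs a shared store or a limiter at the gateway.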
9. Secure Sensitive Data
Use the Data Protection API for encrypting cookies and tokens; it handles key generation, rotation and purpose isolation so you do not hand-roll AES usage.
Store secrets in Azure Key Vault or AWS Secrets Manager, not appsettings.json. For local development use the Secret Manager tool (dotnet user-secrets), which keeps values outside the project tree.
builder.Configuration.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential());
This call comes from the Azure.Extensions.AspNetCore.Configuration.Secrets package together with Azure.Identity; DefaultAzureCredential uses the managed identity in Azure and your developer login locally, so no credential for the vault itself ends up in configuration. Never hardcode passwords, API keys, or connection strings.
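As an added example (not code from the original article), the following uses the Data Protection API directly to issue and verify a short-lived password-reset token, showing purpose isolation and how tampering or expiry surfaces as a CryptographicException. The key directory, application name and purpose strings are assumptions.

```csharp
// Added example: Data Protection API for a time-limited, purpose-bound token.
// Key directory, application name and purposes are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class ResetTokens
{
    // One provider per process; keys are created and rotated under this directory.
    // In production, persist keys to shared storage and encrypt them at rest
    // (e.g. PersistKeysToAzureBlobStorage + ProtectKeysWithAzureKeyVault).
    private static readonly IDataProtectionProvider Provider =
        DataProtectionProvider.Create(
            new DirectoryInfo("/var/app/dp-keys"),
            o => o.SetApplicationName("shop"));

    // The purpose chain binds the ciphertext to this use: a token protected for
    // ("Account", "PasswordReset") cannot be unprotected by an "EmailConfirmation"
    // protector even though both share the same keyring.
    private static ITimeLimitedDataProtector Protector =>
        Provider.CreateProtector("Account", "PasswordReset").ToTimeLimitedDataProtector();

    // Issue a token carrying the user id that expires after `lifetime`.
    public static string Issue(string userId, TimeSpan lifetime) =>
        Protector.Protect(userId, lifetime);

    // Returns the user id, or null if the token is expired, has been modified,
    // or was produced by a different purpose or application.
    public static string? Verify(string token)
    {
        try
        {
            return Protector.Unprotect(token);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }
}
```

Inside an ASP.NET Core app you would inject IDataProtectionProvider (registered by AddDataProtection) instead of calling DataProtectionProvider.Create, but the purpose and time-limit pattern is the same. The token is opaque to the client: it carries the user id encrypted and authenticated, so a client cannot swap in another user's id, and the lifetime check means a leaked token stops working on its own.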
10. Keep Dependencies and Frameworks Updated
Regularly update the .NET runtime, NuGet packages, and third-party libraries; the runtime receives servicing releases on Microsoft's monthly Patch Tuesday cadence.
Use GitHub Dependabot or OWASP Dependency-Check to identify vulnerabilities. The SDK also has this built in: dotnet list package --vulnerable --include-transitive reports packages with known advisories, and from the .NET 8 SDK onward NuGet audit warns about vulnerable packages on every restore.
Many attacks exploit known vulnerabilities in outdated libraries, and transitive dependencies count just as much as the ones you reference directly.
Conclusion
Security is not a one-time setup: it is a continuous process. By applying these 10 best practices, you can significantly reduce the risk of attacks in your ASP.NET Core MVC and Web API applications.
Always follow the OWASP Top 10 guidelines, perform regular security testing, and stay updated with the latest .NET security patches.