API security is one of the most important parts of modern software development. If your API is not secure, attackers can steal data, access sensitive information, manipulate systems, or even crash your application.<\/p>\n\n\n\n
In this article, we will learn multiple security methods used in ASP.NET Core Web API with easy explanations, real examples, and advanced techniques.<\/p>\n\n\n\n
API Security means protecting your API from:<\/p>\n\n\n\n
Without security:<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
Imagine your banking API has no authentication.<\/p>\n\n\n\n
Anyone can call:<\/p>\n\n\n\n
GET \/api\/account\/balance?id=1<\/code><\/pre>\n\n\n\nHTTP<\/p>\n\n\n\n
Then all customer data becomes public.<\/p>\n\n\n\n
Security Levels in ASP.NET Core API<\/h2>\n\n\n\nLevel<\/th> Security Type<\/th><\/tr> Beginner<\/td> HTTPS, Authentication<\/td><\/tr> Intermediate<\/td> JWT, API Keys, Validation<\/td><\/tr> Advanced<\/td> Rate Limiting, IP Whitelisting<\/td><\/tr> Enterprise<\/td> OAuth2, Zero Trust, WAF<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n1. HTTPS Security (Basic Level)<\/h2>\n\n\n\n
HTTPS encrypts data between client and server.<\/p>\n\n\n\n
Without HTTPS:<\/p>\n\n\n\n
\n- Data travels as plain text.<\/li>\n<\/ul>\n\n\n\n
With HTTPS:<\/p>\n\n\n\n
\n- Data becomes encrypted.<\/li>\n<\/ul>\n\n\n\n
Enable HTTPS in ASP.NET Core<\/h3>\n\n\n\n
In Program.cs:<\/p>\n\n\n\n
var builder = WebApplication.CreateBuilder(args);\n\nbuilder.Services.AddHttpsRedirection(options =>\n{\n options.HttpsPort = 443;\n});\n\nvar app = builder.Build();\n\napp.UseHttpsRedirection();\n\napp.Run();<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
2. Authentication Security<\/h2>\n\n\n\n
Authentication checks:<\/p>\n\n\n\n
\u201cWho are you?\u201d<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
\n- Username + Password<\/li>\n\n\n\n
- WT Token<\/li>\n\n\n\n
- OAuth Login<\/li>\n<\/ul>\n\n\n\n
3. Authorization Security<\/h2>\n\n\n\n
Authorization checks:<\/p>\n\n\n\n
\u201cWhat are you allowed to access?\u201d<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
\n- Admin can delete users<\/li>\n\n\n\n
- User can only view profile<\/li>\n<\/ul>\n\n\n\n
4. JWT Token Authentication<\/h2>\n\n\n\n
JWT (JSON Web Token) is a secure token system used for API authentication.<\/p>\n\n\n\n
JWT Flow<\/h3>\n\n\n\n\n- User logs in<\/li>\n\n\n\n
- Server validates credentials<\/li>\n\n\n\n
- Server generates token<\/li>\n\n\n\n
- Client sends token in every request<\/li>\n<\/ul>\n\n\n\n
Install JWT Package<\/h3>\n\n\n\nInstall-Package Microsoft.AspNetCore.Authentication.JwtBearer<\/code><\/pre>\n\n\n\nPowerShell<\/p>\n\n\n\n
JWT Configuration<\/h3>\n\n\n\n
Program.cs<\/p>\n\n\n\n
using Microsoft.AspNetCore.Authentication.JwtBearer;\nusing Microsoft.IdentityModel.Tokens;\nusing System.Text;\n\nvar builder = WebApplication.CreateBuilder(args);\n\nbuilder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)\n.AddJwtBearer(options =>\n{\n options.TokenValidationParameters = new TokenValidationParameters\n {\n ValidateIssuer = true,\n ValidateAudience = true,\n ValidateLifetime = true,\n ValidateIssuerSigningKey = true,\n\n ValidIssuer = \"MyAPI\",\n ValidAudience = \"MyAPIUser\",\n\n IssuerSigningKey = new SymmetricSecurityKey(\n Encoding.UTF8.GetBytes(\"THIS_IS_SECRET_KEY_123456\"))\n };\n});\n\nvar app = builder.Build();\n\napp.UseAuthentication();\napp.UseAuthorization();\n\napp.Run();<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Generate JWT Token<\/h3>\n\n\n\nusing System.IdentityModel.Tokens.Jwt;\nusing System.Security.Claims;\nusing Microsoft.IdentityModel.Tokens;\nusing System.Text;\n\npublic string GenerateToken(string username)\n{\n var claims = new[]\n {\n new Claim(ClaimTypes.Name, username)\n };\n\n var key = new SymmetricSecurityKey(\n Encoding.UTF8.GetBytes(\"THIS_IS_SECRET_KEY_123456\"));\n\n var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);\n\n var token = new JwtSecurityToken(\n issuer: \"MyAPI\",\n audience: \"MyAPIUser\",\n claims: claims,\n expires: DateTime.Now.AddHours(1),\n signingCredentials: creds);\n\n return new JwtSecurityTokenHandler().WriteToken(token);\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Secure API Controller<\/h3>\n\n\n\n[Authorize]\n[ApiController]\n[Route(\"api\/[controller]\")]\npublic class UserController : ControllerBase\n{\n [HttpGet]\n public IActionResult GetData()\n {\n return Ok(\"Secure Data\");\n }\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
5. API Key Security<\/h2>\n\n\n\n
API Key is a secret key sent in request headers.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
x-api-key: ABC123XYZ<\/code><\/pre>\n\n\n\nMiddleware Example<\/h3>\n\n\n\npublic class ApiKeyMiddleware\n{\n private readonly RequestDelegate _next;\n private const string APIKEY = \"MY_SECRET_KEY\";\n\n public ApiKeyMiddleware(RequestDelegate next)\n {\n _next = next;\n }\n\n public async Task Invoke(HttpContext context)\n {\n if (!context.Request.Headers.TryGetValue(\"x-api-key\", out var extractedApiKey))\n {\n context.Response.StatusCode = 401;\n await context.Response.WriteAsync(\"API Key Missing\");\n return;\n }\n\n if (!APIKEY.Equals(extractedApiKey))\n {\n context.Response.StatusCode = 403;\n await context.Response.WriteAsync(\"Invalid API Key\");\n return;\n }\n\n await _next(context);\n }\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Register Middleware<\/h3>\n\n\n\napp.UseMiddleware<ApiKeyMiddleware>();<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
6. IP Whitelisting Security<\/h2>\n\n\n\n
Only allowed IP addresses can access APIs.<\/p>\n\n\n\n
Example:<\/p>\n\n\n\n
\n- Government APIs<\/li>\n\n\n\n
- Banking APIs<\/li>\n\n\n\n
- Internal APIs<\/li>\n<\/ul>\n\n\n\n
Middleware Example<\/h3>\n\n\n\npublic class IPWhitelistMiddleware\n{\n private readonly RequestDelegate _next;\n\n private readonly List<string> allowedIPs = new()\n {\n \"127.0.0.1\",\n \"192.168.1.10\"\n };\n\n public IPWhitelistMiddleware(RequestDelegate next)\n {\n _next = next;\n }\n\n public async Task Invoke(HttpContext context)\n {\n var remoteIp = context.Connection.RemoteIpAddress?.ToString();\n\n if (!allowedIPs.Contains(remoteIp))\n {\n context.Response.StatusCode = 403;\n await context.Response.WriteAsync(\"IP Not Allowed\");\n return;\n }\n\n await _next(context);\n }\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
7. SQL Injection Protection<\/h2>\n\n\n\nDangerous Code<\/h3>\n\n\n\n
\u274c Wrong:<\/p>\n\n\n\n
string query = \"SELECT * FROM Users WHERE Name='\" + username + \"'\";<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Attacker Input:<\/p>\n\n\n\n
' OR 1=1 --<\/code><\/pre>\n\n\n\nSQL<\/p>\n\n\n\n
This can expose all records.<\/p>\n\n\n\n
Secure Code<\/h3>\n\n\n\n
\u2705 Correct:<\/p>\n\n\n\n
SqlCommand cmd = new SqlCommand(\n\"SELECT * FROM Users WHERE Name=@Name\", conn);\ncmd.Parameters.AddWithValue(\"@Name\", username);<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
8. Password Hashing Security<\/h2>\n\n\n\nNever Store Plain Passwords<\/h3>\n\n\n\n
\u274c Wrong:<\/p>\n\n\n\n
Password = 123456<\/code><\/pre>\n\n\n\n\u2705 Correct:<\/p>\n\n\n\n
Password = Hashed Value<\/code><\/pre>\n\n\n\nPassword Hashing Example<\/h3>\n\n\n\nusing BCrypt.Net;\nstring hash = BCrypt.Net.BCrypt.HashPassword(\"123456\");\nbool verify = BCrypt.Net.BCrypt.Verify(\"123456\", hash);<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
9. Rate Limiting Protection<\/h2>\n\n\n\n
Limits number of requests.<\/p>\n\n\n\n
Protects from:<\/p>\n\n\n\n
\n- DDoS<\/li>\n\n\n\n
- Spam<\/li>\n\n\n\n
- Brute-force attacks<\/li>\n<\/ul>\n\n\n\n
ASP.NET Core Rate Limiting<\/h3>\n\n\n\n
Program.cs<\/p>\n\n\n\n
builder.Services.AddRateLimiter(options =>\n{\n options.AddFixedWindowLimiter(\"fixed\", opt =>\n {\n opt.PermitLimit = 10;\n opt.Window = TimeSpan.FromMinutes(1);\n });\n});\n\napp.UseRateLimiter();<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Apply Rate Limit<\/h3>\n\n\n\n[EnableRateLimiting(\"fixed\")]\n[HttpGet]\npublic IActionResult Get()\n{\n return Ok();\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
10. CORS Security<\/h2>\n\n\n\n
CORS controls which frontend domains can access API.<\/p>\n\n\n\n
Enable Secure CORS<\/h3>\n\n\n\nbuilder.Services.AddCors(options =>\n{\n options.AddPolicy(\"AllowMyApp\",\n policy =>\n {\n policy.WithOrigins(\"https:\/\/myapp.com\")\n .AllowAnyHeader()\n .AllowAnyMethod();\n });\n});\n\napp.UseCors(\"AllowMyApp\");<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
11. Request Validation Security<\/h2>\n\n\n\n
Validate incoming data.<\/p>\n\n\n\n
Example<\/h3>\n\n\n\npublic class LoginModel\n{\n [Required]\n public string Username { get; set; }\n\n [Required]\n [MinLength(6)]\n public string Password { get; set; }\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
12. Secure Headers<\/h2>\n\n\n\nAdd Security Headers<\/h3>\n\n\n\napp.Use(async (context, next) =>\n{\n context.Response.Headers.Add(\"X-Frame-Options\", \"DENY\");\n context.Response.Headers.Add(\"X-XSS-Protection\", \"1; mode=block\");\n context.Response.Headers.Add(\"X-Content-Type-Options\", \"nosniff\");\n\n await next();\n});<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
13. Logging and Monitoring<\/h2>\n\n\n\nWhy Important?<\/h3>\n\n\n\n
Detect:<\/p>\n\n\n\n
\n- Hacking attempts<\/li>\n\n\n\n
- Failed logins<\/li>\n\n\n\n
- Suspicious activities<\/li>\n<\/ul>\n\n\n\n
Example<\/h3>\n\n\n\ntry\n{\n \/\/ code\n}\ncatch(Exception ex)\n{\n _logger.LogError(ex.Message);\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
14. Swagger Security<\/h2>\n\n\n\nProtect Swagger in Production<\/h3>\n\n\n\nif (app.Environment.IsDevelopment())\n{\n app.UseSwagger();\n app.UseSwaggerUI();\n}<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
15. OAuth2 Security (Advanced)<\/h2>\n\n\n\n
OAuth2 allows login using:<\/p>\n\n\n\n
\n- Google<\/li>\n\n\n\n
- Microsoft<\/li>\n\n\n\n
- Facebook<\/li>\n\n\n\n
- GitHub<\/li>\n<\/ul>\n\n\n\n
Used in enterprise systems.<\/p>\n\n\n\n
16. Refresh Token Security<\/h2>\n\n\n\nWhy Needed?<\/h3>\n\n\n\n
JWT expires quickly.<\/p>\n\n\n\n
Refresh Token helps generate new token without login.<\/p>\n\n\n\n
17. Data Encryption<\/h2>\n\n\n\nEncrypt Sensitive Data<\/h3>\n\n\n\n
Example:<\/p>\n\n\n\n
\n- Aadhaar Number<\/li>\n\n\n\n
- PAN Number<\/li>\n\n\n\n
- Bank Details<\/li>\n<\/ul>\n\n\n\n
AES Encryption Example<\/h3>\n\n\n\nusing System.Security.Cryptography;<\/code><\/pre>\n\n\n\nC#<\/p>\n\n\n\n
Use AES encryption for highly sensitive data.<\/p>\n\n\n\n
18. CSRF Protection<\/h2>\n\n\n\n
Stops fake requests from external websites.<\/p>\n\n\n\n
Mostly important in cookie-based authentication.<\/p>\n\n\n\n
19. Security Best Practices<\/h2>\n\n\n\nBest Practice<\/th> Description<\/th><\/tr> Use HTTPS<\/td> Encrypt communication<\/td><\/tr> Use JWT<\/td> Secure authentication<\/td><\/tr> Use Hashing<\/td> Protect passwords<\/td><\/tr> Validate Inputs<\/td> Stop invalid data<\/td><\/tr> Use Parameterized Queries<\/td> Stop SQL Injection<\/td><\/tr> Use Rate Limiting<\/td> Prevent abuse<\/td><\/tr> Enable Logging<\/td> Detect attacks<\/td><\/tr> Restrict Swagger<\/td> Protect API docs<\/td><\/tr> Use CORS<\/td> Restrict domains<\/td><\/tr> Use IP Whitelist<\/td> Restrict access<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n20. Enterprise-Level Security Architecture<\/h2>\n\n\n\nRecommended Flow<\/h3>\n\n\n\nClient App\n \u2193\nAPI Gateway\n \u2193\nWAF Firewall\n \u2193\nRate Limiter\n \u2193\nJWT Authentication\n \u2193\nAuthorization\n \u2193\nController\n \u2193\nDatabase<\/code><\/pre>\n\n\n\n21. Common API Attacks<\/h2>\n\n\n\nAttack<\/th> Solution<\/th><\/tr> SQL Injection<\/td> Parameterized Query<\/td><\/tr> XSS<\/td> Encode Output<\/td><\/tr> Brute Force<\/td> Rate Limiting<\/td><\/tr> Token Theft<\/td> HTTPS<\/td><\/tr> DDoS<\/td> Firewall + Rate Limit<\/td><\/tr> CSRF<\/td> Anti-Forgery Token<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n22. Example of Fully Secure API Request<\/h2>\n\n\n\nPOST \/api\/user\/profile\nHost: example.com\nAuthorization: Bearer TOKEN\nx-api-key: APIKEY123\nContent-Type: application\/json<\/code><\/pre>\n\n\n\nHTTP<\/p>\n\n\n\n
23. Advanced Enterprise Security Features<\/h2>\n\n\n\nMulti-Factor Authentication (MFA)<\/h3>\n\n\n\n
Extra security layer:<\/p>\n\n\n\n
\n- OTP<\/li>\n\n\n\n
- Email verification<\/li>\n\n\n\n
- Authenticator apps<\/li>\n<\/ul>\n\n\n\n
Device Tracking<\/h3>\n\n\n\n
Track:<\/p>\n\n\n\n
\n- IP<\/li>\n\n\n\n
- Browser<\/li>\n\n\n\n
- Device ID<\/li>\n<\/ul>\n\n\n\n
Audit Trail<\/h3>\n\n\n\n
Store:<\/p>\n\n\n\n
\n- Login history<\/li>\n\n\n\n
- User actions<\/li>\n\n\n\n
- Data changes<\/li>\n<\/ul>\n\n\n\n
24. Recommended Security Packages<\/h2>\n\n\n\nPackage<\/th> Use<\/th><\/tr> Microsoft.AspNetCore.Authentication.JwtBearer<\/td> JWT<\/td><\/tr> BCrypt.Net<\/td> Password Hashing<\/td><\/tr> Serilog<\/td> Logging<\/td><\/tr> FluentValidation<\/td> Validation<\/td><\/tr> AspNetCoreRateLimit<\/td> Rate Limiting<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n25. Final Recommended Secure Setup<\/h2>\n\n\n\n
For production ASP.NET Core API:<\/p>\n\n\n\n
\u2705 HTTPS
\u2705 JWT Authentication
\u2705 API Key
\u2705 IP Whitelist
\u2705 Rate Limiting
\u2705 Logging
\u2705 SQL Injection Protection
\u2705 Password Hashing
\u2705 CORS
\u2705 Secure Headers
\u2705 Audit Logs
\u2705 Encryption<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
API security is not a single feature.<\/p>\n\n\n\n
It is a combination of:<\/p>\n\n\n\n
\n- Authentication<\/li>\n\n\n\n
- Authorization<\/li>\n\n\n\n
- Encryption<\/li>\n\n\n\n
- Validation<\/li>\n\n\n\n
- Monitoring<\/li>\n\n\n\n
- Network protection<\/li>\n<\/ul>\n\n\n\n
A secure ASP.NET Core API should always follow layered security architecture.<\/p>\n\n\n\n
Even if one layer fails, another layer should protect the system.<\/p>\n\n\n\n
Real-World Example<\/h2>\n\n\n\n
A Banking API may use:<\/p>\n\n\n\n
\n- HTTPS<\/li>\n\n\n\n
- JWT<\/li>\n\n\n\n
- API Key<\/li>\n\n\n\n
- IP Whitelist<\/li>\n\n\n\n
- Rate Limiting<\/li>\n\n\n\n
- Encryption<\/li>\n\n\n\n
- MFA<\/li>\n\n\n\n
- Audit Logs<\/li>\n<\/ul>\n\n\n\n
All together for maximum protection.<\/p>\n\n\n\n
Interview Questions<\/h2>\n\n\n\nQ1. What is JWT?<\/h3>\n\n\n\n
JWT is a token-based authentication mechanism used to securely transfer user identity between client and server.<\/p>\n\n\n\n
Q2. Difference between Authentication and Authorization?<\/h3>\n\n\n\nAuthentication<\/th> Authorization<\/th><\/tr> Who are you?<\/td> What can you access?<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nQ3. How to prevent SQL Injection?<\/h3>\n\n\n\n
Use:<\/p>\n\n\n\n
\n- Parameterized queries<\/li>\n\n\n\n
- ORM frameworks<\/li>\n\n\n\n
- Input validation<\/li>\n<\/ul>\n\n\n\n
Q4. Why HTTPS is important?<\/h3>\n\n\n\n
HTTPS encrypts communication and protects data from attackers.<\/p>\n\n\n\n
End Result<\/h2>\n\n\n\n
After implementing these methods, your ASP.NET Core API becomes:<\/p>\n\n\n\n
\u2705 Secure<\/p>\n\n\n\n
\u2705 Scalable<\/p>\n\n\n\n
\u2705 Enterprise Ready<\/p>\n\n\n\n
\u2705 Production Ready<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
API security is one of the most important parts of modern software development. If your API is not secure, attackers can steal data, access sensitive information, manipulate systems, or even crash your application. In this article, we will learn multiple security methods used in ASP.NET Core Web API with easy explanations, real examples, and advanced<\/p>\n","protected":false},"author":1,"featured_media":106,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-102","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/posts\/102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=102"}],"version-history":[{"count":1,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/posts\/102\/revisions\/104"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=\/wp\/v2\/media\/106"}],"wp:attachment":[{"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.vigplanet.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}