This page lists the posts published in the category 'Security'.

Stop using IntPtr for dealing with system handles

When using system handles such as file handles, process handles, or any other handle provided by the kernel, you must take care to release them correctly once you no longer need them. Native APIs usually provide a function to obtain a handle and a function to release it, plus a few functions to work with the resource. For instance, you can get a file handle using CreateFile, release… [read more]
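The point of the post is that a raw IntPtr gives the runtime nothing to work with: it cannot close the handle for you, it cannot stop a double close, and it cannot prevent the handle from being recycled under a racing caller. The following is an added example (not code from the post) showing the same CreateFile/ReadFile calls with the handle wrapped in SafeFileHandle; the P/Invoke declarations follow the documented kernel32 signatures and the class and method names are ours. It is Windows-only.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

static class NativeMethods
{
    public const uint GENERIC_READ = 0x80000000;
    public const uint FILE_SHARE_READ = 0x00000001;
    public const uint OPEN_EXISTING = 3;

    // Returning SafeFileHandle (instead of IntPtr) lets the marshaller store the raw
    // handle inside the SafeHandle atomically, so an exception between the call and
    // the assignment can no longer leak the kernel object.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern SafeFileHandle CreateFileW(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    // Taking SafeFileHandle as a parameter makes the runtime add a reference to the
    // handle for the duration of the call, which blocks the use-after-close race in
    // which another thread closes the handle while this call is in flight.
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool ReadFile(
        SafeFileHandle hFile, byte[] lpBuffer, uint nNumberOfBytesToRead,
        out uint lpNumberOfBytesRead, IntPtr lpOverlapped);
}

static class Program
{
    // With a raw IntPtr this method would need a try/finally around CloseHandle, and
    // nothing would stop a caller from closing the same value twice. With
    // SafeFileHandle, Dispose (or the finalizer as a backstop) calls CloseHandle
    // exactly once, whatever path leaves the method.
    static int ReadFirstBytes(string path, byte[] buffer)
    {
        using (SafeFileHandle h = NativeMethods.CreateFileW(
            path, NativeMethods.GENERIC_READ, NativeMethods.FILE_SHARE_READ,
            IntPtr.Zero, NativeMethods.OPEN_EXISTING, 0, IntPtr.Zero))
        {
            // CreateFile signals failure with INVALID_HANDLE_VALUE; SafeFileHandle
            // exposes that as IsInvalid. Read the error code before any other call.
            if (h.IsInvalid)
                throw new Win32Exception(Marshal.GetLastWin32Error());

            if (!NativeMethods.ReadFile(h, buffer, (uint)buffer.Length, out uint read, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            return (int)read;
        } // handle closed here, even if ReadFile threw
    }

    static void Main()
    {
        // Constructed sample input: a temporary file we create and delete ourselves.
        string tmp = Path.GetTempFileName();
        File.WriteAllText(tmp, "hello handles");
        var buf = new byte[32];
        int n = ReadFirstBytes(tmp, buf);
        Console.WriteLine($"read {n} bytes: {Encoding.ASCII.GetString(buf, 0, n)}");
        File.Delete(tmp);
    }
}
```

When an API hands out a handle type that has no built-in SafeHandle subclass, derive your own from SafeHandleZeroOrMinusOneIsInvalid and put the matching release call in ReleaseHandle; the same guarantees then apply.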

JWT authentication with ASP.NET Core

In a previous post, I wrote about using cookie authentication for an ASP.NET Core web site. Authenticating a user with a cookie is common for a web site. For an API, however, it's more common to use a token. JSON Web Token (JWT) is a standard way to create and validate such a token. In this post, we'll see how to use JWT with ASP.NET Core to authenticate users. While the client can be any… [read more]
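To make the two halves of the post concrete (creating a token at login, validating it on every API request), here is an added example that is not the post's own code. The issuer, audience and signing key are constructed placeholders; in a real deployment the key comes from configuration or a secret store, never from source. It relies on the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtConfig
{
    // Hypothetical values for the example.
    public const string Issuer = "https://auth.example.com";
    public const string Audience = "my-api";

    // HS256 requires a key of at least 128 bits; use 256 bits of real randomness.
    public static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("placeholder-secret-at-least-32-bytes-long!!"));

    // One set of rules shared by the middleware and by Validate() below, so a token
    // accepted offline is exactly a token the API would accept.
    public static TokenValidationParameters Parameters => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = Issuer,
        ValidateAudience = true,
        ValidAudience = Audience,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = Key,
        ValidateLifetime = true,
        RequireExpirationTime = true,
        ClockSkew = TimeSpan.FromSeconds(30), // the library default is 5 minutes
    };

    // Called by the login endpoint once the user's credentials have been verified.
    public static string Issue(string userId, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            },
            notBefore: now,
            expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // What the JwtBearer middleware does for every "Authorization: Bearer <token>" header.
    // Returns null for a tampered, expired or foreign token instead of throwing.
    public static ClaimsPrincipal Validate(string token)
    {
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(token, Parameters, out _);
        }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        {
            return null;
        }
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options => options.TokenValidationParameters = JwtConfig.Parameters);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // before UseMvc, so [Authorize] sees the principal
        app.UseMvc();
    }
}
```

Keep token lifetimes short (minutes, not days): unlike a cookie backed by a server-side session, a signed JWT cannot be revoked before it expires unless you also track its jti claim server-side.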

Validating user with cookie authentication in ASP.NET Core 2

In a previous post, I wrote about cookie authentication in ASP.NET Core 2. The cookie authentication does two things: it writes a cookie containing encrypted data when the user logs in, and on later requests it reads the cookie, decrypts it, and sets the request identity (Request.User.Identity). When it reads the cookie and sets the identity, it doesn't check that the user still exists. For instance, John logs in on browser A, then he deletes… [read more]
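The hook the cookie middleware offers for this check is the OnValidatePrincipal event, which runs on every request carrying a decryptable cookie, just before the identity is set. Here is an added example (not the post's code) that rejects the cookie when the user no longer exists or when a per-user "security stamp" has changed; IUserStore, AppUser and the claim name "security_stamp" are hypothetical application types introduced for the example.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user model: the stamp is rotated on password change, role change or
// account lockout, so rotating it invalidates every cookie issued before that point.
public class AppUser
{
    public string Id { get; set; }
    public string SecurityStamp { get; set; }
}

public interface IUserStore
{
    Task<AppUser> FindByIdAsync(string id);
}

// Constructed in-memory store so the example runs without a database.
public class InMemoryUserStore : IUserStore
{
    private readonly Dictionary<string, AppUser> _users = new Dictionary<string, AppUser>
    {
        ["john"] = new AppUser { Id = "john", SecurityStamp = "stamp-1" },
    };

    public Task<AppUser> FindByIdAsync(string id)
        => Task.FromResult(_users.TryGetValue(id, out var user) ? user : null);

    public void Delete(string id) => _users.Remove(id);
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<InMemoryUserStore>();
        services.AddSingleton<IUserStore>(sp => sp.GetRequiredService<InMemoryUserStore>());

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Events = new CookieAuthenticationEvents
                {
                    OnValidatePrincipal = async context =>
                    {
                        var store = context.HttpContext.RequestServices.GetRequiredService<IUserStore>();
                        var id = context.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        var stamp = context.Principal.FindFirst("security_stamp")?.Value;
                        var user = id == null ? null : await store.FindByIdAsync(id);

                        // John was deleted (or his stamp rotated) after the cookie was
                        // issued: drop the principal so this request runs anonymous,
                        // and clear the cookie so the browser stops sending it.
                        if (user == null || user.SecurityStamp != stamp)
                        {
                            context.RejectPrincipal();
                            await context.HttpContext.SignOutAsync(
                                CookieAuthenticationDefaults.AuthenticationScheme);
                        }
                    }
                };
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

For this to work, the login code must add the NameIdentifier and "security_stamp" claims when it calls SignInAsync. The check costs one store lookup per authenticated request; if that is too expensive, cache the stamps or run the lookup only when the cookie is older than a few minutes.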

Enable the BitLocker XTS-AES 256 encryption algorithm

Windows 10 version 1511 introduced a new BitLocker encryption algorithm, XTS-AES. XTS is an AES mode of operation designed specifically for disk encryption. By default, Windows 10 1511 uses XTS-AES 128 to encrypt your drives. If you want to protect sensitive data, you may prefer XTS-AES 256. Note that the policy only applies to drives encrypted after it is set; a drive that is already encrypted keeps its current algorithm until it is decrypted and encrypted again. Let's see how to enable it. Open the Local Group Policy Editor Select Computer Configuration… [read more]

Adding a free SSL certificate to a website hosted on nginx using Let's Encrypt

In the previous post, I showed how to publish an ASP.NET Core website to Linux. In this post, I'll show you how to secure your website with a free SSL/TLS certificate from Let's Encrypt. Get a free certificate using Let's Encrypt: certbot is the client recommended by Let's Encrypt for obtaining and renewing certificates. First, you need to install it: sudo add-apt-repository ppa:certbot/certbot sudo apt-get update… [read more]

Improve the security of your website using SSL and HSTS with ASP.NET Core

Using HTTPS on your website provides additional protection for your users: confidentiality, integrity and authentication. With Let's Encrypt you can get a free certificate and start using HTTPS. If you aren't using HTTPS yet, read my previous blog post about setting up Let's Encrypt for your website. But HTTPS isn't perfect, and researchers have found multiple attacks against it: CRIME, BEAST, POODLE or SSL… [read more]
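HSTS closes the gap those downgrade attacks rely on: once a browser has seen the Strict-Transport-Security header over HTTPS, it refuses to talk plain HTTP to that host for max-age seconds, so an attacker on the path can no longer strip TLS from the first request. The following is an added example, not the post's code, using the HSTS and HTTPS-redirection middleware that ship with ASP.NET Core 2.1 and later; the port and durations are assumptions for the example.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHsts(options =>
        {
            // A year is what the preload list requires; start with a few minutes
            // while testing, because browsers honour whatever you send and you
            // cannot take it back from clients that already received it.
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            // Only set Preload after every host under the domain serves HTTPS and
            // you have submitted the domain at hstspreload.org.
            options.Preload = false;
            // Localhost, 127.0.0.1 and [::1] are excluded by default so a dev machine
            // does not end up pinned to HTTPS for every local project.
        });

        services.AddHttpsRedirection(options =>
        {
            // 308 keeps the method and body on redirect (307 would also do; 301
            // changes POST to GET in some clients).
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443; // assumption: standard port
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // Emits Strict-Transport-Security only on responses served over HTTPS;
            // browsers ignore the header on plain HTTP anyway.
            app.UseHsts();
        }

        // Redirect http:// to https:// so the first visit reaches a page that can
        // set the HSTS policy at all.
        app.UseHttpsRedirection();
        app.UseMvc();
    }
}
```

A quick check after deploying: `curl -sI https://your-host/ | grep -i strict-transport-security` should show the header with the max-age you configured, and `curl -sI http://your-host/` should return the 308 with a Location header pointing at https://.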

Improve the login experience with the Credential Management API

Many web sites require users to log in to access their resources. From the user's point of view, the login process can be confusing, even more so when the site accepts both a login/password form and social providers (Microsoft, Google, Facebook, etc.). For instance, some users enter their Google credentials in the username/password form instead of clicking the Google button, or they don't remember… [read more]