-
Notifications
You must be signed in to change notification settings - Fork 1
#63 secure user registration
Ahmad Bin Amzah - 24/03/2019
Exploring methods to securely send a user registration page which is using ASP.NET Core.
- Microsoft Docs (Microsoft Documentation)
Sending data over the internet without any security controls is unwise especially when handling private user information and credentials as there are regulatory and legal requirements that ensures internet security is not compromised. After researching, the conclusion reached is to enforce HTTPS onto web applications.
HTTPS ensures that data sent is kept private by encrypting data in transit, meaning no one can eavesdrop onto a connection between the client and the host. HTTPS requires SSL certificates which can be obtained for free utilising automated Certificate Authorities such as “Let’s Encrypt”. SSL certs can be obtained via https://certbot.eff.org/ and following the instructions provided after selecting the appropriate server OS and software. For development/test purposes, self-signed certificates can be used to test whether HTTPS has been configured correctly without the need to obtain SSL certs. This can be enabled through command prompt with the following .NET command.
dotnet dev-certs https --trustAfter obtaining an SSL certificate, HTTPS will need to be configured and enforced through the following;
- Add the “UseHttpsRedirection” call in the “startup” class within the “Configure” function.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseMvc();
}- The HTTPS port needs to be specified via one of the following methods;
- Using “AddHttpsRedirection” in “startup”
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddHsts(options =>
{
options.Preload = true;
options.IncludeSubDomains = true;
options.MaxAge = TimeSpan.FromDays(60);
options.ExcludedHosts.Add("example.com");
options.ExcludedHosts.Add("www.example.com");
});
services.AddHttpsRedirection(options =>
{
options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
options.HttpsPort = 5001;
});
}- Setting the “https_port”
public class Program
{
public static void Main(string[] args)
{
CreateWebHostBuilder(args).Build().Run();
}
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseSetting("https_port", "8080")
.UseStartup<Startup>();
}With HTTPS set up, all that is left is to bind the SSL cert to the website (if self-signed certs are not being used and the webpage needs to be tested on a server). Different methods apply when binding SSL certs based on the web server/service used.
Whilst HTTPS does protect data in transit through encryption, it does not secure the endpoints of communication, meaning compromised devices and malicious links could enable attackers access to user information and data. Therefore, there are other controls that could be implemented to further secure the user registration from attacks. These could include;
-
Preventing Open Redirect Attacks – Attackers can use the querystring “returnUrl” to redirect users to malicious sites. To prevent this, one of the methods described in this documentation will check if the redirected url is local.
-
Preventing Cross-Site Request Forgery – Attacks which exploit the authenticated session between a client and a host, hijacking it and using it to perform any action that the user/client is allowed to perform on the website/server. Antiforgery can be configured to counter this attack.
-
Prevent Cross-Site Scripting (XSS) – A vulnerability which enables attackers to execute client-side scripts when users load into affected web pages, which then enables attackers to steal cookies and session tokens, change the contents of the web page and redirect users to a malicious page. Some methods to counteract this vulnerability is describe in this article.
About
Documents
-
AWS
-
Other
-
REST
-
Nectar
-
Rancher
-
ASP.NET
-
Data
-
Blockchains
-
Processes