Security in .NET MVC Core applications

Security of any application is a major concern in today's world of technology. Insecure applications lead to data loss, business loss, loss of privacy, financial losses and many other losses that are encountered in day-to-day life. Nowadays all applications are accessed over the internet and are distributed throughout the world. A web application hosted on the internet needs to be safeguarded against unauthorised access or hackers, so security features are required to be embedded into it.

Security :- Security means protecting something from the outside world or from unauthorised access. Application security is the protection of an application from unauthorised access; stealing of sensitive information, hijacking the network, viruses and trojan horses are the key security threats.
While sending sensitive data from one network to another, a man in the middle can steal this information and use it if it is not encrypted, so encryption of data is a must for every application.

Do's and Don'ts for Security Implementation :-

  • Cross Site Scripting :- Cross Site Scripting is a security vulnerability in which attackers intentionally place client-side scripts in a web page through inputs/form fields, steal the cookies and session tokens, and redirect the user to another page.
  • SQL Injection :- In ADO.Net code where in-line queries are used for data manipulation, application input parameters are sent from the code to the DB as part of the query text without stored procedures, so attackers can easily inject their own data into the database and breach the DB security as well as the application security.
    Always use stored procedures to avoid SQL injection.
  • Cross Site Request Forgery :- In Cross Site Request Forgery, attackers send forged requests to a site where end users are logged in with a current session, and to the end user it seems the same as what they are working on. Attackers use social engineering in this type of attack. We can prevent it by using an AntiForgeryToken in every request.
  • Authentication :- Authentication is the process in which we identify an authentic user by cross-checking the credentials they enter against a database or password vault. With authentication only valid users can log into the application and access it.
  • Data Encryption :- It is a technique in which we convert original data into another, unreadable format using key pairs and cryptographic algorithms.
  • Safeguard application secrets :- Application secrets are the keys to enter any application, so it is most important to safeguard them from being stolen.
    Nowadays in the cloud we can store our secrets in the Secret Manager in encrypted form, or we can store them in a password vault and access them with some kind of token, which provides an extra security layer to the application's secrets.
  • Open Redirect Attacks :- In an open redirect attack a hacker uses the redirect link provided in the query string for the redirected page, sends the same link to end users, and when end users click on it they are redirected to the attacker's website and fill in the requested details. Using LocalRedirect we can protect against it in ASP.NET Core applications.
  • Enforce Https :- When a user hits the URL using the HTTP protocol, which is not secure, the application will force a redirect to HTTPS. HTTPS is the secure protocol and provides SSL security to applications.
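The ASP.NET Core pieces named in the list above (global anti-forgery validation, LocalRedirect for the query-string return URL, a stored procedure called with parameters instead of an in-line query, and HTTPS redirection) shown together in one added example. This is illustration code written for this article, not the author's project code; it assumes the Microsoft.Data.SqlClient package, a connection string named "Default" in configuration, and a hypothetical stored procedure dbo.ValidateUser that returns 1 for valid credentials.

```csharp
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

// Program.cs: every unsafe verb (POST/PUT/DELETE) must carry a valid anti-forgery token,
// plain-http requests are redirected to https, and HSTS tells browsers to stay on https.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
var app = builder.Build();
app.UseHsts();
app.UseHttpsRedirection();
app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    // Connection string comes from configuration (Secret Manager / vault), never from source code.
    private readonly string _connectionString;

    public AccountController(IConfiguration config) =>
        _connectionString = config.GetConnectionString("Default");

    // returnUrl arrives in the query string, which is exactly the open-redirect input.
    [HttpPost]
    public IActionResult Login(string userName, string password, string returnUrl)
    {
        if (!LookupUser(userName, password))
            return View();

        // Url.IsLocalUrl rejects absolute and protocol-relative URLs; LocalRedirect additionally
        // throws if a non-local URL slips through, so the user can never be sent to another host.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Stored procedure with typed parameters: the user input is sent as data, never spliced
    // into SQL text the way an in-line "... WHERE UserName = '" + userName + "'" query would be.
    private bool LookupUser(string userName, string password)
    {
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand("dbo.ValidateUser", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 256).Value = password; // procedure hashes and compares
        conn.Open();
        return Convert.ToInt32(cmd.ExecuteScalar()) == 1;
    }
}
```

The Razor form posting to Login must include @Html.AntiForgeryToken() (or use a tag-helper form, which emits it automatically); otherwise the global filter rejects the request with HTTP 400.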



About the Author
Sudheer Singh Chouhan is a Software Engineer with expertise in development, design and architecting of applications, project management, and designing large-scale databases in SQL Server for the last 17 years.
Skill Sets :- Microsoft .NET technologies like ASP.NET Core, Web API, LINQ, Web Forms, WinForms, SQL Server, Entity Framework, Design Patterns, SOLID Principles, Microservices, AWS Cloud.