How to create a secure ASP.NET Web API controller

Hi,

Here is some code that defines a base response class and uses it in an ASP.NET Web API controller to send a response with a session cookie and a set of security headers.

The code defines a BaseResponse<T> class with a Status flag and a Data property of type T. It assumes you have a service IDatabaseService with a method CheckIfExists that reports whether an ID exists in the database. The Post method of MyController accepts an ID from the request body, checks it against the database, and returns an HttpResponseMessage with status 200 OK whose content is the JSON-serialized BaseResponse<string>: Status holds the result of the lookup and Data echoes the ID that was posted.

A new GUID is generated as the session ID and added to the response as a cookie. The cookie's HttpOnly attribute is set to true, so client-side script cannot read it, which limits what an XSS bug in the front end can steal. Secure is set to true, so the browser only sends the cookie over HTTPS; please note that this attribute has no effect if your application is not served over HTTPS. Expires is set to one hour from now, after which the browser discards the cookie.

Several security headers are then added. X-Content-Type-Options is set to nosniff, which stops the browser from guessing a MIME type and treating a response as something other than its declared Content-Type. X-Frame-Options is set to SAMEORIGIN, which forbids displaying the page in a frame or iframe from any origin other than its own and so defends against clickjacking. Content-Security-Policy is set to default-src 'self', which only allows resources (scripts, styles, images and so on) loaded from the same origin; inline scripts and scripts from other hosts are blocked. Strict-Transport-Security is set to max-age=31536000; includeSubDomains, which tells the browser to use only HTTPS for this domain and its subdomains for the next year. Browsers ignore this header when it arrives over plain HTTP, so, like the Secure cookie flag, it only helps once the site is actually served over HTTPS.

using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Newtonsoft.Json;

// Envelope returned by the action: Status says whether the lookup succeeded,
// Data carries the payload.
public class BaseResponse<T>
{
    public bool Status { get; set; }
    public T Data { get; set; }
}

// Lookup service the controller depends on. The post only names it; this is the
// assumed shape, and an implementation is supplied by your DI container.
public interface IDatabaseService
{
    Task<bool> CheckIfExists(string id);
}

public class MyController : ApiController
{
    private readonly IDatabaseService _databaseService;

    public MyController(IDatabaseService databaseService)
    {
        _databaseService = databaseService;
    }

    // Web API binds a simple type from the body only when the body is a JSON string
    // literal, e.g. "abc123" with Content-Type: application/json.
    public async Task<HttpResponseMessage> Post([FromBody] string id)
    {
        // Reject an empty body instead of passing null to the database layer.
        if (string.IsNullOrWhiteSpace(id))
        {
            return Request.CreateResponse(HttpStatusCode.BadRequest,
                new BaseResponse<string> { Status = false, Data = null });
        }

        var exists = await _databaseService.CheckIfExists(id);

        var response = new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StringContent(
                JsonConvert.SerializeObject(new BaseResponse<string> { Status = exists, Data = id }),
                Encoding.UTF8, "application/json")
        };

        // Session cookie: HttpOnly keeps it away from script, Secure restricts it to HTTPS,
        // Path scopes it to the whole site, and it expires one hour from now (UTC).
        var newSessionId = Guid.NewGuid().ToString();
        var cookie = new CookieHeaderValue("session-id", newSessionId)
        {
            HttpOnly = true,
            Secure = true,
            Path = "/",
            Expires = DateTimeOffset.UtcNow.AddHours(1)
        };
        response.Headers.AddCookies(new[] { cookie });

        // Security headers (explained above).
        response.Headers.Add("X-Content-Type-Options", "nosniff");
        response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
        response.Headers.Add("Content-Security-Policy", "default-src 'self'");
        response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");

        return response;
    }
}
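The controller above sets its headers inside one action, so every other action would have to repeat them. As an added example (my own code, not part of the original post), here is the same hardening applied once for the whole API through a DelegatingHandler, plus a session-cookie helper that fills two gaps in the version above: CookieHeaderValue has no SameSite property, so the Set-Cookie header is written by hand, and the session ID comes from the OS cryptographic RNG rather than Guid.NewGuid(). SecurityHeadersHandler, SessionCookie, WebApiConfig and the __Host-session-id cookie name are my own; everything else is the standard ASP.NET Web API 2 API. The handler also emits Strict-Transport-Security only on HTTPS requests, since browsers ignore it otherwise.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example, not code from the original post.
// Runs after every action and adds the hardening headers to the outgoing response.
public class SecurityHeadersHandler : DelegatingHandler
{
    // Headers that are safe to send unconditionally on every response.
    private static readonly Dictionary<string, string> StaticHeaders = new Dictionary<string, string>
    {
        { "X-Content-Type-Options", "nosniff" },
        { "X-Frame-Options", "SAMEORIGIN" },
        // frame-ancestors is the CSP counterpart of X-Frame-Options in browsers that honour it.
        { "Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'" },
        { "Referrer-Policy", "no-referrer" }
    };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);

        foreach (var header in StaticHeaders)
        {
            // Do not clobber a header an individual action set on purpose
            // (for example a page-specific CSP).
            if (!response.Headers.Contains(header.Key))
            {
                response.Headers.TryAddWithoutValidation(header.Key, header.Value);
            }
        }

        // Browsers ignore HSTS received over plain HTTP, so only emit it on TLS requests.
        // Assumption: TLS terminates at this host. Behind a TLS-terminating proxy the scheme
        // seen here is http and you would check X-Forwarded-Proto from that trusted proxy instead.
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps
            && !response.Headers.Contains("Strict-Transport-Security"))
        {
            response.Headers.TryAddWithoutValidation(
                "Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        }

        return response;
    }
}

// Session-cookie helper. CookieHeaderValue exposes HttpOnly, Secure, Expires, Path and
// Domain but no SameSite, so the Set-Cookie value is assembled directly.
public static class SessionCookie
{
    // 32 random bytes from the OS CSPRNG. Guid.NewGuid() is unique but not guaranteed
    // unpredictable, and unpredictability is what a session identifier needs.
    public static string NewSessionId()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 so the value needs no quoting inside the cookie.
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // The __Host- prefix makes browsers reject the cookie unless it is Secure, has Path=/
    // and carries no Domain attribute, so a sibling subdomain cannot plant it.
    public static void Attach(HttpResponseMessage response, string sessionId, TimeSpan lifetime)
    {
        var expires = DateTimeOffset.UtcNow.Add(lifetime).ToString("R");
        var setCookie = string.Format(
            "__Host-session-id={0}; Path=/; Expires={1}; Max-Age={2}; Secure; HttpOnly; SameSite=Strict",
            sessionId, expires, (long)lifetime.TotalSeconds);
        response.Headers.TryAddWithoutValidation("Set-Cookie", setCookie);
    }
}

// Wire the handler into the pipeline at startup; a default project calls
// GlobalConfiguration.Configure(WebApiConfig.Register) from Global.asax.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new SecurityHeadersHandler());
        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}
```

With the handler registered, the Post action only needs to build its response and call SessionCookie.Attach(response, SessionCookie.NewSessionId(), TimeSpan.FromHours(1)); the four response.Headers.Add calls in the controller can go. To check the result, request the endpoint with curl -i over http and over https: the plain-HTTP response should carry the nosniff, frame and CSP headers but no Strict-Transport-Security line, and the Set-Cookie line should end in Secure; HttpOnly; SameSite=Strict.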

Have a nice day :)

