Rick Strahl's Weblog
Wind, waves, code and everything in between...
- Rest Client and Http Load Testing for Windows
WebLog Posts in Category Security
November, 2022 (1)
October, 2022 (1)
September, 2022 (2)
August, 2022 (3)
July, 2022 (2)
June, 2022 (2)
April, 2022 (2)
March, 2022 (2)
February, 2022 (2)
January, 2022 (2)
December, 2021 (1)
November, 2021 (3)
October, 2021 (1)
ASP.NET Core (56)
Visual Studio (54)
.NET Core (19)
Web Services (19)
Web Api (16)
Sql Server (10)
Microsoft AJAX (8)
West Wind Ajax Toolkit (7)
Web Connection (7)
Entity Framework (6)
Internet Explorer (6)
Html Help Builder (5)
Markdown Monster (5)
Live Writer (5)
Software Development (5)
Source Control (4)
Help Builder (3)
Web Browser Control (3)
Visual Studio Code (2)
Web Development (2)
ASP.NET vNext (2)
.NET Standard (2)
Visual Studio (1)
ASP.NET Markdown (1)
Control Development (1)
Credit Card Processing (1)
Dynamic Types (1)
CSharp Dotnet (1)
WPF Windows (1)
VS Code (1)
Web Assembly (1)
Web Deployment Projects (1)
Web Design (1)
Fix automatic re-routing of http:// to https:// on localhost in Web Browsers
October 24, 2022 - Maui, Hawaii
If you're doing local Web develop with multiple development tools you've probably run into a problem where you end up not being able to access a local site via unsecured `http://` requests and automatically get redirected to `https://` no matter what you try. If you don't have a certificate set up for the site you may not even be able to access the site at all. Turns out this usually is due to HSTS which is a nasty little bugger of a security protocol that is applied universally to a domain even in applications that don't use HSTS. In this post I discuss how HSTS works and why it can be a problem for local development as well as how to clear out the HSTS cache or avoid using it locally.
Role based JWT Tokens in ASP.NET Core APIs
March 09, 2021 - Maui, Hawaii
ASP.NET Core Authentication and Authorization continues to be the most filddly part of the ASP.NET Core eco system and today I ran into a problem to properly configure JWT Tokens with Roles. As I had a hard time finding the information I needed in one place and instead ended up with some outdated information, I'm writing up a post to hopefully put all the basic bits into this single post.
Markdown and Cross Site Scripting
August 31, 2018 - Hood River, Oregon
I've been getting a number of requests for providing XSS support in my various Markdown components. While Markdown itself makes no provision for HTML Sanitation, if you use Markdown for capturing user input some sort of sanitation is required to avoid potential XSS attacks. In this post I look at XSS scenarios and show how the `Westwind.AspnetCore.Markdown` package deals with removing script tags from rendered Markdown content.
Code Magazine Article: Securing IIS Web Sites with Let’s Encrypt Certificates
December 26, 2017 - Maui, Hawaii
Lets Encrypt makes it very easy to create free TLS certificates for your Web site. In this CODE magazine article Rick reviews some of the history of Lets Encrypt and then shows how you can easily take advantage of it to create free and automatically installed and updated certificates for your Windows based IIS Web servers.
Configuring LetsEncrypt for ASP.NET Core and IIS
September 09, 2017 - Hood River, OR
LetsEncrypt makes it easy to create SSL certificates for your applications for free and lets you automate the process. When using LetsEncrypt with IIS and ASP.NET Core however a few extra steps are required to make an ASP.NET Core site work with LetsEncrypt. I show you how in this post.
Dealing with Anti-Virus False Positives
October 05, 2016 - Maui, Hawaii
I've been struggling with false positive Anti-Virus warnings for Markdown Monster. In this post I describe what problems I was running into and how eventually managed to get a clean distribution of Markdown Monster out the door.
ASP.NET Core and CORS Gotchas
September 26, 2016 - Hood River, Oregon
CORS is a requirement for cross domain XHR calls, and when you use Angular 2.0 default dev server and talk to an ASP.NET Core application you'll need to use CORS to get XHR to talk across the domain boundaries. Here's how to set up CORS and how to test it.
Moving to Lets Encrypt SSL Certificates
July 09, 2016 - Lake Garda, Italy
This week marks the expiration of my last paid for SSL certificates and moving all certificates to Lets Encrypt. In the process I had a chance to moving some of my smaller personal and hobby sites as well as moving my wildcard cert for the main site. In this post I'll describe the process I'll describe what tools I used and the process I went through to gradually move my sites over to Lets Encrypt.
Use Powershell to bind SSL Certificates to an IIS Host Header Site
June 23, 2016 - Maui, HI
Managing SSL certificates on Windows has always been a pain in the ass and recently with the introduction of SNI to support multiple SSL certificates per site things have changed slightly in order to register certificates with IIS programmatically. In this post I show how to use PowerShell and the IIS WebAdministration snap in commands to create or import and register an SSL Certificate via the Command Line along with how this convoluted process works
Getting 'motivated' to move to SSL and HTTPS
May 09, 2016 - Maui, HI
The pressure is on: HTTPS is pushed front and center more and more as we see the browser vendors and API tools providers, making SSL encryption no longer an optional part for many things that you build on the Web. SSL and HTTPS are becoming a requirement and for good reasons. I personally ran into this with the Google Maps API in one of my applications that now requires an HTTPS based client page in order to use this API. In this post I discuss some of the issues and why this is actually a good thing, and some of the steps I took to move my existing site to HTTPS.
Using Let's Encrypt with IIS on Windows
February 22, 2016 - Maui, HI
Let's Encrypt is a new, open source certificate authority for creating free SSL certificates. In this post I show you how you can use some of the API clients on Windows to create Let's Encrypt certificates for use in IIS.
A dynamic RequireSsl Attribute for ASP.NET MVC
June 18, 2014 - Hood River, OR
In ASP.NET MVC the RequireHttps attribute allows for securing controllers and controller methods, but it's limited to either on or off statically. In this post I discuss a custom attribute that can dynamically set SSL usage based on a configuration setting or delegate.
IIS SSL Certificate Renewal Pain
May 08, 2014 - Hood River, OR
IIS SSL Certificate renewals always seem to be a pain. Rarely does it just go right and I never seem to remember whether I should renew, or just issue a new cert. The answer is the latter, but this post discusses some of the issues and how to avoid them when renewing or installing new SSL certificates.
A WebAPI Basic Authentication Authorization Filter
April 18, 2013 - Maui, Hawaii
Recently I needed to implement user based security in a Web API application that's easily accessible from a variety of clients. The customer asked specifically for Basic Auth support and so needed to implement custom Basic Auth support. In this post I describe a simple AuthorizationFilter based implementation of Basic Authentication for Web API.
.NET HTML Sanitation for rich HTML Input
July 19, 2012 - Maui, Hawaii
If you need to sanitize raw HTML for display in Web applications, the job at hand is scary for .NET backends. Unfortunately it seems there aren't a lot of tools available to help in this formidable tasks and the tools that are tend to be inflexible to the point of often being unusable. In this post I show a base implementation of an HTML Sanitizer that can be customized for your own needs.
Wishful Thinking: Why can't HTML fix Script Attacks at the Source?
April 14, 2012 - Maui, Hawaii
I'm dealing with user HTML input in a Web application today and again I curse over the complexities involved in sanitizing this html. So today I started dreaming about a possible alternative...
Loading Assemblies off Network Drives
March 22, 2011 - Maui, Hawaii
Remote loading of assemblies and CAS policy in .NET have always been hassle and although .NET 4.0 improves security, lightning up rules to be on par with Win32 applications, for COM Interop and custom runtime hosting old rules still apply. Luckily there's some help in the form of a new configuration switch that allows overriding remote loading of assemblies.
Request Limit Length Limits for IIS’s requestFiltering Module
October 28, 2010 - Maui, Hawaii
Got bit during an update today by code that ran just fine on my dev machine and failed on OpenID logins on the live machine. Turns out RequestFiltering was not allowing the long OpenID urls to be served, a problem that's easy to hit with the default settings in Windows Server 2008.
SSL Certificate Renewal Pain
January 21, 2009 - Maui, Hawaii
I ran into some problems this time around renewing my SSL certificate for west-wind.com and it looks like the problem is related to how IIS 7 handles renewals. After all the years of problems with certificate renewals in IIS I figured that by now Microsoft would have this nailed, but in the end only a completely new certificate request managed to work for me.
Non ASPX Extensions and Authentication in the IIS 7 Integrated Pipeline
May 23, 2008 - Frankfurt, Germany
Ran into an issue where IIS 7's integrated pipeline exhibits different behavior authenticating non ASPX extensions. Looks like IIS 7 only authenticates mainline files resulting in Context.User==null or Context.User.Identity.IsAuthenticated==false. For example hitting CustomHit.axd doesn't provide user credentials where an ASPX url does.
MS Tests failing due to Security Errors
March 17, 2008 - Maui, Hawaii
Ran into an odd problem today while testing with a third party DLL. My unit tests failed to run complaining that the third party DLL was not trusted. Turns out the problem is related to the security tags applied to the file when it was downloaded and installed directly of a Web download.
Watch out for XmlDocument.PreserveWhitespace when dealing with Digital Signatures
March 03, 2008 - Maui, Hawaii
When creating digital signatures of XML documents its crucial that the Xml document settings on signing match the document settings that are expected for validating signatures. I ran into a problem where our signatures were failing with a vendor's site, due to the PreserveWhitespace property settings on our end and on the vendor's parser being mismatched.
Digitally Signing an XML Document and Verifying the Signature
February 23, 2008 - Maui, Hawaii
Signing an XML document and then validating the digital signature of the document doesn't involve a lot of code - once you know how it works, but arriving there is quite the journey. This post describes setting up a certifcate for testing, signing an XML document with the Private key and then validating it with the Public key.