Rick Strahl's Web Log

Wind, waves, code and everything in between...
ASP.NET • C# • HTML5 • JavaScript • AngularJs
Contact   •   Articles   •   Products   •   Search

WebLog Posts in Category Security

A dynamic RequireSsl Attribute for ASP.NET MVC

In ASP.NET MVC the RequireHttps attribute allows for securing controllers and controller methods, but it's limited to either on or off statically. In this post I discuss a custom attribute that can dynamically set SSL usage based on a configuration setting or delegate.

IIS SSL Certificate Renewal Pain

IIS SSL Certificate renewals always seem to be a pain. Rarely does it just go right and I never seem to remember whether I should renew, or just issue a new cert. The answer is the latter, but this post discusses some of the issues and how to avoid them when renewing or installing new SSL certificates.

A WebAPI Basic Authentication Authorization Filter

Recently I needed to implement user based security in a Web API application that's easily accessible from a variety of clients. The customer asked specifically for Basic Auth support and so needed to implement custom Basic Auth support. In this post I describe a simple AuthorizationFilter based implementation of Basic Authentication for Web API.

.NET HTML Sanitation for rich HTML Input

If you need to sanitize raw HTML for display in Web applications, the job at hand is scary for .NET backends. Unfortunately it seems there aren't a lot of tools available to help in this formidable tasks and the tools that are tend to be inflexible to the point of often being unusable. In this post I show a base implementation of an HTML Sanitizer that can be customized for your own needs.

Wishful Thinking: Why can't HTML fix Script Attacks at the Source?

I'm dealing with user HTML input in a Web application today and again I curse over the complexities involved in sanitizing this html. So today I started dreaming about a possible alternative...

Loading Assemblies off Network Drives

Remote loading of assemblies and CAS policy in .NET have always been hassle and although .NET 4.0 improves security, lightning up rules to be on par with Win32 applications, for COM Interop and custom runtime hosting old rules still apply. Luckily there's some help in the form of a new configuration switch that allows overriding remote loading of assemblies.

Request Limit Length Limits for IIS’s requestFiltering Module

Got bit during an update today by code that ran just fine on my dev machine and failed on OpenID logins on the live machine. Turns out RequestFiltering was not allowing the long OpenID urls to be served, a problem that's easy to hit with the default settings in Windows Server 2008.

SSL Certificate Renewal Pain

I ran into some problems this time around renewing my SSL certificate for west-wind.com and it looks like the problem is related to how IIS 7 handles renewals. After all the years of problems with certificate renewals in IIS I figured that by now Microsoft would have this nailed, but in the end only a completely new certificate request managed to work for me.

Non ASPX Extensions and Authentication in the IIS 7 Integrated Pipeline

Ran into an issue where IIS 7's integrated pipeline exhibits different behavior authenticating non ASPX extensions. Looks like IIS 7 only authenticates mainline files resulting in Context.User==null or Context.User.Identity.IsAuthenticated==false. For example hitting CustomHit.axd doesn't provide user credentials where an ASPX url does.

MS Tests failing due to Security Errors

Ran into an odd problem today while testing with a third party DLL. My unit tests failed to run complaining that the third party DLL was not trusted. Turns out the problem is related to the security tags applied to the file when it was downloaded and installed directly of a Web download.

Watch out for XmlDocument.PreserveWhitespace when dealing with Digital Signatures

When creating digital signatures of XML documents its crucial that the Xml document settings on signing match the document settings that are expected for validating signatures. I ran into a problem where our signatures were failing with a vendor's site, due to the PreserveWhitespace property settings on our end and on the vendor's parser being mismatched.

Digitally Signing an XML Document and Verifying the Signature

Signing an XML document and then validating the digital signature of the document doesn't involve a lot of code - once you know how it works, but arriving there is quite the journey. This post describes setting up a certifcate for testing, signing an XML document with the Private key and then validating it with the Public key.