Daishi.Armor.WebFramework
Protect ASP.NET Applications Against CSRF Attacks
ASP.NET ARMOR Web Framework
As seen on <a href="https://visualstudiomagazine.com/articles/2015/05/01/csrf-attacks.aspx">visualstudiomagazine.com</a>.
The Encrypted Token Pattern is a defence mechanism against Cross-Site Request Forgery (CSRF) attacks, and is an alternative to its sister patterns, the Synchroniser Token Pattern and the Double Submit Cookie pattern. Instead of storing a per-session token on the server or echoing one in a cookie, the server issues the client a token that encrypts the authenticated user's ID together with a timestamp and a nonce, and on every state-changing request it decrypts the token and checks that those fields are valid for the current user. The ARMOR Web Framework provides a means to leverage this technique in repelling CSRF attacks against ASP.NET applications.
Click <a href="http://insidethecpu.com/2015/04/10/protecting-asp-net-applications-against-csrf-attacks/">here for an in-depth tutorial</a> on protecting ASP.NET applications from CSRF attacks using this framework.
Installation
PM> Install-Package Daishi.Armor.WebFramework
Sample Code
Generating Keys
ARMOR requires two independent keys, an encryption key and a hashing key, both supplied in Base64 format. The code below generates two random 256-bit keys and Base64-encodes them.
Note: key generation, rotation and storage are outside ARMOR's scope. Treat both keys as secrets: keep them out of source control and never reuse one key for both purposes.
using System;
using System.Security.Cryptography;
byte[] encryptionKey = new byte[32];
byte[] hashingKey = new byte[32];
// RNGCryptoServiceProvider is the .NET Framework CSPRNG; on .NET Core/5+ use RandomNumberGenerator.Fill.
using (var provider = new RNGCryptoServiceProvider()) {
    provider.GetBytes(encryptionKey);
    provider.GetBytes(hashingKey);
}
// ARMOR consumes the keys as Base64 strings.
string encryptionKeyBase64 = Convert.ToBase64String(encryptionKey);
string hashingKeyBase64 = Convert.ToBase64String(hashingKey);
Adding Fortification Filters
Add the following filter to ASP.NET Web API applications, where config is your HttpConfiguration:
config.Filters.Add(new WebApiArmorFortifyFilter());
Add the following global filter to ASP.NET MVC applications:
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
filters.Add(new MvcArmorFortifyFilter());
}
Protecting your Endpoints
Add the following attribute to the ASP.NET Web API controllers or actions that should reject requests without a valid token:
[WebApiArmorAuthorize]
Add the following attribute to the ASP.NET MVC controllers or actions that should reject requests without a valid token:
[MvcArmorAuthorize]
Integrating with your Authentication Mechanism
If your application uses claims-based authentication, ARMOR's default identity reader extracts the UserId claim as follows:
// This TryRead override lives inside an IdentityReader implementation; the snippet
// assumes a 'principal' member (the current IPrincipal) is available to the reader.
// Requires System.Collections.Generic, System.Linq and System.Security.Claims.
public override bool TryRead(out IEnumerable<Claim> identity) {
    var claims = new List<Claim>();
    identity = claims;
    var claimsIdentity = principal.Identity as ClaimsIdentity;
    if (claimsIdentity == null) return false;
    // The claim type is the literal string "UserId". SingleOrDefault throws
    // if the identity carries more than one claim of that type.
    var subClaim = claimsIdentity.Claims.SingleOrDefault(c => c.Type.Equals("UserId"));
    if (subClaim == null) return false;
    claims.Add(subClaim);
    return true;
}
If your application uses any other authentication mechanism, create your own implementation of IdentityReader and override TryRead so that it returns the logged-in user's ID as a Claim.
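To make the pattern concrete, here is an added, self-contained example of the Encrypted Token Pattern as it applies to the pieces above: the token carries the user's ID, the issue time and a nonce, is encrypted with the encryption key and authenticated with the hashing key, and on validation is compared against the UserId that the identity reader returns for the current request. This is not ARMOR's own code and does not reproduce ARMOR's token format; the class name, the field layout userId|issuedUtcTicks|nonce, and the AES-CBC plus HMAC-SHA256 encrypt-then-MAC construction are assumptions made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not ARMOR's code. Token layout (userId|issuedUtcTicks|nonce),
// the AES-CBC + HMAC-SHA256 encrypt-then-MAC construction and all names here
// are assumptions made for illustration.
public sealed class EncryptedTokenService
{
    private const int IvSize = 16;   // AES block size
    private const int TagSize = 32;  // HMAC-SHA256 output size
    private readonly byte[] _encryptionKey; // 32 bytes -> AES-256
    private readonly byte[] _hashingKey;    // 32 bytes, independent of the AES key
    private readonly TimeSpan _lifetime;

    public EncryptedTokenService(byte[] encryptionKey, byte[] hashingKey, TimeSpan lifetime)
    {
        if (encryptionKey == null || encryptionKey.Length != 32) throw new ArgumentException("32-byte key required", "encryptionKey");
        if (hashingKey == null || hashingKey.Length != 32) throw new ArgumentException("32-byte key required", "hashingKey");
        _encryptionKey = encryptionKey;
        _hashingKey = hashingKey;
        _lifetime = lifetime;
    }

    // Issue a token bound to the authenticated user: AES-CBC(userId|timestamp|nonce)
    // under a fresh IV, then HMAC over IV||ciphertext. Output: Base64(IV||ct||tag).
    public string Issue(string userId)
    {
        if (userId == null || userId.Contains("|")) throw new ArgumentException("invalid user id", "userId");
        var nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        byte[] body = Encoding.UTF8.GetBytes(userId + "|" + DateTime.UtcNow.Ticks + "|" + Convert.ToBase64String(nonce));
        using (var aes = Aes.Create())
        {
            aes.Key = _encryptionKey;
            aes.GenerateIV(); // CBC mode and PKCS7 padding are the .NET defaults
            byte[] ciphertext;
            using (var enc = aes.CreateEncryptor()) ciphertext = enc.TransformFinalBlock(body, 0, body.Length);
            byte[] ivAndCt = Concat(aes.IV, ciphertext);
            using (var hmac = new HMACSHA256(_hashingKey)) return Convert.ToBase64String(Concat(ivAndCt, hmac.ComputeHash(ivAndCt)));
        }
    }

    // Validate the token presented with a state-changing request. The MAC is checked in
    // constant time before decryption, so altered tokens never reach the cipher (no padding oracle).
    public bool TryValidate(string token, string authenticatedUserId, out string reason)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(token ?? string.Empty); }
        catch (FormatException) { reason = "token is not valid Base64"; return false; }
        if (blob.Length < IvSize + 16 + TagSize) { reason = "token too short"; return false; }

        int bodyLength = blob.Length - TagSize;
        var ivAndCt = new byte[bodyLength];
        var tag = new byte[TagSize];
        Buffer.BlockCopy(blob, 0, ivAndCt, 0, bodyLength);
        Buffer.BlockCopy(blob, bodyLength, tag, 0, TagSize);
        byte[] expectedTag;
        using (var hmac = new HMACSHA256(_hashingKey)) expectedTag = hmac.ComputeHash(ivAndCt);
        if (!FixedTimeEquals(tag, expectedTag)) { reason = "MAC mismatch: forged or altered token"; return false; }

        var iv = new byte[IvSize];
        var ciphertext = new byte[bodyLength - IvSize];
        Buffer.BlockCopy(ivAndCt, 0, iv, 0, IvSize);
        Buffer.BlockCopy(ivAndCt, IvSize, ciphertext, 0, ciphertext.Length);
        string plaintext;
        using (var aes = Aes.Create())
        {
            aes.Key = _encryptionKey;
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor()) plaintext = Encoding.UTF8.GetString(dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length));
        }

        string[] parts = plaintext.Split('|');
        long issuedTicks = 0;
        if (parts.Length != 3 || !long.TryParse(parts[1], out issuedTicks)) { reason = "malformed token body"; return false; }
        // User binding: a token the attacker obtained for their own account cannot be replayed against the victim.
        if (!string.Equals(parts[0], authenticatedUserId, StringComparison.Ordinal)) { reason = "token was issued to a different user"; return false; }
        if (DateTime.UtcNow - new DateTime(issuedTicks, DateTimeKind.Utc) > _lifetime) { reason = "token expired"; return false; }
        reason = null;
        return true;
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        var result = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, result, 0, a.Length);
        Buffer.BlockCopy(b, 0, result, a.Length, b.Length);
        return result;
    }

    // Length-independent comparison; use CryptographicOperations.FixedTimeEquals on .NET Core 2.1+.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Issue(userId) is what a server would call when rendering a form or answering a login, and TryValidate(token, userId, out reason) is what an authorize filter would call with the UserId claim the identity reader produced. Flipping any byte of the token fails at the MAC check before decryption runs, a token captured for a different account fails the user binding, and an old token fails the lifetime check. On .NET Core 3.0 or later the same design can be built on AesGcm, which provides encryption and authentication in one primitive.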
Contact the Developer
Please reach out and contact me for questions, suggestions, or to just talk tech in general.
<a href="http://insidethecpu.com/feed/">Blog (RSS feed)</a>
<a href="https://twitter.com/daishisystems">Twitter</a>
<a href="https://www.linkedin.com/in/daishisystems">LinkedIn</a>
<a href="https://plus.google.com/102806071104797194504/posts">Google+</a>
<a href="https://www.youtube.com/user/daishisystems">YouTube</a>