SecurityBlanket 1.1.0
dotnet add package SecurityBlanket --version 1.1.0
NuGet\Install-Package SecurityBlanket -Version 1.1.0
<PackageReference Include="SecurityBlanket" Version="1.1.0" />
paket add SecurityBlanket --version 1.1.0
#r "nuget: SecurityBlanket, 1.1.0"
// Install SecurityBlanket as a Cake Addin
#addin nuget:?package=SecurityBlanket&version=1.1.0
// Install SecurityBlanket as a Cake Tool
#tool nuget:?package=SecurityBlanket&version=1.1.0
A Security Blanket for your API
When building an API, you have to always worry about data leaks: is it possible for a customer to accidentally view data for another customer? Does your API expose some information they shouldn't be permitted to see?
You can tell your engineers to check their database queries carefully, but even the tiniest mistake can leak customer data in a multi-tenant software-as-a-service environment.
With SecurityBlanket, you can add a second layer of protection: a middleware filter that verifies all your data before the API serves up a response.
Here's how to use it.
Step 1 - Add the middleware to your project
In your Program.cs file, mark all controllers to use the security blanket action filter.
var builder = WebApplication.CreateBuilder(args);
// Add the Security Blanket middleware to all API responses
builder.Services.AddControllersWithViews(options =>
{
options.Filters.Add<SecurityBlanketActionFilter>();
});
var app = builder.Build();
Step 2 - Give your API response objects security rules
Add the IVisibleResult or IVisibleAsyncResult interface to your API response classes. This interface allows the object to determine whether or not it is permitted to be seen by the current HttpContext. This independent check will help you ensure that all database queries produce data the user is entitled to view.
Here's one way you could implement security on your objects:
using Microsoft.AspNetCore.Http;

public class MyApiResultObject : ICustomSecurity
{
    public int AccountId { get; set; }

    // Interface members must be public. When no accountId was stored on the context,
    // the cast yields null and the comparison is false, so the object stays hidden.
    public bool IsVisible(HttpContext context)
    {
        return this.AccountId == (int?)context.Items["accountId"];
    }
}
If you have nested objects, you'll want to implement ICompoundSecurity. For data that isn't considered private, tag it with INoSecurity. You can easily audit all your objects to ensure that each of them has a valid security policy that can be tested against the API caller's HttpContext.
Step 3 - Monitor your logs for security exceptions
If one of your APIs attempts to show an object to a user who isn't entitled to see it, you will get an exception. Log these exceptions and track down every source of object visibility errors.
Step 4 - Use SecurityBlanket for custom validation
You can use the validator in your code outside of the API action filter as well:
var failures = await Validator.Validate(objectToValidate, context);
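Steps 1 to 4 put together as an added example (not code from the SecurityBlanket package or its README). It assumes the Web SDK's implicit usings, that the package's namespace is SecurityBlanket, that ICustomSecurity declares bool IsVisible(HttpContext), and a hypothetical "account_id" claim; it also shows the part the steps leave implicit, namely how HttpContext.Items["accountId"] gets populated from the authenticated identity so the visibility check fails closed when it is missing.

```csharp
// Added example, not the package's own code. Assumes Web SDK implicit usings,
// namespace SecurityBlanket, and ICustomSecurity with bool IsVisible(HttpContext).
using Microsoft.AspNetCore.Mvc;
using SecurityBlanket;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews(options =>
{
    options.Filters.Add<SecurityBlanketActionFilter>();
});
var app = builder.Build();

// Resolve the caller's tenant once, from the authenticated identity, never from request input.
// If the claim is absent, Items["accountId"] stays unset and every IsVisible check fails closed.
app.Use(async (context, next) =>
{
    var claim = context.User.FindFirst("account_id")?.Value; // hypothetical claim name
    if (int.TryParse(claim, out var accountId))
    {
        context.Items["accountId"] = accountId;
    }
    await next();
});
app.MapControllers();
app.Run();

// Tenant-owned response object: the filter lets it through only for its own tenant.
public class InvoiceDto : ICustomSecurity
{
    public int AccountId { get; set; }
    public decimal Amount { get; set; }
    public bool IsVisible(HttpContext context)
    {
        // Unboxing a missing Items entry gives null, so a request with no tenant is denied.
        return AccountId == (int?)context.Items["accountId"];
    }
}

[ApiController]
[Route("invoices")]
public class InvoicesController : ControllerBase
{
    [HttpGet("{id}")]
    public InvoiceDto Get(int id)
    {
        // Constructed sample row standing in for a database query. Even if that query
        // forgot to filter by tenant, the action filter rejects a foreign AccountId.
        return new InvoiceDto { AccountId = 42, Amount = 99.5m };
    }
}
```

A caller whose claim resolves to account 42 receives the invoice; any other caller, or an unauthenticated one, triggers the visibility failure that Step 3 tells you to log.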
Product | Compatible and computed target framework versions |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
.NETStandard 2.0
- Microsoft.AspNetCore.Mvc.Abstractions (= 2.2.0)
- Microsoft.AspNetCore.Mvc.Core (= 2.2.5)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
# 1.1.0
November 23, 2022
Refined the program and improved documentation and usability.
* Added simple security policy for public data (i.e. data with no restrictions on visibility)
* Added compound security policy that can demonstrate multiple objects nested which also require validation
* Refined the ActionFilter to hide details of the exception and return a simplified JSON response
* Added logging using the standard ILogger interface
* Added tests for ActionFilter behavior
* Updated the demo app to demonstrate these scenarios