Secure .NET API Foundation is a healthcare-oriented ASP.NET Core API project focused on Application Security, Secure SDLC and Technical GRC concepts.
The project demonstrates secure API engineering practices including:
- JWT authentication
- Role-Based Access Control (RBAC)
- Audit logging
- API hardening
- Rate limiting
- Secure middleware
- OWASP-aligned controls
The API exposes secured healthcare-oriented endpoints protected with JWT authentication and RBAC authorization policies.
Main domains:
- Auth
- Patients
- MedicalRecords
- AuditLogs
- User authenticates through `/api/auth/login` and a JWT token is generated
- Protected endpoints require valid JWT authentication
- RBAC policies enforce least privilege access
- Sensitive actions are recorded through audit logging
- Security middleware applies hardening controls and correlation tracing
| Control | Purpose |
|---|---|
| JWT Authentication | Secure user authentication |
| RBAC Policies | Least privilege authorization |
| Rate Limiting | Abuse and brute force mitigation |
| Audit Logging | Accountability and traceability |
| Security Headers | HTTP hardening |
| Exception Middleware | Prevent information leakage |
| Correlation IDs | Request traceability |
The API uses JWT Bearer authentication with:
- issuer validation
- audience validation
- signing key validation
- expiration validation
Swagger integration allows authenticated testing directly from the UI.
Policy-based authorization is used to protect sensitive endpoints. Policies include:
- CanViewMedicalRecords
- CanManageMedicalRecords
- Auditor/Admin access restrictions
Roles:
- Doctor
- Nurse
- Auditor
- Admin
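How the named policies map onto the roles, as an added example rather than the project's own code. Which roles satisfy each policy, the policy name `CanReadAuditLogs` for the Auditor/Admin restriction, and the `CreateMedicalRecordDto` shape are assumptions made here.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class AuthorizationSetup
{
    // Role-to-policy mapping is an assumption for this example; the README only
    // names the policies and the roles.
    public static IServiceCollection AddProjectAuthorization(this IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanViewMedicalRecords",
                p => p.RequireAuthenticatedUser().RequireRole("Doctor", "Nurse", "Admin"));

            options.AddPolicy("CanManageMedicalRecords",
                p => p.RequireAuthenticatedUser().RequireRole("Doctor", "Admin"));

            options.AddPolicy("CanReadAuditLogs",
                p => p.RequireAuthenticatedUser().RequireRole("Auditor", "Admin"));

            // Deny by default: an endpoint that forgets its [Authorize] attribute still
            // requires an authenticated caller instead of silently becoming public.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
}

public record CreateMedicalRecordDto(int PatientId, string Summary);

[ApiController]
[Route("api/[controller]")]
public class MedicalRecordsController : ControllerBase
{
    // Reading needs the weaker policy; writing needs the stronger one.
    [HttpGet("{id:int}")]
    [Authorize(Policy = "CanViewMedicalRecords")]
    public IActionResult Get(int id) => Ok(new { id });

    [HttpPost]
    [Authorize(Policy = "CanManageMedicalRecords")]
    public IActionResult Create([FromBody] CreateMedicalRecordDto dto) =>
        CreatedAtAction(nameof(Get), new { id = 1 }, dto);
}
```

With a fallback policy in place, the login endpoint and the Swagger UI must be marked `[AllowAnonymous]` explicitly, which is the intended direction: public access becomes the exception that has to be declared.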
Main threats considered during development:
- Broken Access Control
- Unauthorized medical record access
- Brute force authentication attacks
- JWT abuse
- Excessive API usage
- Information disclosure
- Missing audit traceability
| Threat | Mitigation |
|---|---|
| Broken Access Control | RBAC authorization policies |
| Unauthorized medical record access | Role-based endpoint protection |
| Brute force authentication attacks | ASP.NET Core Rate Limiting |
| JWT abuse | JWT validation and expiration |
| Excessive API usage | Fixed-window rate limiting |
| Information disclosure | DTO-based response models |
| Missing audit traceability | Centralized audit logging |
| Unhandled exceptions | Global exception middleware |
| Request correlation issues | Correlation ID middleware |
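The two rate-limiting rows of the table (brute force on login, excessive API usage) as an added example using the built-in ASP.NET Core rate limiter; it is not the project's own configuration. The limits, the policy name `auth` and the use of a minimal-API login stub are assumptions.

```csharp
using System.Threading.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Tight fixed window for the login endpoint, keyed by client IP, so a single source
    // gets only a handful of password attempts per minute. Behind a reverse proxy the
    // forwarded-headers middleware must run first or every client shares one bucket.
    options.AddPolicy("auth", ctx => RateLimitPartition.GetFixedWindowLimiter(
        partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
        factory: _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 5,
            Window = TimeSpan.FromMinutes(1),
            QueueLimit = 0            // reject immediately rather than queue
        }));

    // Looser window for every other endpoint (the "Excessive API usage" row).
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0
            }));
});

var app = builder.Build();
app.UseRateLimiter();

// Credential checking is out of scope here; the point is the limiter attached to the route.
app.MapPost("/api/auth/login", (LoginRequest request) => Results.Unauthorized())
   .RequireRateLimiting("auth");

app.Run();

public record LoginRequest(string Username, string Password);
```

A per-IP window slows a single source but not a distributed guessing campaign; pairing it with a per-username limiter or account lockout covers that case.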
- Least privilege access
- Defense in depth
- Secure-by-default APIs
- Traceability and accountability
- Reduced attack surface
| OWASP API Risk | Project Mitigation |
|---|---|
| API1: Broken Object Level Authorization | RBAC authorization policies and protected patient/medical record endpoints |
| API2: Broken Authentication | JWT Bearer authentication with issuer, audience, signing key and lifetime validation |
| API3: Broken Object Property Level Authorization | DTO-based request and response models to reduce unnecessary data exposure |
| API4: Unrestricted Resource Consumption | Rate limiting policies for authentication and API endpoints |
| API5: Broken Function Level Authorization | Policy-based authorization for patients, medical records and audit logs |
| API8: Security Misconfiguration | Security headers, HTTPS redirection and centralized exception handling |
| API9: Improper Inventory Management | Swagger/OpenAPI documentation and structured API routes |
| API10: Unsafe Consumption of APIs | Controlled backend-only data access through EF Core and internal services |
- JWT Bearer authentication
- Role-Based Access Control (RBAC)
- Policy-based authorization
- Protected sensitive endpoints with `[Authorize]`
- HTTPS redirection enabled
- Security headers configured
- DTO-based request/response isolation
- Global exception handling middleware
- Centralized audit logging
- Correlation ID middleware
- Security-relevant event tracking
- Authentication event logging
- Rate limiting on authentication endpoints
- API request throttling
- Brute force mitigation controls
- Separation of concerns architecture
- Service layer abstraction
- Minimal data exposure
- OWASP-aligned controls
Tested scenarios include:
- Access without JWT token
- Access with invalid roles
- Expired JWT tokens
- Brute force login attempts
- Unauthorized medical record access attempts
- Invalid payload validation
- Rate limiting behavior
- Authentication failure logging
- Authorization enforcement testing
Custom middleware protections include:
- Correlation ID tracking
- Centralized exception handling
- Secure response headers
- Request traceability support
Security headers set on responses:
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
- Permissions-Policy
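The correlation ID, security header and centralized exception handling middleware together, as an added example written for this README and not the project's own middleware. The header values, the `X-Correlation-ID` header name and the error body shape are assumptions.

```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Global exception handling first so it wraps everything downstream: the built-in
// middleware logs the exception server-side, and the client gets a generic body that
// carries only the correlation id, never an exception type, message or stack trace.
app.UseExceptionHandler(errApp => errApp.Run(async ctx =>
{
    ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
    await ctx.Response.WriteAsJsonAsync(
        new { error = "An unexpected error occurred.", correlationId = ctx.TraceIdentifier });
}));

// Correlation id is assigned before any endpoint runs, so it is available to the handler above.
app.UseMiddleware<SecurityHeadersMiddleware>();

app.MapGet("/api/health", () => "ok");
app.Run();

// Adds the hardening headers and a per-request correlation id. Header values are choices
// made for this example; the README lists only the header names.
public sealed class SecurityHeadersMiddleware
{
    public const string CorrelationHeader = "X-Correlation-ID";
    private readonly RequestDelegate _next;
    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // Reuse a caller-supplied id only if it is a well-formed GUID; otherwise mint one,
        // so arbitrary client input never reaches logs or response headers verbatim.
        var incoming = context.Request.Headers[CorrelationHeader].FirstOrDefault();
        var id = Guid.TryParse(incoming, out var g) ? g.ToString() : Guid.NewGuid().ToString();
        context.TraceIdentifier = id;
        context.Response.OnStarting(() =>
        {
            var h = context.Response.Headers;
            h[CorrelationHeader] = id;
            h["X-Content-Type-Options"] = "nosniff";
            h["X-Frame-Options"] = "DENY";
            h["Referrer-Policy"] = "no-referrer";
            h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
            return Task.CompletedTask;
        });
        await _next(context);
    }
}
```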
Security-relevant actions are logged for traceability and monitoring purposes. Logged events:
- Successful login attempts
- Failed login attempts
- Medical record access
- Medical record creation
- Audit log access
Each audit entry records:
- Username
- Role
- Timestamp
- Correlation ID
- IP address
- Action performed
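An audit entry carrying exactly the six fields above, persisted through EF Core, as an added example and not the project's own audit implementation. The entity, context and service names, the action labels and the 128-character clipping are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.EntityFrameworkCore;

public sealed class AuditLog
{
    public int Id { get; set; }
    public string Username { get; set; } = "anonymous";
    public string Role { get; set; } = "";
    public DateTime TimestampUtc { get; set; }
    public string CorrelationId { get; set; } = "";
    public string IpAddress { get; set; } = "";
    public string Action { get; set; } = "";
}

public sealed class AuditDbContext : DbContext
{
    public AuditDbContext(DbContextOptions<AuditDbContext> options) : base(options) { }
    public DbSet<AuditLog> AuditLogs => Set<AuditLog>();
}

public sealed class AuditService
{
    private readonly AuditDbContext _db;
    public AuditService(AuditDbContext db) => _db = db;

    // Bound every caller-influenced string so a hostile login payload cannot bloat the table.
    private static string Clip(string s, int max) => s.Length <= max ? s : s[..max];

    // Records who did what, when, from where and under which correlation id. The action is
    // a short fixed label such as "LOGIN_FAILED" or "MEDICAL_RECORD_READ"; record contents
    // and credentials never go into the audit table.
    public async Task RecordAsync(HttpContext ctx, string action, string? username = null,
                                  CancellationToken ct = default)
    {
        var user = ctx.User;
        var entry = new AuditLog
        {
            // For a failed login there is no authenticated principal, so the caller passes
            // the attempted username explicitly.
            Username = Clip(username ?? user.Identity?.Name ?? "anonymous", 128),
            Role = string.Join(",", user.FindAll(ClaimTypes.Role).Select(c => c.Value)),
            TimestampUtc = DateTime.UtcNow,
            CorrelationId = ctx.TraceIdentifier,
            IpAddress = ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            Action = Clip(action, 128)
        };
        _db.AuditLogs.Add(entry);
        await _db.SaveChangesAsync(ct);
    }
}
```

The service exposes no update or delete path on purpose: an audit table that application code can only append to is what makes the "Accountability and traceability" row of the controls table hold.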
Technology stack:
- ASP.NET Core
- Entity Framework Core
- JWT Bearer Authentication
- Swagger / OpenAPI
- BCrypt
- GitHub Actions
- xUnit
- Docker
The repository integrates GitHub Actions CI workflows for automated validation and pipeline testing.
Current pipeline capabilities include:
- Automated build validation
- CI workflow execution
- Security-oriented repository structure
Planned improvements:
- CodeQL integration
- Dependency vulnerability scanning
- Secrets scanning
- Automated security testing
Planned security enhancements include:
- FluentValidation integration
- Refresh token support
- Integration security testing
- CodeQL security scanning
- Dependency vulnerability scanning
- Secrets scanning
- API versioning
- Structured SIEM-friendly logging
- Centralized logging integration
- Container security hardening
This repository was designed to demonstrate:
- Application Security engineering mindset
- Secure SDLC practices
- Secure API architecture
- Technical GRC awareness
- Defensive security controls
- AppSec-oriented development workflows
This project is intended for educational and portfolio purposes only.

