.NET Development

The .NET API Security Checklist We Follow on Every Project

Security isn't a feature — it's a baseline. Here's the checklist we run through for every .NET API we ship to production.

Bracha Group · 6 min read

Every API we build goes through a security review before deployment. Over time, we've formalized this into a checklist that covers the most critical areas.

Authentication and Authorization

  • JWT validation: Always validate issuer, audience, and expiration. Never trust tokens without verification.
  • Role-based and policy-based authorization: Use ASP.NET Core's authorization policies for granular access control.
  • API key rotation: Support multiple active keys to enable zero-downtime rotation.

Input Validation

  • Model validation: Use DataAnnotations and FluentValidation for all request models.
  • Parameterized queries: Never concatenate user input into SQL strings. EF Core handles this, but raw SQL needs explicit parameterization.
  • File upload restrictions: Validate file type, size, and content. Never trust the Content-Type header alone.

Rate Limiting and Throttling

ASP.NET Core's built-in rate limiting middleware handles most scenarios. We configure:

  • Per-endpoint rate limits based on expected usage
  • Sliding window algorithms for API consumers
  • Differentiated limits for authenticated vs. anonymous users
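An added example (not the article's own code) of the configuration described above, using ASP.NET Core's built-in rate-limiting middleware: a global sliding-window limiter partitioned by subject claim for authenticated callers and by source IP for anonymous ones, plus a stricter named policy attached to a single endpoint. The route paths, numeric limits and the "login" policy name are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// JWT bearer options (issuer, audience, lifetime) are configured elsewhere; authentication
// must be registered so HttpContext.User is populated before the limiter chooses a partition.
builder.Services.AddAuthentication().AddJwtBearer();
builder.Services.AddAuthorization();

builder.Services.AddRateLimiter(options =>
{
    // 429 rather than the default 503, so clients can tell throttling from an outage.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Global sliding-window limit, partitioned per caller: authenticated users are keyed by
    // their subject and get a larger budget; anonymous callers are keyed by source IP.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
    {
        if (ctx.User.Identity?.IsAuthenticated == true)
        {
            // Default inbound claim mapping renames "sub" to NameIdentifier, so check both.
            var subject = ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
                          ?? ctx.User.FindFirst("sub")?.Value ?? "authenticated";
            return RateLimitPartition.GetSlidingWindowLimiter(subject, _ => new SlidingWindowRateLimiterOptions
            {
                PermitLimit = 600, Window = TimeSpan.FromMinutes(1), SegmentsPerWindow = 6, QueueLimit = 0
            });
        }
        // Behind a reverse proxy, add UseForwardedHeaders first or every caller shares the proxy's IP.
        var ip = ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        return RateLimitPartition.GetSlidingWindowLimiter(ip, _ => new SlidingWindowRateLimiterOptions
        {
            PermitLimit = 60, Window = TimeSpan.FromMinutes(1), SegmentsPerWindow = 6, QueueLimit = 0
        });
    });

    // Named per-endpoint policy (assumed name), layered on top of the global limit for an expensive route.
    options.AddSlidingWindowLimiter("login", o =>
    {
        o.PermitLimit = 10; o.Window = TimeSpan.FromMinutes(1); o.SegmentsPerWindow = 6; o.QueueLimit = 0;
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseRateLimiter(); // after authentication, so the partition function sees the authenticated user

app.MapPost("/auth/login", () => Results.Ok()).RequireRateLimiting("login"); // assumed route
app.MapGet("/orders", () => Results.Ok()).RequireAuthorization();             // assumed route
app.Run();
```

Because QueueLimit is 0, excess requests are rejected immediately with 429 instead of being held, which keeps a flood from tying up server resources while it waits for permits.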

CORS Configuration

Never use a wildcard CORS policy in production. We explicitly list allowed origins and review them during each deployment.

Logging and Monitoring

  • Structured logging: We use Serilog with structured properties for every request.
  • Sensitive data filtering: Request/response logging must exclude passwords, tokens, and PII.
  • Alert thresholds: Set up alerts for unusual error rates, response times, and authentication failures.

Dependency Security

  • Regular NuGet audit: Run dotnet list package --vulnerable as part of CI.
  • Lock files: Use packages.lock.json so restores are reproducible and any unexpected change to a direct or transitive dependency shows up in review rather than silently entering the build.

HTTPS and Transport Security

  • HSTS headers: Enforce HTTPS with Strict-Transport-Security.
  • Certificate pinning: For service-to-service communication in sensitive environments.

Conclusion

Security is iterative. This checklist is our baseline — each project adds domain-specific security requirements on top. The important thing is having a systematic approach rather than relying on memory.
