HTTP Security Primer
In this very first module, I want to give you an overview of the essential things you have to know to secure your HTTP-based applications. This is basically divided into two parts. The first part is about transport security, or how you secure the bits and bytes going over the wire, and the second part is about the so-called HTTP authentication framework, that is, how you transmit user credentials. And as an appendix I have a list of APIs and tools and resources, like further reading resources, that you might be interested in when you want to, you know, learn more about the topic.
ASP.NET Web API Security Architecture
Web API version 1 didn't have any real security features. It mostly relied on security provided by the host, mostly IIS. Now the big theme in version 2 of Web API, and also this thing called project Katana, which goes along with Web API version 2, was security. So in version 2 we can really talk about something like a security architecture in Web API. And my intention for this module is to give you an overview of the architecture and show you all the various extensibility points that you can use to do security-related things. So I want to go over them one by one, starting with the hosting layer, all the way down the pipeline to authorization filters. What has also changed in Web API version 2 is how you access the client identity. There were various ways to do that in version 1, and now there's a new unified and recommended way in version 2, and so we're going to have a look at all these things.
Authorization
Now we've spent quite some time talking about how a user can authenticate, and how a client can authenticate, and how to request access tokens or request access in general to a Web API. Now, frankly, the hardest part is still to tackle, and that's what happens after we get access to the API and now we want to do authorization based on the user's identity or the client's identity. Now this is hard, because I can't give you any good guidance here, because that is so specific to the application you are building. You know, sometimes you're doing something based on roles, sometimes, you know, you have something like permissions, others use row-level security in databases or have a multi-tenancy model, and depending on all of these details you would take different approaches to authorization. Nevertheless, there are some mechanisms and some good practices in Web API that help you build your authorization infrastructure. So I first want to look at client vs. user authorization, and what the point is here. Then I want to look at this thing called authorization filters and their corresponding attributes. And then spend a little bit more time on basically custom authorization logic, which is probably the thing that you'll, you know, invest the most code in.
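The last two modules above mention three things without showing them: the Web API 2 unified way of reading the caller identity (the request context principal), authorization filters with their attributes, and custom authorization logic that separates client authorization from user authorization. The following is an added illustration written for this page, not code from the course or from the ASP.NET project. It assumes a Web API 2 (System.Web.Http 5.x) host, that the authentication layer has already placed a ClaimsPrincipal into the request context, and that OAuth2 scopes granted to the client surface as claims of the hypothetical type "scope"; the attribute name ScopeAndRoleAuthorizeAttribute and the scope/role values are invented for the example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical authorization filter (not part of Web API or the course):
// client authorization is expressed as required scopes, user authorization
// is expressed through the inherited Roles/Users properties of AuthorizeAttribute.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ScopeAndRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Claim type under which the assumed token handler exposes granted scopes.
    private const string ScopeClaimType = "scope";

    private readonly string[] _requiredScopes;

    public ScopeAndRoleAuthorizeAttribute(params string[] requiredScopes)
    {
        _requiredScopes = requiredScopes ?? new string[0];
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Web API 2: the recommended single place to read the caller identity.
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return false; // no authenticated caller at all -> 401 below
        }

        // Client authorization: every scope the action requires must have been granted.
        var grantedScopes = principal.FindAll(ScopeClaimType).Select(c => c.Value).ToList();
        if (_requiredScopes.Any(required => !grantedScopes.Contains(required, StringComparer.Ordinal)))
        {
            return false;
        }

        // User authorization: the base class evaluates Roles and Users via IsInRole / Identity.Name.
        return base.IsAuthorized(actionContext);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var identity = actionContext.RequestContext.Principal?.Identity;

        // An authenticated caller that lacks scope or role is forbidden (403),
        // which must not be confused with a missing/invalid credential (401).
        if (identity != null && identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden,
                "The client or user lacks the scope or role required for this action.");
        }
        else
        {
            base.HandleUnauthorizedRequest(actionContext); // 401 with the default behaviour
        }
    }
}

// Example usage: the client needs the "orders.read" scope for GET, and for the
// destructive action the client additionally needs "orders.write" while the
// user must be in the "OrderManager" role. Scope and role names are constructed.
[ScopeAndRoleAuthorize("orders.read")]
public class OrdersController : ApiController
{
    [HttpGet]
    [Route("orders/{id:int}")]
    public IHttpActionResult Get(int id)
    {
        // Same unified access to the identity inside the controller.
        var user = RequestContext.Principal as ClaimsPrincipal;
        var subject = user?.FindFirst("sub")?.Value ?? "(no subject claim)";
        return Ok(new { id, requestedBy = subject });
    }

    [HttpDelete]
    [Route("orders/{id:int}")]
    [ScopeAndRoleAuthorize("orders.write", Roles = "OrderManager")]
    public IHttpActionResult Delete(int id)
    {
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```

Two design points worth noting. First, checking scopes before roles keeps client authorization and user authorization as separate decisions, so a fully privileged user acting through a narrowly scoped client is still limited to what that client was granted. Second, the filter returns 403 rather than 401 for an authenticated caller that merely lacks permission; sending 401 there would prompt clients to re-authenticate endlessly and hides the real cause in logs.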