Why ASP.NET Core Security Needs a Checklist in 2026
Three things changed the threat picture this year. Supply chain attacks on NuGet keep rising. Regulations and standards (HIPAA, PCI DSS 4.0, India's DPDP Act, the EU AI Act) now expect documented controls, not intent. And LLM-generated code is shipping faster than human review can catch defaults that look right but are not.
A checklist forces consistency across teams and sprints. It is also how a serious Dot NET Development Company proves due diligence to auditors and CISOs. The list below is ordered by the path a request actually takes through your application.
1. Authentication and Identity
Use ASP.NET Core Identity, OpenID Connect, or a managed identity provider (Microsoft Entra ID, Auth0, Okta). Do not roll your own.
- Enforce a minimum password length of 12 with breach-password checks and account lockout after 5 failed attempts. Identity's lockout defaults to 5 attempts but only counts failures when PasswordSignInAsync is called with lockoutOnFailure: true; the breach check is not built in and needs a custom IPasswordValidator.
- Require multi-factor authentication for admin and finance roles. TOTP or FIDO2, not SMS.
- Rotate signing keys on a schedule and rotate refresh tokens on every use, revoking the whole token family if an already-used refresh token is presented again. Keep access token lifetime under 60 minutes.
- For service-to-service calls, use managed identities. No long-lived client secrets in config files.
A fintech client cut credential-stuffing incidents to zero in one quarter by adding breach-password checks and lockout. The lockout is an Identity option that already exists; the breach check is a short custom password validator.
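As an added example (not code from the article), here is a Program.cs that wires the items above into ASP.NET Core Identity: a 12-character minimum, lockout that actually counts failures, a breach-password validator using the k-anonymity range protocol (only the first five hex characters of the SHA-1 hash leave the process), and a login endpoint that turns lockout on. The names AppDbContext, ApplicationUser, IHashRangeSource, the "Sql" connection string and the example-portal User-Agent are assumptions; https://api.pwnedpasswords.com/range/ is Have I Been Pwned's public range endpoint; the Identity EF Core and EF SqlServer packages are assumed to be referenced.

```csharp
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Sql")));

// Range lookups send only a 5-character hash prefix over HTTPS; set a User-Agent (assumed name).
builder.Services.AddHttpClient<IHashRangeSource, HibpRangeSource>(c =>
    c.DefaultRequestHeaders.UserAgent.ParseAdd("example-portal/1.0"));

builder.Services
    .AddIdentity<ApplicationUser, IdentityRole>(o =>
    {
        o.Password.RequiredLength = 12;            // length beats composition rules
        o.Password.RequireNonAlphanumeric = false;
        o.Lockout.MaxFailedAccessAttempts = 5;     // the framework default, made explicit
        o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        o.Lockout.AllowedForNewUsers = true;
        o.User.RequireUniqueEmail = true;
    })
    .AddEntityFrameworkStores<AppDbContext>()
    .AddPasswordValidator<BreachedPasswordValidator<ApplicationUser>>() // runs on register and change
    .AddDefaultTokenProviders();

var app = builder.Build();

app.MapPost("/login", async (LoginRequest req, SignInManager<ApplicationUser> signIn) =>
{
    // Without lockoutOnFailure: true the Lockout options above are dead configuration.
    var result = await signIn.PasswordSignInAsync(req.UserName, req.Password,
        isPersistent: false, lockoutOnFailure: true);
    // Same 401 for a wrong password and a locked account: no account-state oracle.
    return result.Succeeded ? Results.Ok() : Results.Unauthorized();
});

app.Run();

public record LoginRequest(string UserName, string Password);

public class ApplicationUser : IdentityUser { }

public class AppDbContext(DbContextOptions<AppDbContext> options)
    : IdentityDbContext<ApplicationUser>(options) { }

// Source of "SUFFIX:COUNT" lines for a SHA-1 prefix; an interface so tests can use a fixture.
public interface IHashRangeSource
{
    Task<string> GetRangeAsync(string sha1Prefix, CancellationToken ct);
}

public sealed class HibpRangeSource(HttpClient http) : IHashRangeSource
{
    public Task<string> GetRangeAsync(string sha1Prefix, CancellationToken ct)
        => http.GetStringAsync($"https://api.pwnedpasswords.com/range/{sha1Prefix}", ct);
}

public sealed class BreachedPasswordValidator<TUser>(IHashRangeSource source)
    : IPasswordValidator<TUser> where TUser : class
{
    public async Task<IdentityResult> ValidateAsync(
        UserManager<TUser> manager, TUser user, string? password)
    {
        if (string.IsNullOrEmpty(password))
            return IdentityResult.Success;   // the built-in validator already rejects empties

        var hash = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        var prefix = hash[..5];
        var suffix = hash[5..];

        // A production version decides whether to fail open or closed when the source is down.
        var range = await source.GetRangeAsync(prefix, CancellationToken.None);
        foreach (var line in range.Split('\n', StringSplitOptions.RemoveEmptyEntries))
        {
            var colon = line.IndexOf(':');
            if (colon > 0 && line[..colon].Equals(suffix, StringComparison.OrdinalIgnoreCase))
                return IdentityResult.Failed(new IdentityError
                {
                    Code = "PasswordBreached",
                    Description = "This password appears in a known breach. Choose another."
                });
        }
        return IdentityResult.Success;
    }
}
```

The validator runs on registration and password change, not on login, so existing breached passwords are only caught when users next change them; a forced-reset campaign closes that gap. Unit tests can feed a canned range string through IHashRangeSource and assert that a known suffix is rejected.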
2. Authorization and Access Control
Authentication says who you are. Authorization says what you can do. Most apps confuse the two.
- Default to deny. Register a fallback authorization policy that requires an authenticated user, so endpoints nobody decorated are closed, keep [Authorize] at controller level, and open specific endpoints with [AllowAnonymous].
- Use policy-based authorization for anything beyond simple role checks. Policies live in code and are testable.
- Apply least privilege to database roles, storage SAS tokens, and queue access.
- Validate that a user owns the resource they touch. An ID in the URL is not enough. Insecure Direct Object Reference is still the most common bug we find in code reviews.
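An added example (not from the article) of the four points above in one minimal API: a fallback policy that denies by default, a named policy that combines a role with an MFA marker, and a resource-based handler that checks ownership after the object is loaded, so the ID in the URL never decides access by itself. The Invoice type, IInvoiceRepository, the in-memory sample data, the "FinanceAdmin" and "finance" names, and the JWT bearer setup (Microsoft.AspNetCore.Authentication.JwtBearer configured from appsettings) are assumptions; the amr=mfa claim value is the RFC 8176 registered value and assumes the identity provider emits it.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

var builder = WebApplication.CreateBuilder(args);

// Assumption: JWT bearer auth, read from the Authentication:Schemes:Bearer config section.
builder.Services.AddAuthentication().AddJwtBearer();

builder.Services.AddAuthorizationBuilder()
    // Deny by default: every endpoint without [AllowAnonymous] needs an authenticated user,
    // including the ones nobody remembered to decorate.
    .SetFallbackPolicy(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build())
    // Named, testable policy: finance role plus an MFA marker (assumes the IdP emits amr=mfa).
    .AddPolicy("FinanceAdmin", p => p.RequireRole("finance").RequireClaim("amr", "mfa"));

// Resource-based handler: the decision needs the loaded object, not just the route value.
builder.Services.AddSingleton<IAuthorizationHandler, InvoiceOwnerHandler>();
builder.Services.AddSingleton<IInvoiceRepository, InMemoryInvoices>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/invoices/{id:int}", async (int id, ClaimsPrincipal user,
    IInvoiceRepository repo, IAuthorizationService authz) =>
{
    var invoice = await repo.FindAsync(id);
    if (invoice is null) return Results.NotFound();

    var decision = await authz.AuthorizeAsync(user, invoice,
        new OperationAuthorizationRequirement { Name = "Read" });
    // 404 for "not yours" as well as "not there": no ID-enumeration oracle.
    return decision.Succeeded ? Results.Ok(invoice) : Results.NotFound();
});

app.MapPost("/invoices/{id:int}/approve", (int id) => Results.Accepted())
    .RequireAuthorization("FinanceAdmin");

app.MapGet("/health", () => Results.Ok()).AllowAnonymous();

app.Run();

public sealed record Invoice(int Id, string OwnerId, decimal Amount);

public interface IInvoiceRepository { Task<Invoice?> FindAsync(int id); }

// Constructed sample data so the example runs without a database.
public sealed class InMemoryInvoices : IInvoiceRepository
{
    private static readonly Dictionary<int, Invoice> Data = new()
    {
        [1] = new Invoice(1, "user-alice", 120.00m),
        [2] = new Invoice(2, "user-bob", 980.50m),
    };
    public Task<Invoice?> FindAsync(int id) =>
        Task.FromResult<Invoice?>(Data.GetValueOrDefault(id));
}

public sealed class InvoiceOwnerHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Invoice>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Invoice resource)
    {
        // The default JWT handler maps "sub" to NameIdentifier unless claim mapping is disabled.
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null && userId == resource.OwnerId)
            context.Succeed(requirement);
        // Not calling Fail() leaves room for another handler (say, a support role) to succeed.
        return Task.CompletedTask;
    }
}
```

Because the handler receives the loaded Invoice, the same check works for PUT and DELETE by changing the requirement's Name, and a test can construct a ClaimsPrincipal and call IAuthorizationService directly without an HTTP round trip.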
3. HTTPS, TLS, and Secure Headers
- Force HTTPS with app.UseHttpsRedirection() and HSTS in production. Set max-age to at least one year, and enable HSTS only outside Development: browsers cache it, and it will break plain-HTTP work on localhost.
- Disable TLS 1.0 and 1.1 at the load balancer or Kestrel level. TLS 1.2 minimum, TLS 1.3 preferred.
- Add headers: Content-Security-Policy, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, X-Frame-Options: DENY (the legacy twin of the CSP frame-ancestors 'none' directive; set both).
- Configure CORS narrowly: exact origins, methods, and headers. A wildcard origin lets any site read responses to requests the browser sends without credentials, which still exposes anything protected only by network position or an IP allowlist, and ASP.NET Core refuses to combine it with AllowCredentials. Reflecting the request's Origin header is worse, because it re-enables credentials for every site.
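As an added example (not the article's code), the transport and header items above in a single Program.cs: a TLS 1.2 floor on Kestrel, one-year HSTS gated to non-Development, permanent HTTPS redirects, a response-header middleware, and an exact-origin CORS policy. The front-end origin https://app.example.com, the "spa" policy name and the /api/ping route are assumptions.

```csharp
using System.Security.Authentication;

var builder = WebApplication.CreateBuilder(args);

// TLS floor when Kestrel terminates TLS itself; repeat the same floor on the load balancer
// if that is where TLS ends. TLS 1.3 also needs OS support (modern Windows/OpenSSL 1.1.1+).
builder.WebHost.ConfigureKestrel(k => k.ConfigureHttpsDefaults(h =>
    h.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13));

builder.Services.AddHsts(o =>
{
    o.MaxAge = TimeSpan.FromDays(365);
    o.IncludeSubDomains = true;
    o.Preload = true;   // only if every subdomain is HTTPS-only; leaving the preload list is slow
});
builder.Services.AddHttpsRedirection(o =>
    o.RedirectStatusCode = StatusCodes.Status308PermanentRedirect);

// CORS: exact origin, explicit methods and headers. AllowAnyOrigin() plus AllowCredentials()
// is rejected by the middleware at runtime, and a reflected Origin header is worse.
const string SpaPolicy = "spa";
builder.Services.AddCors(o => o.AddPolicy(SpaPolicy, p => p
    .WithOrigins("https://app.example.com")   // assumed front-end origin
    .WithMethods("GET", "POST")
    .WithHeaders("Content-Type", "Authorization")
    .AllowCredentials()));

var app = builder.Build();

if (!app.Environment.IsDevelopment())
    app.UseHsts();          // browsers cache HSTS, so keep it off localhost
app.UseHttpsRedirection();

// Security headers on every response, set before the rest of the pipeline runs so an
// endpoint can still tighten them but cannot forget them.
app.Use(async (ctx, next) =>
{
    var h = ctx.Response.Headers;
    h["Content-Security-Policy"] =
        "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'";
    h["X-Content-Type-Options"] = "nosniff";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    h["X-Frame-Options"] = "DENY";   // legacy equivalent of frame-ancestors 'none'
    await next(ctx);
});

app.UseCors(SpaPolicy);

app.MapGet("/api/ping", () => Results.Ok(new { ok = true }));

app.Run();
```

The CSP above blocks inline scripts; Razor pages that rely on them need nonces or hashes before it ships. Check the result from outside with curl -sI against the production host and confirm Strict-Transport-Security and Content-Security-Policy are present on a real page, not only on the ping route.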
4. Input Validation and Anti-Forgery
- Validate on the server with data annotations or FluentValidation. Client-side validation is for UX, not security.
- Keep antiforgery tokens on every state-changing form. Razor Pages validates them on every POST by default; MVC only injects the token into forms, so add AutoValidateAntiforgeryTokenAttribute as a global filter rather than marking actions one at a time.
- For APIs, pick one pattern and document it: cookie authentication with SameSite cookies plus antiforgery tokens, or pure bearer tokens in the Authorization header, which the browser never attaches on its own and which are therefore not exposed to CSRF.
- Razor encodes output by default, but Html.Raw is a foot-gun. Search your codebase and justify every instance.
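An added example (not from the article) of the server-side validation and antiforgery items above for the cookie-authenticated pattern: a global antiforgery filter for MVC, an antiforgery cookie hardened with SameSite and Secure, a token endpoint for a SPA that sends the token in a header, and a request model whose annotations are enforced by [ApiController]. The X-CSRF-TOKEN header name, the TransferRequest model, its IBAN length bounds and the /api/transfers route are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// MVC: validate the token on every POST/PUT/PATCH/DELETE, not only on the actions someone
// remembered to mark [ValidateAntiForgeryToken]. Skip this filter for pure bearer-token APIs.
builder.Services.AddControllersWithViews(o =>
    o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Cookie-authenticated SPA: the request token travels in a header the browser never adds
// by itself, so a cross-site form post cannot carry it.
builder.Services.AddAntiforgery(o =>
{
    o.HeaderName = "X-CSRF-TOKEN";                    // assumed header name
    o.Cookie.SameSite = SameSiteMode.Strict;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

// .NET 8+: antiforgery middleware sits after authentication/authorization and before endpoints.
app.UseAntiforgery();

// Issue a token to the SPA; GetAndStoreTokens sets the cookie half as a side effect.
// Tokens are bound to the signed-in identity, so the client must fetch a fresh one after login.
app.MapGet("/antiforgery/token", (IAntiforgery af, HttpContext ctx) =>
{
    var tokens = af.GetAndStoreTokens(ctx);
    return Results.Ok(new { token = tokens.RequestToken });
});

app.MapControllers();
app.Run();

// Server-side contract: these rules run regardless of what the client's JavaScript checked.
public sealed class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 15)]   // assumed IBAN length bounds
    [RegularExpression("^[A-Z0-9]+$")]
    public string DestinationIban { get; set; } = "";

    [Range(0.01, 1_000_000)]
    public decimal Amount { get; set; }
}

[ApiController]
[Route("api/transfers")]
public sealed class TransfersController : ControllerBase
{
    [HttpPost]
    public IActionResult Create([FromBody] TransferRequest req)
    {
        // [ApiController] already returned 400 for invalid ModelState; the explicit check
        // documents the contract and protects controllers that lack the attribute.
        if (!ModelState.IsValid) return ValidationProblem(ModelState);
        return Accepted();
    }
}
```

A quick negative test: POST to /api/transfers with a valid JSON body but no X-CSRF-TOKEN header must return 400 from the antiforgery filter before the action runs; with the header and an out-of-range Amount it must return a 400 validation problem. Both belong in the integration test suite so a removed filter is caught by CI.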
5. Secrets and Configuration Management
- No secrets in appsettings.json, environment files, or source control. Use Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault.
- Use the .NET Secret Manager for local development only.
- Rotate database connection strings, API keys, and certificates quarterly. Automate the rotation.
- Scan repos with git-secrets, truffleHog, or GitHub Advanced Security.
6. Dependency and Supply Chain Security
The Custom .NET Development Company you work with should treat dependency hygiene as a release blocker.
- Run dotnet list package --vulnerable --include-transitive on every CI build and fail on high and critical findings. The .NET 8 SDK also audits during restore (NuGetAudit) and reports NU1901 to NU1904 warnings by severity; promote NU1903 and NU1904 to errors with WarningsAsErrors so the build cannot pass with a known high or critical CVE.
- Pin versions with Central Package Management in Directory.Packages.props, and commit packages.lock.json with locked-mode restore in CI so transitive versions cannot drift either. No floating versions in production.
- Mirror critical NuGet packages to a private feed (Azure Artifacts, GitHub Packages, JFrog) and use NuGet package source mapping so each package ID resolves from exactly one feed; a typosquatted public package then cannot slip in through a second source.
- Generate a Software Bill of Materials (SBOM) per release. SPDX or CycloneDX. Regulators ask for it.
7. Data Protection and Encryption
- Encrypt data at rest with transparent data encryption (SQL Server, Azure SQL) or storage-level encryption.
- Use Always Encrypted or column-level keys for PII, payment data, and health records.
- Use the ASP.NET Core Data Protection API for cookies and tokens. Persist the key ring to shared storage (blob storage, Redis, or a database) and protect it with a Key Vault key, so every instance decrypts the same cookies and no key sits in plaintext on disk.
- For PCI DSS and HIPAA workloads, document key custody and access logs separately.
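The following is an added example (not the article's code) that serves both section 5 and the Data Protection item above: Key Vault as a configuration source through managed identity, Secret Manager left in charge for local development, and a Data Protection key ring persisted to blob storage and wrapped with a Key Vault key. The setting names KeyVault:Uri, DataProtection:BlobUri, DataProtection:KeyId, the "patient-portal" application name and the "Sql" connection string are assumptions; the packages Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets, Azure.Extensions.AspNetCore.DataProtection.Blobs and Azure.Extensions.AspNetCore.DataProtection.Keys are assumed to be referenced.

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// One credential chain for everything: managed identity on Azure, the developer's
// az login locally. No client secret exists anywhere to leak.
var credential = new DefaultAzureCredential();

// Key Vault as a configuration source. Secret names use "--" where config keys use ":",
// so the secret ConnectionStrings--Sql becomes ConnectionStrings:Sql. In Development,
// CreateBuilder already loaded the Secret Manager (user-secrets) store instead.
if (!builder.Environment.IsDevelopment())
{
    var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri is not set"));
    builder.Configuration.AddAzureKeyVault(vaultUri, credential);
}

// Data Protection: the key ring lives in blob storage so every instance shares it, and
// each key is wrapped with a Key Vault key so the blob never holds plaintext key material.
var dp = builder.Services.AddDataProtection()
    .SetApplicationName("patient-portal")           // isolates this app's keys from siblings
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));  // rotation is automatic; old keys still unprotect

if (!builder.Environment.IsDevelopment())
{
    dp.PersistKeysToAzureBlobStorage(
            new Uri(builder.Configuration["DataProtection:BlobUri"]!), credential)
      .ProtectKeysWithAzureKeyVault(
            new Uri(builder.Configuration["DataProtection:KeyId"]!), credential);
}

var app = builder.Build();

// Resolved from the vault in production and from user-secrets locally; never from appsettings.json.
var sql = app.Configuration.GetConnectionString("Sql")
    ?? throw new InvalidOperationException("ConnectionStrings:Sql is not set");

app.MapGet("/healthz", () => Results.Ok());
app.Run();
```

The managed identity needs only Key Vault Secrets User on the vault, Key Vault Crypto User on the wrapping key, and Storage Blob Data Contributor on the key-ring container; anything broader is a least-privilege finding. This split also matters for the read-only container filesystems in section 9: with the key ring in blob storage, the app writes nothing locally.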
8. Logging, Monitoring, and Incident Response
- Use structured logging (Serilog or the built-in logger). Ship logs to a central SIEM.
- Never log secrets, full JWTs, full card numbers, or unredacted PII. Add a redaction filter and test it.
- Alert on failed login spikes, 401/403 surges, and unusual 5xx patterns.
- Document an incident response runbook with named owners and a 72-hour breach notification path for GDPR and DPDP.
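As an added example (not from the article) of the "add a redaction filter and test it" item: a redactor that blanks JWTs and card numbers before a rendered line reaches any sink, with a Luhn check so order numbers and other long digit runs survive, and a Main that runs it over constructed sample lines. The sample token and the Visa test PAN 4111 1111 1111 1111 are constructed inputs, and the pattern bounds (10-character minimum per JWT segment, 13 to 19 digits per PAN) are this example's choices.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

public static partial class LogRedactor
{
    // JWT: three base64url segments separated by dots, optionally behind "Bearer ".
    [GeneratedRegex(@"(?:Bearer\s+)?[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")]
    private static partial Regex Jwt();

    // 13 to 19 digits with optional single spaces or dashes between them.
    [GeneratedRegex(@"\b(?:\d[ -]?){12,18}\d\b")]
    private static partial Regex Pan();

    public static string Redact(string message)
    {
        var s = Jwt().Replace(message, "[JWT]");
        return Pan().Replace(s, m =>
        {
            var digits = new string(m.Value.Where(char.IsDigit).ToArray());
            // Keep the last four so support staff can still correlate with the customer.
            return IsLuhnValid(digits) ? $"[PAN ****{digits[^4..]}]" : m.Value;
        });
    }

    // Luhn mod-10 check: rejects most non-card digit runs of the same length.
    internal static bool IsLuhnValid(string digits)
    {
        if (digits.Length < 13) return false;
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt)
            {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }
}

public static class RedactionDemo
{
    public static void Main()
    {
        // Constructed sample lines: the token is a throwaway HS256 JWT, the card is Visa's
        // public test PAN, and the order number is a 14-digit run that fails Luhn.
        string[] samples =
        {
            "auth failed user=jdoe token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
            "payment declined card=4111 1111 1111 1111 order=12345678901234",
        };
        foreach (var line in samples)
            Console.WriteLine(LogRedactor.Redact(line));
    }
}
```

Apply LogRedactor.Redact in the sink's formatter (for Serilog, a custom ITextFormatter) rather than at each call site, so it also covers exception messages and third-party log lines, and keep the sample lines above as a unit test in CI so a regex edit that stops matching is caught before it reaches production.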
9. Secure Deployment and Infrastructure
- Run containers as non-root. Use the mcr.microsoft.com/dotnet/aspnet:8.0-chiseled image when possible; it ships without a shell or package manager and runs as a non-root user by default.
- Set resource limits and read-only filesystems where the app does not write to disk. Move the Data Protection key ring to an external store first; on a read-only filesystem the app otherwise falls back to ephemeral keys, and every instance restart invalidates all cookies and tokens.
- Use private endpoints for SQL, storage, and Key Vault.
- Enable Microsoft Defender for Cloud or AWS Security Hub. Act on the recommendations.
Real-World Use Case: Healthcare Patient Portal
A US health-tech client engaged our ASP.NET Application Development Services to harden an existing patient portal ahead of a HITRUST audit. The codebase was on .NET 6, with mixed authentication patterns and secrets in environment files.
Over six weeks the team migrated to .NET 8 LTS, moved all secrets to Azure Key Vault with managed identity access, replaced bespoke role checks with policy-based authorization, added security headers, and stood up an SBOM pipeline. Critical CVE exposure dropped from 14 packages to zero. The audit passed on first review.
The point is not the before-and-after. It is that none of the work was novel. It was the checklist, applied with discipline.
Conclusion and Next Step
Security in ASP.NET Core is a posture, not a project. The framework gives you most of what you need. Configuration discipline and dependency hygiene give you the rest. Run this checklist before every release. Update it when CVEs land. Make it part of your PR template.
If you would rather hand the checklist to a team that runs it daily, we can help. MetaDesign Solutions is an ASP.NET Development Service Company with engineers shipping secure enterprise systems since 2006. Whether you need a one-time security review or want to hire ASP.NET developers as a long-term extension of your team, we can start within two weeks.

