SecuritySettings
Members
Namespace: ASPSecurityKit
Assembly: ASPSecurityKit.dll
Summary
Implements ISecuritySettings to expose the configurable settings used by the security pipeline.
Constructors
SecuritySettings(config)
Summary
Initializes a new instance of the SecuritySettings class.
Parameters
Name | Type | Description |
---|---|---|
config | ASPSecurityKit.IConfig | The configuration source from which the settings (for example, the appSettings keys listed below) are read. |
Properties
LetSuspendedAuthenticate
Summary
Gets or sets a value indicating whether suspended users are allowed to authenticate successfully. The default is false.
Value
true if suspended users are allowed to authenticate successfully; otherwise, false.
MustHaveBeenVerified
Summary
Gets or sets a value indicating whether the user must have been verified before executing requests. The default is true.
Value
true if the user must have been verified; otherwise, false.
Remarks
If MustHaveBeenVerified is true and the current user is not verified, operation execution is halted and an unauthorized response is returned. You can explicitly opt individual operations out of verification with VerificationNotRequired. See your platform-specific ASK library docs to learn how operations can be marked with request features.
HmacMaxAgeInSeconds
Summary
Gets or sets the HMAC maximum age in seconds. This value bounds the window in which a captured HMAC-signed request can be replayed, so keep it as low as the clock skew between your clients and servers allows. Default is 300 (5 minutes).
Value
The HMAC maximum age in seconds. Lower values shrink the replay window; values smaller than the clock skew of legitimate clients cause valid requests to be rejected.
Exceptions
Type | Description |
---|---|
System.ArgumentException | When value is not a positive integer (>= 1). |
Remarks
The default value is 300 (5 minutes). If no value is provided in configuration, or the configured value is less than or equal to 0, the default value is returned. To configure this setting in the configuration file, provide a value for the key of the same name, HmacMaxAgeInSeconds, in the appSettings section.
IsDevelopmentEnvironment
Summary
Gets or sets a value indicating whether the current application execution environment is development. The default is false. Used by components such as WriteToResponse to decide how much error detail to emit in the response.
Value
true if the current application execution environment is development; otherwise, false.
FirewallEnabled
Summary
Gets or sets a value indicating whether the IP firewall is enabled. The default is true.
Value
true if the IP firewall is enabled; otherwise, false.
IgnoreFirewallWithServiceHMacToken
Summary
Gets or sets a value indicating whether the IP firewall check should be skipped when a service HMAC token is being used. The default is true.
Value
true if the IP firewall check should be skipped when a service HMAC token is being used; otherwise, false.
AllowedVerbsForQSToken
Summary
Gets or sets the verbs (HTTP methods) for which an HMAC token may be supplied in the query string (QSHmac). Default is GET.
Value
The verbs (HTTP methods) for which an HMAC token may be supplied in the query string (QSHmac).
AllowedOperationsForImpersonation
Summary
Gets or sets a list of ImpersonateAllowOperation rules that determine which operations are allowed during impersonation without having to mark each operation explicitly. The default allows GET only (read-only impersonation).
Value
A list of ImpersonateAllowOperation rules that determine which operations are allowed during impersonation.
MFAAliveForMinutes
Summary
Gets or sets the duration in minutes of inactivity after which MFA is required again. The minimum is 5 and the default is 30.
Exceptions
Type | Description |
---|---|
System.ArgumentException | When value is less than 5. |
Remarks
The default value is 30 minutes. If no value is provided in configuration, or the configured value is less than 5, the default value is returned. To configure this setting in the configuration file, provide a value for the key of the same name, MFAAliveForMinutes, in the appSettings section.
PasswordResetTokenExpirationInMinutes
Summary
Gets or sets the time interval, in minutes, the password reset token is valid after it is generated.
Value
The time interval, in minutes, the password reset token is valid after it is generated.
Exceptions
Type | Description |
---|---|
System.ArgumentException | When value is not a positive integer. |
Remarks
The default value is 30. If no value is provided in configuration, or the configured value is less than or equal to 0, the default value is returned. To configure this setting in the configuration file, provide a value for the key of the same name, PasswordResetTokenExpirationInMinutes, in the appSettings section.
RememberMeTimeoutInMinutes
Summary
Gets or sets the timeout period, in minutes, of the persistent authentication cookie (issued when "remember me" is true).
Value
The timeout period, in minutes, of the persistent authentication cookie (issued when "remember me" is true).
Exceptions
Type | Description |
---|---|
System.ArgumentException | When value is not a positive integer. |
Remarks
The default value is 21600 (15 days). If no value is provided in configuration, or the configured value is less than or equal to 0, the default value is returned. To configure this setting in the configuration file, provide a value for the key of the same name, RememberMeTimeoutInMinutes, in the appSettings section.
PasswordHashingIterations
Summary
Gets or sets the iteration count used when computing the password hash with PBKDF2. This should never be lower than 1000 in a production environment; do not trade hash strength for execution speed. In test environments it can be lowered to the minimum the tests tolerate.
Value
The iteration count used when computing the password hash with PBKDF2.
Exceptions
Type | Description |
---|---|
System.ArgumentException | When value is not a positive integer. |
Remarks
The default value is 1000. If no value is provided in configuration, or the configured value is less than or equal to 0, the default value is returned. This should never be lower than 1000 in a production environment; do not trade hash strength for execution speed. Treat 1000 as a hard floor rather than a target: current password-storage guidance recommends PBKDF2 iteration counts in the hundreds of thousands, so set it as high as your login latency budget on production hardware permits. In test environments it can be lowered to the minimum the tests tolerate. To configure this setting in the configuration file, provide a value for the key of the same name, PasswordHashingIterations, in the appSettings section.
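Choosing a value for PasswordHashingIterations is a measurement, not a guess. The following calibration routine is an added example (not ASPSecurityKit's own code) that times PBKDF2 on the host that will actually serve logins and picks the largest iteration count that stays within a latency budget. It assumes PBKDF2-HMAC-SHA256 with a 32-byte output via .NET's Rfc2898DeriveBytes; this page does not state ASK's own PRF or output length, so treat the result as relative guidance and confirm the real login latency afterwards.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

// Added example, not ASPSecurityKit code. Assumption: PBKDF2-HMAC-SHA256 with a
// 32-byte derived key approximates the cost of ASK's password hashing closely enough
// to calibrate PasswordHashingIterations on the target hardware.
public static class Pbkdf2Calibration
{
    // Average wall-clock cost, in milliseconds, of one PBKDF2 derivation at the given
    // iteration count. The password and salt are constructed inputs; only the cost matters.
    public static double MeasureMilliseconds(int iterations, int samples = 5)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] password = Encoding.UTF8.GetBytes("correct horse battery staple");

        var sw = Stopwatch.StartNew();
        for (int i = 0; i < samples; i++)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            {
                kdf.GetBytes(32);
            }
        }
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds / samples;
    }

    // Doubles the iteration count from the documented production floor (1000) until one
    // derivation exceeds the budget, and returns the last count that fit. Never goes below
    // the floor, so a slow or busy box yields the floor rather than a weaker hash.
    public static int ChooseIterations(double budgetMilliseconds, int floor = 1000)
    {
        int best = floor;
        int candidate = floor;
        while (true)
        {
            double ms = MeasureMilliseconds(candidate);
            if (ms > budgetMilliseconds)
            {
                break;
            }
            best = candidate;
            candidate = checked(candidate * 2);
        }
        return best;
    }

    public static void Main()
    {
        // 250 ms per login is a common budget; measure on the slowest production host.
        int chosen = ChooseIterations(250);
        Console.WriteLine($"PasswordHashingIterations = {chosen} " +
                          $"(~{MeasureMilliseconds(chosen):F0} ms per hash)");
    }
}
```

Run this once per hardware generation, on the least powerful host in the pool and while it is under representative load, and put the resulting number into the PasswordHashingIterations key described above. Re-run it when hardware changes; the hash cost that was acceptable on last year's servers is a weaker defence on this year's attacker GPUs.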
ThrowSecurityFailureAsException
Summary
Gets or sets a value indicating whether a security failure should be thrown as an AuthFailedException. The default is false.
Value
true if a security failure should be thrown as an AuthFailedException; otherwise, false.
AuthCookieOptions
Summary
Gets or sets the default options for the authentication cookie.
Value
The default options for the authentication cookie.
Exceptions
Type | Description |
---|---|
System.ArgumentNullException | When value is null. |
Remarks
The default is new CookieOptions { HttpOnly = true, SameSite = SameSiteOption.Lax, Path = "/" }. ExpiresIn is not set by default because RememberMeTimeoutInMinutes already defines the timeout for all login schemes. Note that this default does not mark the cookie as Secure; for HTTPS deployments, review the cookie attributes so that the authentication cookie is never sent over plain HTTP.
UnprotectedRequestPaths
Summary
Gets the request paths (AbsolutePath) that are not protected by ASPSecurityKit's security pipeline. Matching is case-insensitive, and an item in this collection must match the incoming request path in full; partial (prefix) matches are deliberately not honoured, so that an entry cannot unintentionally unprotect sibling or child paths. Use this setting for endpoints such as API documentation, which never need authentication or access checks. Do not use it for public operations such as SignUp/SignIn; use AllowAnonymousAttribute instead, because for those you still want the request input validated for XSS and any AuthToken sent with the request processed.
Value
The request paths that are not protected by ASPSecurityKit's security pipeline.
Remarks
The default is an empty list (no paths are unprotected).
ValidateXss
Summary
Gets or sets a value indicating whether cross-site scripting (XSS) validation should be performed on the request input. The default is true for all environments except frameworks such as ASP.NET MVC5 that have their own built-in XSS validation.
Value
A Boolean value indicating whether cross-site scripting (XSS) validation should be performed on the request input.
Methods
IsMFAEnabled()
Summary
Determines whether multi-factor authentication is enabled. The default is true.
Returns
true if multi-factor authentication is enabled; otherwise, false.
Parameters
This method has no parameters.
GetMFAWhitelistedIPRanges()
Summary
Gets the IP ranges from which requests skip MFA entirely. The default is null (MFA is not skipped for any traffic).
Returns
The IP ranges from which requests skip MFA entirely.
Parameters
This method has no parameters.
GetPasswordExpirationIntervalInDays(user)
Summary
Gets the number of days after which the password expires for the user. The default is null (no expiration).
Returns
The number of days after which the password expires for the user.
Parameters
Name | Type | Description |
---|---|---|
user | ASPSecurityKit.IUser | Optional. The user for whom the password expiration is being determined; helps select the applicable password expiration policy in a multi-tenant environment. null when a new user is being created. |
IsUnprotected(absoluteUri)
Summary
Determines whether the given URL matches an entry in the UnprotectedRequestPaths collection.
Returns
true if the given URL matches an entry in the UnprotectedRequestPaths collection; otherwise, false.
Parameters
Name | Type | Description |
---|---|---|
absoluteUri | System.String | The requested URL. If it is null, empty or whitespace, no match is attempted and false is returned. |
Remarks
The default implementation applies the matching rules described under UnprotectedRequestPaths; you can override it with whatever logic you need.
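The full-match rule documented under UnprotectedRequestPaths, and applied by IsUnprotected and its async overloads, is easy to weaken by accident when extending the method. The following is an added example (not ASPSecurityKit's own code) that implements the documented rule next to the prefix match it deliberately avoids, so the difference can be observed on concrete URLs. It assumes the path collection is a list of strings and that matching is done against System.Uri.AbsolutePath; how the real pipeline normalises URLs is not stated on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not ASPSecurityKit code. Assumption: UnprotectedRequestPaths entries are
// plain strings compared against the AbsolutePath of the request URI.
public static class UnprotectedPathMatching
{
    // The documented rule: the whole AbsolutePath must equal an entry, ignoring case.
    // Query string and fragment are not part of AbsolutePath and are therefore ignored.
    public static bool IsUnprotectedFullMatch(IEnumerable<string> unprotectedPaths, string absoluteUri)
    {
        if (string.IsNullOrWhiteSpace(absoluteUri))
        {
            return false; // documented: no match is attempted for null/empty/whitespace
        }
        if (!Uri.TryCreate(absoluteUri, UriKind.Absolute, out Uri uri))
        {
            return false; // unparsable input fails closed (stays protected)
        }
        string path = uri.AbsolutePath;
        return unprotectedPaths.Any(p => string.Equals(p, path, StringComparison.OrdinalIgnoreCase));
    }

    // The shortcut the docs warn against: a prefix match leaks the exemption to every path
    // that merely starts with the entry.
    public static bool IsUnprotectedPrefixMatch(IEnumerable<string> unprotectedPaths, string absoluteUri)
    {
        if (!Uri.TryCreate(absoluteUri, UriKind.Absolute, out Uri uri))
        {
            return false;
        }
        return unprotectedPaths.Any(p => uri.AbsolutePath.StartsWith(p, StringComparison.OrdinalIgnoreCase));
    }

    public static void Main()
    {
        // Constructed configuration and requests for the demonstration.
        var unprotected = new List<string> { "/swagger/index.html", "/docs" };
        string[] requests =
        {
            "https://app.example.com/SWAGGER/index.html",     // case differs: full=True, prefix=True
            "https://app.example.com/swagger/index.html?v=2", // query ignored: full=True, prefix=True
            "https://app.example.com/docs/",                  // trailing slash: full=False, prefix=True
            "https://app.example.com/docs-admin",             // sibling path:   full=False, prefix=True
            "https://app.example.com/docs/export.csv",        // child path:     full=False, prefix=True
            "https://app.example.com/api/../docs",            // dot-segments collapse to /docs: full=True
        };

        foreach (string r in requests)
        {
            Console.WriteLine($"{r,-48} full={IsUnprotectedFullMatch(unprotected, r),-5} " +
                              $"prefix={IsUnprotectedPrefixMatch(unprotected, r)}");
        }
    }
}
```

Two practical consequences follow from the full-match rule. First, "/docs" and "/docs/" are different paths; if your framework serves both, list both. Second, if you override IsUnprotected (or the async overloads) to add convenience such as directory exemptions, keep the fail-closed behaviour for unparsable input and be explicit about which children you are exempting, because a prefix rule silently covers "/docs-admin" as well as "/docs".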
IsMFAEnabledAsync()
Summary
Determines whether multi-factor authentication is enabled. The default is true.
Returns
true if multi-factor authentication is enabled; otherwise, false.
Parameters
This method has no parameters.
IsMFAEnabledAsync(cancellationToken)
Summary
Determines whether multi-factor authentication is enabled. The default is true.
Returns
true if multi-factor authentication is enabled; otherwise, false.
Parameters
Name | Type | Description |
---|---|---|
cancellationToken | System.Threading.CancellationToken | The cancellation token. |
GetMFAWhitelistedIPRangesAsync()
Summary
Gets the IP ranges from which requests skip MFA entirely. The default is null (MFA is not skipped for any traffic).
Returns
The IP ranges from which requests skip MFA entirely.
Parameters
This method has no parameters.
GetMFAWhitelistedIPRangesAsync(cancellationToken)
Summary
Gets the IP ranges from which requests skip MFA entirely. The default is null (MFA is not skipped for any traffic).
Returns
The IP ranges from which requests skip MFA entirely.
Parameters
Name | Type | Description |
---|---|---|
cancellationToken | System.Threading.CancellationToken | The cancellation token. |
GetPasswordExpirationIntervalInDaysAsync(user)
Summary
Gets the number of days after which the password expires for the user. The default is null (no expiration).
Returns
The number of days after which the password expires for the user.
Parameters
Name | Type | Description |
---|---|---|
user | ASPSecurityKit.IUser | Optional. The user for whom the password expiration is being determined; helps select the applicable password expiration policy in a multi-tenant environment. null when a new user is being created. |
GetPasswordExpirationIntervalInDaysAsync(user,cancellationToken)
Summary
Gets the number of days after which the password expires for the user. The default is null (no expiration).
Returns
The number of days after which the password expires for the user.
Parameters
Name | Type | Description |
---|---|---|
user | ASPSecurityKit.IUser | Optional. The user for whom the password expiration is being determined; helps select the applicable password expiration policy in a multi-tenant environment. null when a new user is being created. |
cancellationToken | System.Threading.CancellationToken | The cancellation token. |
IsUnprotectedAsync(absoluteUri)
Summary
Determines whether the given URL matches an entry in the UnprotectedRequestPaths collection.
Returns
true if the given URL matches an entry in the UnprotectedRequestPaths collection; otherwise, false.
Parameters
Name | Type | Description |
---|---|---|
absoluteUri | System.String | The requested URL. If it is null, empty or whitespace, no match is attempted and false is returned. |
Remarks
The default implementation applies the matching rules described under UnprotectedRequestPaths; you can override it with whatever logic you need.
IsUnprotectedAsync(absoluteUri,cancellationToken)
Summary
Determines whether the given URL matches an entry in the UnprotectedRequestPaths collection.
Returns
true if the given URL matches an entry in the UnprotectedRequestPaths collection; otherwise, false.
Parameters
Name | Type | Description |
---|---|---|
absoluteUri | System.String | The requested URL. If it is null, empty or whitespace, no match is attempted and false is returned. |
cancellationToken | System.Threading.CancellationToken | The cancellation token. |
Remarks
The default implementation applies the matching rules described under UnprotectedRequestPaths; you can override it with whatever logic you need.
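Most of the settings on this page default to the safe side, and the configuration-file fallbacks quietly restore defaults for out-of-range values, so the realistic failure mode is a deliberate test-time relaxation (cheap hashing, suspended users allowed, firewall off, development error output) that is never reverted. The following is an added example (not ASPSecurityKit's own code) of a fail-fast start-up audit over the properties and methods documented above. It assumes a SecuritySettings instance has already been built from your IConfig, that UnprotectedRequestPaths enumerates as strings, and that the thresholds are this example's choices rather than library requirements.

```csharp
using System;
using System.Collections.Generic;
using ASPSecurityKit;

// Added example, not ASPSecurityKit code. Assumptions: the SecuritySettings instance is
// already configured; UnprotectedRequestPaths enumerates as strings; thresholds are ours.
public static class SecuritySettingsAudit
{
    // Returns one finding per setting that is weaker than this audit's policy.
    public static IReadOnlyList<string> Audit(SecuritySettings s, bool isProduction)
    {
        var findings = new List<string>();

        if (isProduction && s.IsDevelopmentEnvironment)
            findings.Add("IsDevelopmentEnvironment is true: detailed error output would reach clients.");
        if (s.LetSuspendedAuthenticate)
            findings.Add("LetSuspendedAuthenticate is true: suspended accounts can still sign in.");
        if (!s.MustHaveBeenVerified)
            findings.Add("MustHaveBeenVerified is false: unverified users can execute operations.");
        if (!s.FirewallEnabled)
            findings.Add("FirewallEnabled is false: IP firewall rules are not applied.");
        if (s.IgnoreFirewallWithServiceHMacToken)
            findings.Add("IgnoreFirewallWithServiceHMacToken is true: service tokens bypass the IP firewall (confirm this is intended).");
        if (!s.ValidateXss)
            findings.Add("ValidateXss is false: confirm the host framework performs its own XSS validation.");
        if (s.HmacMaxAgeInSeconds > 300)
            findings.Add($"HmacMaxAgeInSeconds is {s.HmacMaxAgeInSeconds}: replay window is wider than the 5-minute default.");
        if (s.PasswordHashingIterations < 1000)
            findings.Add($"PasswordHashingIterations is {s.PasswordHashingIterations}: below the documented production floor of 1000.");
        if (s.PasswordResetTokenExpirationInMinutes > 60)
            findings.Add($"PasswordResetTokenExpirationInMinutes is {s.PasswordResetTokenExpirationInMinutes}: reset links stay valid for over an hour.");
        if (s.RememberMeTimeoutInMinutes > 21600)
            findings.Add($"RememberMeTimeoutInMinutes is {s.RememberMeTimeoutInMinutes}: persistent sessions outlive the 15-day default.");
        if (!s.AuthCookieOptions.HttpOnly)
            findings.Add("AuthCookieOptions.HttpOnly is false: the authentication cookie is readable by script.");
        if (!s.IsMFAEnabled())
            findings.Add("IsMFAEnabled() is false: multi-factor authentication is switched off.");
        if (s.GetMFAWhitelistedIPRanges() != null)
            findings.Add("GetMFAWhitelistedIPRanges() is set: requests from those ranges skip MFA entirely (review them).");

        // Entries are compared in full against AbsolutePath, which always starts with "/".
        // Anything else can never match, which is fail-safe but almost certainly a mistake.
        foreach (string path in s.UnprotectedRequestPaths)
        {
            if (string.IsNullOrWhiteSpace(path) || !path.StartsWith("/", StringComparison.Ordinal))
                findings.Add($"UnprotectedRequestPaths entry '{path}' is not an absolute path and will never match.");
            else if (path == "/")
                findings.Add("UnprotectedRequestPaths contains '/': the site root is unauthenticated (confirm this is intended).");
        }

        return findings;
    }

    // In production a weak configuration prevents the host from starting; elsewhere it is logged.
    public static void EnforceAtStartup(SecuritySettings s, bool isProduction)
    {
        IReadOnlyList<string> findings = Audit(s, isProduction);
        if (isProduction && findings.Count > 0)
        {
            throw new InvalidOperationException(
                "Insecure SecuritySettings:" + Environment.NewLine + string.Join(Environment.NewLine, findings));
        }
        foreach (string f in findings)
        {
            Console.WriteLine("WARN " + f);
        }
    }
}
```

Call SecuritySettingsAudit.EnforceAtStartup(settings, isProduction) once during application start-up, after the settings have been populated. Derive isProduction from the hosting environment rather than from IsDevelopmentEnvironment, since that property is one of the values under audit. Tighten or relax the thresholds to your own policy; the point is that the policy is checked by code at every deployment rather than remembered by people.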