ASP.NET Core Authentication Patterns: Cookie vs JWT vs OIDC
When to use cookie, JWT, or OIDC authentication in ASP.NET Core - a decision framework with threat model considerations.
Insights tagged with Security
Middleware order determines what works and what silently breaks. ForwardedHeaders before HTTPS, Authentication before Authorization, Routing before Rate Limiting.
Fixed window vs sliding window vs token bucket: choose the right algorithm, partition by IP or user, and handle edge cases like missing IPs and exempt endpoints.
ForwardedHeaders configuration that prevents IP spoofing: KnownNetworks vs KnownProxies, Azure/AWS/Nginx setups, and verification commands.
The 6 configuration mistakes that cause production incidents: secrets in logs, missing validation, hardcoded values, environment leakage, and insecure defaults.
A practical threat model for AI-generated diffs, with concrete guardrails from a real ASP.NET Core content site.