SecurityBlanket 1.1.0

There is a newer version of this package available.
See the version list below for details.

dotnet add package SecurityBlanket --version 1.1.0

NuGet\Install-Package SecurityBlanket -Version 1.1.0

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="SecurityBlanket" Version="1.1.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

paket add SecurityBlanket --version 1.1.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: SecurityBlanket, 1.1.0"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

// Install SecurityBlanket as a Cake Addin
#addin nuget:?package=SecurityBlanket&version=1.1.0

// Install SecurityBlanket as a Cake Tool
#tool nuget:?package=SecurityBlanket&version=1.1.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

A Security Blanket for your API

Nuget GitHub Workflow Status

When building an API, you have to always worry about data leaks: is it possible for a customer to accidentally view data for another customer? Does your API expose some information they shouldn't be permitted to see?

You can tell your engineers to check their database queries carefully, but even the tiniest mistake can leak customer data in a multi-tenant software-as-a-service environment.

With SecurityBlanket, you can add a second layer of protection: a middleware filter that verifies all your data before the API serves up a response.

Here's how to use it.

Step 1 - Add the middleware to your project

In your Program.cs file, mark all controllers to use the security blanket action filter.

var builder = WebApplication.CreateBuilder(args);

// Add the Security Blanket middleware to all API responses
builder.Services.AddControllersWithViews(options =>
{
    options.Filters.Add<SecurityBlanketActionFilter>();
});

var app = builder.Build();

Step 2 - Give your API response objects security rules

Add the IVisibleResult or IVisibleAsyncResult interface to your API response classes. This interface allows the object to determine whether or not it is permitted to be seen by the current HttpContext. This independent check will help you ensure that all database queries produce data the user is entitled to view.

Here's one way you could implement security on your objects:

public class MyApiResultObject : ICustomSecurity {
    public int AccountId { get; set; }
    bool IsVisible(HttpContext context)
    {
        return this.AccountId == (int?)context.Items["accountId"];
    }
}

If you have nested objects, you'll want to implement ICompoundSecurity. For data that isn't considered private, tag them with INoSecurity. You can easily audit all your objects to ensure that each of them has a valid security policy that can be tested against the API caller's HTTPContext.

Step 3 - Monitor your logs for security exceptions

If one of your APIs attempts to show an object to a user who isn't entitled to see it, you will get an exception. Track these exceptions and make sure that you track down all the sources of object visibility errors.

Step 4 - Use SecurityBlanket for custom validation

You can use the validator in your code outside of the API action filter as well:

var failures = await Validator.Validate(objectToValidate, context);

Product	Compatible and additional computed target framework versions.
.NET	net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.
.NET Core	netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed.
.NET Standard	netstandard2.0 is compatible. netstandard2.1 was computed.
.NET Framework	net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed.
MonoAndroid	monoandroid was computed.
MonoMac	monomac was computed.
MonoTouch	monotouch was computed.
Tizen	tizen40 was computed. tizen60 was computed.
Xamarin.iOS	xamarinios was computed.
Xamarin.Mac	xamarinmac was computed.
Xamarin.TVOS	xamarintvos was computed.
Xamarin.WatchOS	xamarinwatchos was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

.NETStandard 2.0
- Microsoft.AspNetCore.Mvc.Abstractions (= 2.2.0)
- Microsoft.AspNetCore.Mvc.Core (= 2.2.5)

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last updated
1.1.1	536	8/20/2023
1.1.0	700	11/23/2022
1.0.0	734	11/16/2022

# 1.1.0
     November 23, 2022

     Refined the program and improved documentation and usability.

     * Added simple security policy for public data (i.e. data with no restrictions on visibility)
     * Added compound security policy that can demonstrate multiple objects nested which also require validation
     * Refined the ActionFilter to hide details of the exception and return a simplified JSON response
     * Added logging using the standard ILogger interface
     * Added tests for ActionFilter behavior
     * Updated the demo app to demonstate these scenarios