Understanding Anti-Forgery in ASP.NET Core
In today’s web applications, security is a top priority. One of the common attacks that web developers need to guard against is Cross-Site Request Forgery (CSRF). ASP.NET Core provides built-in support to protect against such attacks using Anti-Forgery tokens.
Let’s explore what CSRF is, look at the default settings in ASP.NET Core, and see how to implement Anti-Forgery in MVC, Razor Pages, and Minimal APIs. We will also cover handling Anti-Forgery tokens for XHR or fetch requests originating from JavaScript, and considerations for load-balanced scenarios.
Duende IdentityServer 7.2.0 Release Now Available
A busy week here at Duende! After yesterday’s release of Duende BFF Security Framework V3, we’re happy to announce the release of Duende IdentityServer 7.2.0, which includes enhancements, bug fixes, and new features. This post will discuss some of the most notable changes and how you might want to use them in your current deployments.
Duende BFF Security Framework V3 released!
Good news! We are happy to share a new major version of the Duende Backend-for-Frontend (BFF) Security Framework V3 with you.
When building applications with SPA frameworks like React, Angular, VueJs or Blazor, Backend-For-Frontend (BFF) makes it easier and more secure to integrate and manage OAuth/OpenID Connect interactions.
In this post, let’s explore what’s new in Duende BFF v3.
Data Protection for ASP.NET Core Developers and Duende IdentityServer
Data Protection is an essential part of securing ASP.NET Core applications while retaining the ability to scale out to meet user demand.
In this post, we’ll discuss data protection, how to implement it, how to configure data protection options, and some choices you may want to consider when building your applications. We’ll also explain how this relates to our Duende IdentityServer product offering.
IdentityServer4 is public again
Duende BFF Security Framework V3 Release Candidate 1
Today, we’re happy to bring you the first Release Candidate for the next version of the Duende Backend-for-Frontend (BFF) Security Framework V3.
BFF (Backend-For-Frontend) solves security and development challenges for client-side developers using SPA frameworks like React, Angular, VueJs or Blazor by providing a dedicated backend to manage OAuth/OIDC interactions while enforcing a “no tokens in the browser” policy.
In this blog post, we’ll look at some new functionality and cover some aspects you should be aware of when upgrading.
Upcoming Duende IdentityServer 7.2 Preview 1 Release
Duende IdentityServer 7.1 New Year's Release
Happy New Year! Duende IdentityServer 7.1 is a new release we’re excited to share with you. In this article, we will discuss some exciting enhancements and breaking changes that software developers should be aware of when upgrading from previous versions.
Security hotfix for Duende.AccessTokenManagement.OpenIdConnect
We recently published Duende.AccessTokenManagement.OpenIdConnect 3.0.1, a security hotfix which addresses CVE-2024-51987, a medium-severity security issue that can cause refreshed access tokens to be cached and used for the wrong user.
We encourage everyone using Duende.AccessTokenManagement.OpenIdConnect 3.0.0 to update to version 3.0.1.
DPoP Package Updates
Today we are publishing two NuGet packages related to DPoP:
- Duende.IdentityServer 7.0.8, which addresses a low-severity security issue in our DPoP support for local APIs (CVE-2024-49755), and
- Duende.AspNetCore.Authentication.JwtBearer 0.1.3, the first preview of a new series of ASP.NET Core extensions that help you leverage advanced IdentityServer features - in this case DPoP support for APIs.
We encourage everyone using IdentityServer 7.0.0 and later to update to IdentityServer 7.0.8, but do note that most IdentityServer implementations are not affected. In this blog post, we’ll discuss the issue in more detail and the specific circumstances where this vulnerability applies, as well as show how to use the new package to implement DPoP in your ASP.NET APIs.