Tutorials ASP.NET Core Complete Tutorial (ShopNest)
Data Protection and Encryption in ASP.NET Core
Learn Data Protection and Encryption in ASP.NET Core in our free ASP.NET Core Complete Tutorial (ShopNest) series. Step-by-step explanations, examples, and interview tips on Toolliyo Academy.
On this page
Introduction
ShopNest Health module stores sensitive patient data — ASP.NET Core Data Protection API encrypts cookies and tokens; combined with XSS/CSRF/SQL injection defenses and OWASP awareness, you build defensible applications.
After this article you will
- Use IDataProtectionProvider for field-level encryption
- Understand cookie encryption and key ring
- Prevent SQL injection via EF Core parameterization
- Prevent XSS in Razor and CSRF on forms
- Map OWASP Top 10 to ASP.NET Core mitigations
Prerequisites
- Article 33 — OAuth2 and External Login
- ShopNest.Web with EF Core and configuration from Module 3
Concept deep-dive
public class PatientDataProtector
{
private readonly IDataProtector _protector;
public PatientDataProtector(IDataProtectionProvider provider)
=> _protector = provider.CreateProtector("ShopNest.Health.Patient.v1");
public string Protect(string plain) => _protector.Protect(plain);
public string Unprotect(string cipher) => _protector.Unprotect(cipher);
}
| Threat | ShopNest defense |
|---|---|
| SQL injection | EF Core parameterized queries — never string-concat SQL |
| XSS | Razor auto-encoding; avoid Html.Raw on user input |
| CSRF | [ValidateAntiForgeryToken] + form tag helpers |
| Broken auth | Identity, lockout, HTTPS, secure cookies |
| Sensitive data exposure | Encrypt at rest, TLS in transit, mask logs |
GDPR basics: consent, data export/delete endpoints, minimize collected fields, audit access to patient records.
Hands-on — ShopNest Healthcare Patient Data System
- Encrypt patient notes field with Data Protection before SaveChanges.
- Security headers middleware (X-Content-Type-Options, CSP baseline).
- Audit log who viewed patient record (Article 26 filter pattern).
Common errors & best practices
- Hard-coded data protection keys — configure key ring persistence in production (Azure Blob/Redis).
- Html.Raw(@Model.UserBio) — XSS vector.
- FromSqlRaw with string concat — SQL injection.
Interview questions
Q: Data Protection vs manual AES?
A: Data Protection handles key rotation and purpose isolation — preferred for app-level encrypt.
Q: CSRF how prevented?
A: Synchronizer token — cookie + hidden form field validated on POST.
Q: EF Core SQL injection?
A: Use parameterized FromSqlRaw with {0} placeholders, never interpolate user input.
Summary
- Data Protection API for cookies and field encryption
- EF Core + Razor defaults block injection and XSS
- OWASP Top 10 mapped to concrete ShopNest practices
- GDPR-aware design for healthcare patient data
Previous: OAuth2 and External Login
Next: HTTPS, SSL Certificates and Security
FAQ
Key ring in Azure?
Persist to Azure Blob Storage or Redis so all instances share keys.
Encrypt DB columns vs app-level?
App-level with Data Protection for selective fields; TDE for whole database at rest.
Sign in to ask a question or upvote helpful answers.
No questions yet — be the first to ask!