Stop Man-in-the-Middle (MITM) Attacks (.NET Core)

Use HTTPS

Ensure that your ASP.NET Core application serves all traffic over HTTPS. TLS gives each connection confidentiality and integrity, and the server certificate lets the client verify who it is talking to, so an on-path attacker can neither read nor alter the traffic without presenting a certificate the client trusts.


  • Obtain and install an SSL/TLS certificate: use a certificate from a trusted Certificate Authority (CA) and automate its renewal. An expired certificate trains users to click through browser warnings, which is exactly the behaviour a MITM relies on.
  • Enforce HTTPS: configure the application to redirect every HTTP request to HTTPS.
  • Keep certificate validation on for outbound calls: an HttpClientHandler whose ServerCertificateCustomValidationCallback simply returns true makes your own service trivial to intercept.


In Program.cs (or the Configure method in Startup.cs), enforce HTTPS by adding the redirection middleware early in the pipeline. The redirect itself travels over plain HTTP, so the very first request is still exposed to an on-path attacker; HSTS (below) closes that gap for returning browsers:

app.UseHttpsRedirection();


Secure Your TLS Configuration

Use a strong TLS configuration. The certificate proves the server's identity, but a weak protocol version or cipher suite lets an attacker downgrade or break the session anyway.


  • Disable older protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996) and should never be negotiated; allow TLS 1.2 and 1.3 only.
  • Enable strong cipher suites: prefer ECDHE key exchange with AEAD ciphers (AES-GCM or ChaCha20-Poly1305) and no CBC or static-RSA suites. On Windows, Kestrel defers to the machine-wide SCHANNEL settings for cipher order; on Linux and macOS the suites can be pinned in code.


In appsettings.json, the Kestrel section accepts the allowed TLS versions as an array under EndpointDefaults (or per endpoint). Note that the Protocols key selects HTTP versions, not TLS versions; it is SslProtocols that restricts the handshake:

{
  "Kestrel": {
    "EndpointDefaults": {
      "Protocols": "Http1AndHttp2",
      "SslProtocols": ["Tls12", "Tls13"]
    }
  }
}
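As an added example (not code from the original page), the same restriction applied in code in Program.cs, which is also the only place Kestrel lets you pin cipher suites. The suite list is an assumption for illustration; check it against the clients you must support.

```csharp
using System.Net.Security;
using System.Security.Authentication;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Applies to every HTTPS endpoint Kestrel listens on.
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // Only TLS 1.2 and 1.3 are offered in the handshake; SSL 3, TLS 1.0 and 1.1 are refused.
        https.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

        // Pin the cipher suites (assumed list: ECDHE + AEAD only, no CBC, no static RSA).
        // CipherSuitesPolicy is honoured by OpenSSL (Linux) and macOS; on Windows it throws
        // PlatformNotSupportedException because SCHANNEL cipher order is a machine-wide setting.
        if (!OperatingSystem.IsWindows())
        {
            https.OnAuthenticate = (connection, sslOptions) =>
            {
                sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(new[]
                {
                    TlsCipherSuite.TLS_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                });
            };
        }
    });
});

var app = builder.Build();
app.MapGet("/", () => "TLS 1.2/1.3 only");
app.Run();
```

Verify the result from outside rather than trusting the config: openssl s_client -connect host:443 -tls1_1 must fail to complete a handshake, and -tls1_2 / -tls1_3 must succeed with one of the pinned suites.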


Implement HSTS (HTTP Strict Transport Security)

HSTS tells a browser that has received the header over HTTPS to connect to your site only over HTTPS for the configured max-age, even if the user types http:// or follows an http:// link. Browsers ignore the header when it arrives over plain HTTP, and a browser that has never visited the site over HTTPS is not yet protected unless the domain is on the HSTS preload list.


Add HSTS to the middleware pipeline in Program.cs, before UseHttpsRedirection. Enable it only outside Development: browsers cache the policy for the full max-age, so sending it from a non-localhost test host can lock you out of plain HTTP for weeks (the middleware skips localhost and loopback addresses by default):

app.UseHsts();
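As an added example (not code from the original page) covering both the HTTPS redirection and the HSTS sections above: the two middlewares configured with explicit options, plus the forwarded-headers setup the app needs when a reverse proxy terminates TLS in front of it. The proxy address 10.0.0.5 and the excluded host name are assumptions.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpsRedirection(options =>
{
    // 308 preserves the method and body (307, the default, does too; 301/302 turn a POST into a GET).
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    // Assumption: public HTTPS port. Set it explicitly when the app cannot discover it, e.g. behind a proxy.
    options.HttpsPort = 443;
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);   // the default is only 30 days
    options.IncludeSubDomains = true;           // otherwise a plaintext sub.example.com is still interceptable
    options.Preload = true;                     // only after the domain has been submitted to the preload list
    options.ExcludedHosts.Add("legacy.internal.example"); // assumption: a host that must stay plain HTTP
});

var app = builder.Build();

// Assumption: TLS is terminated by one trusted reverse proxy at 10.0.0.5 that sets X-Forwarded-Proto.
// Without this, Request.IsHttps is false for every proxied request: the redirect middleware loops
// and the HSTS middleware never emits its header, because it only does so on HTTPS requests.
var forwarded = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    ForwardLimit = 1,
};
forwarded.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
app.UseForwardedHeaders(forwarded);

if (!app.Environment.IsDevelopment())
{
    // Browsers cache the policy for MaxAge; never send it from a development host.
    app.UseHsts();
}
app.UseHttpsRedirection();

app.MapGet("/", () => "secure");
app.Run();
```

Restricting KnownProxies matters: if any client may set X-Forwarded-Proto, an attacker can claim a plaintext request was HTTPS and skip the redirect entirely.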


Secure Cookies

Ensure that your cookies are only ever sent over HTTPS and are not readable from JavaScript. An on-path attacker who cannot break TLS can still inject an http:// link or image for your domain into some other plaintext page; without the Secure flag the browser attaches the session cookie to that request in the clear.


  • Set the Secure, HttpOnly and SameSite flags: Secure stops the cookie from being sent over non-HTTPS connections, HttpOnly stops script from reading it, and SameSite limits which cross-site requests carry it.


When registering services in Program.cs (builder.Services; in Startup.cs this is the ConfigureServices method, where the parameter is named services):

builder.Services.AddSession(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // never sent over plain HTTP
    options.Cookie.HttpOnly = true;                          // not readable from script
    options.Cookie.SameSite = SameSiteMode.Strict;           // not attached to cross-site requests
});
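As an added example (not code from the original page): a global cookie policy so that every cookie the app emits (session, authentication, antiforgery, TempData) gets the flags, not just the session cookie, plus a session cookie using the __Host- prefix. The cookie name and idle timeout are assumptions.

```csharp
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

// Applied by UseCookiePolicy to every Set-Cookie the app writes, whichever component wrote it.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;        // Secure flag added to every cookie
    options.HttpOnly = HttpOnlyPolicy.Always;          // HttpOnly flag added to every cookie
    options.MinimumSameSitePolicy = SameSiteMode.Lax;  // floor; individual cookies may be stricter
});

builder.Services.AddSession(options =>
{
    // __Host- prefix: the browser rejects the cookie unless it is Secure, has Path=/ and no Domain,
    // so a plaintext origin on the same host can never overwrite it.
    options.Cookie.Name = "__Host-session";            // assumption: cookie name
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.IdleTimeout = TimeSpan.FromMinutes(20);    // assumption: session lifetime
});
builder.Services.AddDistributedMemoryCache();          // backing store the session middleware requires

var app = builder.Build();

app.UseHttpsRedirection();
app.UseCookiePolicy();   // must run before any middleware that writes cookies
app.UseSession();

app.MapGet("/", (HttpContext ctx) =>
{
    ctx.Session.SetString("seen", "1");
    return "session cookie set with Secure; HttpOnly; SameSite=Strict";
});

app.Run();
```

The authentication cookie configured through AddCookie exposes the same options.Cookie builder, so the identical three lines apply there.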


Implement Content Security Policy (CSP)

CSP is primarily an anti-XSS control: it restricts where scripts and other resources on your pages may be loaded from. Its MITM-relevant piece is the upgrade-insecure-requests directive, which makes the browser fetch any http:// subresource over https:// instead, so an attacker cannot tamper with a stray plaintext script or image that would otherwise run in the context of your HTTPS page.


Add the CSP header in your middleware. Use the header indexer rather than Add so the value is set exactly once even if another component already wrote it:

app.Use(async (context, next) =>
{
    context.Response.Headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self';";
    await next();
});
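As an added example (not code from the original page): a policy that also closes the mixed-content gap. The endpoint deliberately references an http:// image on an assumed CDN host so you can watch the browser rewrite the request to https:// in its network tab.

```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Assumed policy: same-origin only, no plugins, no <base> hijacking, and every http://
// subresource upgraded to https:// before the request leaves the browser.
const string Csp =
    "default-src 'self'; " +
    "script-src 'self'; " +
    "object-src 'none'; " +
    "base-uri 'self'; " +
    "upgrade-insecure-requests";

app.Use(async (context, next) =>
{
    // Indexer assignment replaces any existing value, so the header is never duplicated.
    context.Response.Headers["Content-Security-Policy"] = Csp;
    // Stops a browser from sniffing an injected response into executable content.
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await next(context);
});

// Assumption: cdn.example.test is a host you control. With the policy above the browser
// requests https://cdn.example.test/logo.png even though the markup says http://.
app.MapGet("/", () => Results.Content(
    "<!doctype html><img src=\"http://cdn.example.test/logo.png\" alt=\"logo\">",
    "text/html"));

app.Run();
```

upgrade-insecure-requests only rewrites the scheme; it does not help if the CDN host has no HTTPS listener, so check every third-party origin actually answers on 443 before relying on it.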


Monitor and Audit

Regularly monitor and audit your application and server for activity that suggests interception: plaintext requests still arriving after HSTS is deployed, connections negotiating TLS below 1.2, unexpected Host headers, and certificate errors reported by clients.


  • Use logging: record the scheme, host, negotiated TLS version, remote address and status code for each request so that anomalies stand out. Never log cookies or Authorization headers; a log that contains session tokens is its own interception channel.


In Program.cs, a minimal request-logging middleware (Scheme is "http" for a request that reached the app in the clear):

app.Use(async (context, next) =>
{
    // Log who asked for what, and over which scheme; structured fields keep the
    // values searchable instead of buried in one string.
    app.Logger.LogInformation("{Method} {Scheme}://{Host}{Path} from {RemoteIp}",
        context.Request.Method, context.Request.Scheme, context.Request.Host,
        context.Request.Path, context.Connection.RemoteIpAddress);
    await next.Invoke();
});
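As an added example (not code from the original page): the same middleware extended to read the negotiated TLS parameters from Kestrel and to raise warnings on the two signals that matter most for MITM detection. The thresholds are assumptions; Scheme and IsHttps are only meaningful behind a proxy if forwarded headers are configured.

```csharp
using System.Security.Authentication;
using Microsoft.AspNetCore.Connections.Features;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.Use(async (context, next) =>
{
    // Populated by Kestrel when it terminated TLS itself; null on plaintext connections
    // and when a reverse proxy terminated TLS in front of the app.
    var tls = context.Features.Get<ITlsHandshakeFeature>();
    var remote = context.Connection.RemoteIpAddress;

    // Structured fields so a SIEM can group on Scheme, Protocol and RemoteIp.
    app.Logger.LogInformation(
        "{Method} {Scheme}://{Host}{Path} from {RemoteIp} tls={Protocol} cipher={Cipher}",
        context.Request.Method, context.Request.Scheme, context.Request.Host, context.Request.Path,
        remote, tls?.Protocol, tls?.CipherAlgorithm);

    if (!context.Request.IsHttps)
    {
        // Once HSTS is deployed these should dwindle to almost nothing; a burst from a single
        // address after that point is worth a look.
        app.Logger.LogWarning("Plaintext request {Method} {Path} from {RemoteIp}",
            context.Request.Method, context.Request.Path, remote);
    }
    else if (tls is not null && tls.Protocol < SslProtocols.Tls12)
    {
        // Impossible if SslProtocols = Tls12 | Tls13 took effect on this endpoint; if it
        // shows up, the configuration is not being applied where you think it is.
        app.Logger.LogWarning("Legacy {Protocol} negotiated by {RemoteIp}", tls.Protocol, remote);
    }

    await next(context);
});

app.MapGet("/", () => "logged");
app.Run();
```

Feed these warnings to whatever alerts you already have; a single legacy-TLS or plaintext hit is noise, a sustained pattern from one network is the signal.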