Data Protection in ASP.NET Core

In this article, we will learn about Data Protection in ASP.NET Core: what it is, why we need it and how to implement it in .NET Core-based applications.

What is Data Protection?

Data protection is the practice of applying security controls to data. It matters most when data moves from one channel to another, for example in an ASP.NET Core API that sends and receives data from various sources or exposes sensitive information in URLs.

So, whenever we transfer data over the network, we protect it with Data Protection.

Why do we need Data Protection?

Data protection is crucial because it guards data against unauthorized access. When we exchange data through an API, the data is at risk of being hacked or tampered with. To avoid this, we use data protection.

In this mechanism, we encrypt the data so that it cannot be tampered with or changed in transit.

Data Protection in ASP.NET Core

Data Protection in ASP.NET Core provides a cryptography-based API to protect data. It is implemented in the Microsoft.AspNetCore.DataProtection namespace.

Microsoft.AspNetCore.DataProtection

This namespace is the core of data protection in ASP.NET Core. It contains the cryptographic methods, configuration and key management, and includes the following interfaces:

  • IDataProtector – an interface that provides services to encrypt and decrypt data.
  • IDataProtectionProvider – an interface that creates IDataProtector instances through CreateProtector().

How to implement Data Protection in ASP.NET Core-based application?

In this section of the article, we will see a code snippet to implement data protection in the ASP.NET Core project.

First, create a Web API project in Visual Studio 2019 or 2022.

Next, add the line below inside the ConfigureServices() method in Startup.cs to register the data protection services in IServiceCollection.

services.AddDataProtection();

Now, declare a data protector field of type IDataProtector.

private readonly IDataProtector _dataProtector;

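Add a parameter of type IDataProtectionProvider to the constructor of the controller class. I have created a TestController class, so the constructor will be as below. Note that the string passed to CreateProtector() is a purpose string that isolates this protector's payloads from those of other protectors; it is not key material, which the Data Protection system generates and manages itself.

    public TestController(IDataProtectionProvider dataProtectionProvider)
    {
        // The argument is a purpose string, not an encryption key.
        _dataProtector = dataProtectionProvider.CreateProtector("Secret Key");
    }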

Now, we will use the _dataProtector instance to protect the data.

    public string GetMessage()
    {
        string message = "This is a secret message to team";
        return _dataProtector.Protect(message);
    }

Complete code snippet –

using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;

namespace DataProtectorDemo.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class TestController : ControllerBase
    {
        private readonly IDataProtector _dataProtector;

        public TestController(IDataProtectionProvider dataProtectionProvider)
        {
            // The argument is a purpose string, not an encryption key.
            _dataProtector = dataProtectionProvider.CreateProtector("Secret Key");
        }

        // Explicit HTTP verb so that Swagger can describe the action.
        [HttpGet]
        [Route("GetMessage")]
        public string GetMessage()
        {
            string message = "This is a secret message to team";
            return _dataProtector.Protect(message);
        }
    }
}

Let’s see the output –

Run the application and call the API from the browser, Swagger, or Postman.

Let’s verify the result by unprotecting the same data.

Change the action method as in the code snippet below.

    [HttpGet]
    [Route("GetMessage")]
    public IActionResult GetMessage()
    {
        string originalMessage = "This is a secret message to team";
        string protectedMessage = _dataProtector.Protect(originalMessage);
        string unProtectedMessage = _dataProtector.Unprotect(protectedMessage);
        return Ok(new { originalMessage, protectedMessage, unProtectedMessage });
    }

Protect() method

This method accepts plain text and returns it in cryptographically protected form.

Unprotect() method

This method accepts protected data as a parameter and returns the original plain text. It throws a CryptographicException if the protected data has been modified or cannot be unprotected.

In Postman, you will see the below output.

As you can see, I first displayed the original message, then the protected message, and finally the result of unprotecting the protected data.
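The round trip above, extended to show the failure cases a caller has to handle: Unprotect() throws CryptographicException when the payload was created under a different purpose string or has been modified. This is an added example, not code from the original article. It assumes a console project that references the Microsoft.AspNetCore.DataProtection package and uses EphemeralDataProtectionProvider (in-memory keys); the class name and purpose strings are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class PurposeIsolationDemo
{
    // Returns the plaintext, or null when the payload is rejected.
    static string? TryUnprotect(IDataProtector protector, string payload)
    {
        try
        {
            return protector.Unprotect(payload);
        }
        catch (CryptographicException)
        {
            // Wrong purpose string, modified payload, or unknown key.
            return null;
        }
    }

    public static void Main()
    {
        // Keys live in memory only, so the demo writes nothing to disk.
        // A web app gets its provider from services.AddDataProtection().
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();

        // Hypothetical purpose strings, constructed for this example.
        IDataProtector links = provider.CreateProtector("Demo.TestController.Links.v1");
        IDataProtector other = provider.CreateProtector("Demo.TestController.Other.v1");

        string token = links.Protect("This is a secret message to team");

        // Constructed tampering: change one character in the middle of the token.
        int mid = token.Length / 2;
        char swapped = token[mid] == 'A' ? 'B' : 'A';
        string tampered = token.Substring(0, mid) + swapped + token.Substring(mid + 1);

        Console.WriteLine("same purpose : " + (TryUnprotect(links, token) ?? "<rejected>"));
        Console.WriteLine("other purpose: " + (TryUnprotect(other, token) ?? "<rejected>"));
        Console.WriteLine("tampered     : " + (TryUnprotect(links, tampered) ?? "<rejected>"));
    }
}
```

In a controller, the same catch block is where a request carrying an invalid protected value should be turned into an error response instead of an unhandled exception.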

Takeaway

We have gone through the implementation of data protection in ASP.NET Core. We know the significance of data protection and how this is useful in protecting sensitive information.

To summarize, we covered the following points:

  • What is Data Protection?
  • How to implement Data Protection in ASP.NET Core?
  • We can encrypt sensitive information in URLs and also in API responses.

Hope you enjoy this article.
