Sonar.tv

End-to-end security in a web application

Code Security · March 13th 2025 · 46:02 · Part of SCSE

A technical walkthrough of securing a web application end-to-end, demonstrating how SonarQube's taint analysis and security hotspot detection identify injection risks and authentication flaws across the full stack.

Introduction to Modern Web Application Security

Damien Borden, a Microsoft MVP web developer from iSolutions in Switzerland, and Dennis Troller, a product manager from Sonar, presented a webinar on implementing end-to-end security in web applications built on ASP.NET Core. The presentation focused on practical approaches to authentication, authorization, and the other security requirements that production deployments must meet. Rather than covering theory, the speakers showed how to build a real-world application with security considerations integrated throughout the development lifecycle.

The Evolution of Security Architecture

A significant shift has occurred in recent years in how security is implemented in modern web applications. Traditional single-page applications (SPAs) talking to a separate backend service split the security context between frontend and backend: the browser itself becomes the OAuth client, tokens are stored in the browser where any script running in the page (for example, injected through XSS) can read them, and the application itself cannot be authenticated because a public client holds no credential. The current best-practice recommendation, commonly called the backend-for-frontend (BFF) pattern, is to treat the web application as one security context, deploying and securing frontend and backend as a single entity. The backend then validates both the application (with a client secret or certificate) and the user, which removes the attack surface that existed when the two components were trusted independently.

Practical Development and Deployment Strategy

While the ideal is to deploy the application as one unit, day-to-day development needs flexibility: frontend developers are most productive with the Angular tooling and backend developers with .NET, each with its own live reload and debugger. Borden recommended keeping separate local development setups, with a proxy routing requests between the Angular dev server and the .NET backend, while the production build compiles and deploys both as a single application. Critically, local development should mirror production in the mechanisms that security depends on, above all HTTPS everywhere: cookies marked Secure, and SameSite=None cookies such as the correlation cookie the ASP.NET Core OpenID Connect handler sets by default, are only accepted and sent over HTTPS, so an HTTP-only development setup exercises different session protection than production and hides misconfigurations until deployment.

Authentication Implementation with OpenID Connect

The recommended authentication flow for modern web applications is OpenID Connect Code Flow with PKCE (Proof Key for Code Exchange), with the backend acting as a confidential client. The flow has two legs. First, the backend redirects the browser to the identity provider with an authorization request carrying the PKCE code challenge; the user authenticates there, which is where multi-factor authentication or phishing-resistant methods such as passkeys are enforced. Second, the identity provider redirects the browser back to the backend's callback endpoint with a short-lived authorization code, and the backend exchanges that code for tokens in a direct back-channel request, presenting the PKCE code verifier together with its own credential (a client secret or certificate). The backend receives the ID token, the access token and, if requested, a refresh token, and keeps them server-side; the browser holds only an HttpOnly session cookie and never sees the tokens.
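The hosting and authentication setup described in this section and the previous one, as an added example for ASP.NET Core minimal hosting. This is illustrative code written for this page, not the webinar's sample application. It assumes the NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect, configuration keys Oidc:Authority, Oidc:ClientId and Oidc:ClientSecret supplied from user secrets or a vault, an Angular production build copied into wwwroot at publish time, and a placeholder downstream API URL; all of those names and paths are assumptions.

```csharp
// Program.cs (added example). Assumed: Oidc:* configuration keys, the Angular
// build in wwwroot, and the downstream API URL are placeholders, not real values.
using System.Net.Http.Headers;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // The browser only ever holds the session cookie; the OIDC handler is used
    // for the challenge (redirect to the identity provider).
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    // Always requires HTTPS, in development as well as production, so the
    // session cookie behaves identically in both environments.
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    // Lax is sent on the top-level navigation that follows the IdP redirect;
    // Strict can drop it there and cause a login loop.
    options.Cookie.SameSite = SameSiteMode.Lax;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    options.SlidingExpiration = true;
})
.AddOpenIdConnect(options =>
{
    options.Authority = builder.Configuration["Oidc:Authority"];       // assumed key
    options.ClientId = builder.Configuration["Oidc:ClientId"];         // assumed key
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // confidential client
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.UsePkce = true;      // handler generates code_verifier / code_challenge
    options.SaveTokens = true;   // id/access/refresh tokens stay in the server-side ticket
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("offline_access"); // refresh token, if the IdP issues one
    options.MapInboundClaims = false;    // keep standard claim names (sub, name, ...)
    options.TokenValidationParameters.NameClaimType = "name";
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization();
builder.Services.AddHttpClient();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

// Start the code flow: redirect to the identity provider with a PKCE challenge.
app.MapGet("/account/login", (string? returnUrl) =>
    Results.Challenge(
        new AuthenticationProperties { RedirectUri = returnUrl ?? "/" },
        new[] { OpenIdConnectDefaults.AuthenticationScheme }));

// End the local session and the identity provider session.
app.MapPost("/account/logout", () =>
    Results.SignOut(
        new AuthenticationProperties { RedirectUri = "/" },
        new[] { CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme }))
   .RequireAuthorization();

// Called by the Angular UI with the session cookie; no token reaches the browser.
app.MapGet("/api/profile", (ClaimsPrincipal user) =>
    Results.Ok(user.Claims.Select(c => new { c.Type, c.Value })))
   .RequireAuthorization();

// Call a downstream API on the user's behalf with the server-held access token.
app.MapGet("/api/downstream", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    if (accessToken is null) return Results.Unauthorized();
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var body = await client.GetStringAsync("https://api.example.com/me"); // placeholder URL
    return Results.Content(body, "application/json");
}).RequireAuthorization();

// Production: the Angular build is served from the same origin as the API,
// so UI and backend form one security context. In development the Angular
// dev server proxies /api and /account to this process over HTTPS instead.
app.UseStaticFiles();
app.MapFallbackToFile("index.html");

app.Run();
```

Two checks worth making against this setup. Run the backend over HTTPS locally (trust the development certificate with `dotnet dev-certs https --trust`) and confirm that the login round trip works: with SecurePolicy set to Always, an HTTP origin would silently fail to set the session cookie. And open the browser's storage inspector after logging in: nothing but the HttpOnly session cookie and the handler's correlation/nonce cookies should be present, and no token should be visible to JavaScript.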

Integration with Existing Identity Providers

Rather than implementing standalone authentication systems, the speakers emphasized the importance of leveraging existing identity providers within enterprise environments. Most organizations already have identity systems in place, and reusing these through OpenID Connect integration reduces complexity and security overhead. This approach allows organizations to maintain centralized identity management while securing web applications through standardized protocols.

Key Takeaways

  • Unified Security Context: Web applications should be deployed and secured as a single entity rather than splitting security between frontend and backend components
  • Balanced Development Workflow: Maintain separate local development environments for different technical stacks while ensuring production deployments are unified and tested consistently
  • OpenID Connect Code Flow with PKCE: This is the recommended authentication pattern for modern web applications, providing security through server-side token management
  • Leverage Existing Identity Providers: Organizations should integrate with existing enterprise identity providers using OpenID Connect rather than building standalone authentication systems
  • Environment Consistency: Ensure that security mechanisms like HTTPS are applied consistently across development and production to catch configuration issues early