Rater-Inc / dotnet-api


Security Optimization #33

Closed. Sirmelihy closed this 2 weeks ago

Sirmelihy commented 2 weeks ago

Description:

We need to perform a security audit and optimization for our .NET API to ensure the highest level of security for our application and user data. This includes reviewing our current implementation, identifying potential vulnerabilities, and implementing best practices for securing our API.

Tasks:

  1. Rate Limiter Implementation:

    1.1 Evaluate Current Rate Limiting Mechanism:

     -  Review the current fixed window rate-limiting implementation.
     -  Identify its limitations and explore alternative methods.

    1.2 Implement New Rate Limiting Method:

     -  Switch to a rate-limiting method that better suits our needs, such as sliding window or token bucket.
     -  Configure the rate limiter to specifically limit certain IP addresses.

    1.3 Implement New Rate Limiting Method:

     -  Lower the permit limit to enhance security and prevent abuse.
  2. JWT Token Management:

    2.1 Token Duration:

     -  Review the current JWT token expiration policy.
     -  Implement configurable token expiration settings to balance security and user experience.
     -  Set a short lifespan for access tokens and a longer lifespan for refresh tokens.

    2.2 Single-Time Use Tokens:

     - Ensure JWT tokens are used only once to prevent replay attacks.
     - Implement token invalidation mechanisms to revoke tokens after use.
     - Store used token identifiers in a secure store (e.g., Redis) to track and invalidate tokens after they are used.

Additional Information:

Please refer to the OWASP Top Ten for guidance on common security risks and mitigation strategies.

Priority: High
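Added example for tasks 1.1 to 1.3 (not code from the Rater-Inc/dotnet-api repository): a `Program.cs` using the built-in ASP.NET Core rate limiter (.NET 7 or later) with a sliding window partitioned by client IP, a tighter budget for a configured list of addresses, and a `Retry-After` header on rejection. The config key `RateLimiting:RestrictedIps`, the proxy address, the route and the permit counts are assumptions chosen for illustration. The limitation of the current fixed-window limiter that this replaces: a client can spend a full permit budget in the last second of one window and another full budget in the first second of the next, so a burst of 2 × PermitLimit passes; a sliding window counts the trailing window in segments and closes that gap.

```csharp
// Program.cs (added example, not the repository's code). Assumes ASP.NET Core 7+.
using System.Net;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Behind a reverse proxy, RemoteIpAddress is the proxy's address unless forwarded headers are
// honoured. Only trust X-Forwarded-For from proxies listed here, otherwise a client can choose
// its own partition key and escape the limit. The proxy address is a placeholder.
builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor;
    o.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
});

// Addresses that get a stricter budget (hypothetical config key "RateLimiting:RestrictedIps").
var restricted = new HashSet<string>(
    builder.Configuration.GetSection("RateLimiting:RestrictedIps").Get<string[]>()
    ?? Array.Empty<string>());

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // One sliding-window limiter per client IP. The window is split into segments, so a
    // burst at the end of one window and the start of the next cannot double the budget.
    options.AddPolicy("per-ip", httpContext =>
    {
        var ip = httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        var permits = restricted.Contains(ip) ? 5 : 30;   // illustrative limits per minute
        return RateLimitPartition.GetSlidingWindowLimiter(ip, _ => new SlidingWindowRateLimiterOptions
        {
            PermitLimit = permits,
            Window = TimeSpan.FromMinutes(1),
            SegmentsPerWindow = 6,   // 10-second segments
            QueueLimit = 0           // reject immediately rather than holding connections open
        });
    });

    // Tell well-behaved clients how long to back off.
    options.OnRejected = (ctx, _) =>
    {
        if (ctx.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
        {
            ctx.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString();
        }
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();

app.UseForwardedHeaders();   // must run before the limiter reads RemoteIpAddress
app.UseRateLimiter();

app.MapGet("/api/ping", () => "pong").RequireRateLimiting("per-ip");

app.Run();
```

Two caveats when lowering the permit limit: the built-in limiter keeps its counters in process memory, so in a deployment with several API instances each instance enforces the limit separately and the effective budget is PermitLimit × instance count; and keying only on IP puts every client behind one corporate NAT or mobile carrier gateway into a single bucket, so a low limit on authenticated routes is better keyed on the user identity than on the address.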
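Added example for tasks 2.1 and 2.2 (not code from the Rater-Inc/dotnet-api repository): a token service with configurable lifetimes bound from an assumed `Jwt` settings section, short-lived access tokens, long-lived refresh tokens, and single-use enforcement by recording each consumed refresh token's `jti` in Redis with `SET NX` so a replay is refused atomically. Access tokens are left stateless on the hot path and revoked through a `jti` denylist that the bearer middleware consults; making every access token single-use would cost a Redis round trip per request and break concurrent calls from one client, which is why the single-use property is applied to the refresh token here. Assumes the `System.IdentityModel.Tokens.Jwt` and `StackExchange.Redis` packages; the `token_use` claim name, key prefixes and defaults are choices made for this example.

```csharp
// TokenService.cs (added example, not the repository's code).
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
using StackExchange.Redis;

// Bound from a hypothetical "Jwt" section of appsettings, e.g.
// builder.Services.Configure<JwtSettings>(builder.Configuration.GetSection("Jwt"));
public sealed class JwtSettings
{
    public string Issuer { get; set; } = "dotnet-api";
    public string Audience { get; set; } = "dotnet-api-clients";
    public string SigningKey { get; set; } = "";      // >= 32 random bytes, from a secret store
    public int AccessTokenMinutes { get; set; } = 10; // short-lived
    public int RefreshTokenDays { get; set; } = 14;   // long-lived, single use
}

public sealed class TokenService
{
    private readonly JwtSettings _cfg;
    private readonly IDatabase _redis;
    private readonly SymmetricSecurityKey _key;
    // MapInboundClaims = false keeps "sub", "jti" and "exp" under their JWT names after validation.
    private readonly JwtSecurityTokenHandler _handler = new() { MapInboundClaims = false };

    public TokenService(JwtSettings cfg, IConnectionMultiplexer redis)
    {
        _cfg = cfg;
        _redis = redis.GetDatabase();
        _key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(cfg.SigningKey));
    }

    public (string Access, string Refresh) Issue(string userId)
    {
        var now = DateTime.UtcNow;
        return (Create(userId, "access", now, now.AddMinutes(_cfg.AccessTokenMinutes)),
                Create(userId, "refresh", now, now.AddDays(_cfg.RefreshTokenDays)));
    }

    // Single use: the first presenter atomically claims the jti (SET NX, TTL = remaining life).
    // A replay finds the key already present and is refused; nothing is issued for it.
    public async Task<(string Access, string Refresh)?> RotateAsync(string refreshToken)
    {
        var principal = Validate(refreshToken, expectedUse: "refresh");
        if (principal is null) return null;

        var jti = principal.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
        var ttl = RemainingLife(principal);
        if (jti is null || ttl <= TimeSpan.Zero) return null;

        var first = await _redis.StringSetAsync($"used-jti:{jti}", "1", ttl, When.NotExists);
        if (!first) return null; // replayed refresh token

        return Issue(principal.FindFirst(JwtRegisteredClaimNames.Sub)!.Value);
    }

    // Revocation for access tokens (logout, compromise): denylist the jti until it expires anyway.
    public async Task RevokeAccessAsync(string accessToken)
    {
        var principal = Validate(accessToken, expectedUse: "access");
        var jti = principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
        if (principal is null || jti is null) return;
        var ttl = RemainingLife(principal);
        if (ttl > TimeSpan.Zero)
            await _redis.StringSetAsync($"revoked-jti:{jti}", "1", ttl, When.Always);
    }

    public Task<bool> IsRevokedAsync(string jti) => _redis.KeyExistsAsync($"revoked-jti:{jti}");

    public TokenValidationParameters ValidationParameters() => new()
    {
        ValidIssuer = _cfg.Issuer,
        ValidAudience = _cfg.Audience,
        IssuerSigningKey = _key,
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the alg; never accept "none"
        ClockSkew = TimeSpan.FromSeconds(30)
    };

    private string Create(string userId, string use, DateTime now, DateTime expires)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            new Claim("token_use", use) // stops a refresh token from passing as an access token
        };
        var token = new JwtSecurityToken(_cfg.Issuer, _cfg.Audience, claims, now, expires,
            new SigningCredentials(_key, SecurityAlgorithms.HmacSha256));
        return _handler.WriteToken(token);
    }

    private ClaimsPrincipal? Validate(string token, string expectedUse)
    {
        try
        {
            var principal = _handler.ValidateToken(token, ValidationParameters(), out _);
            return principal.FindFirst("token_use")?.Value == expectedUse ? principal : null;
        }
        catch (Exception e) when (e is SecurityTokenException or ArgumentException) { return null; }
    }

    private static TimeSpan RemainingLife(ClaimsPrincipal principal)
    {
        var exp = long.Parse(principal.FindFirst(JwtRegisteredClaimNames.Exp)!.Value);
        return DateTimeOffset.FromUnixTimeSeconds(exp) - DateTimeOffset.UtcNow;
    }
}
```

Wiring: pass `tokenService.ValidationParameters()` to `AddJwtBearer`, and in its `OnTokenValidated` event reject the request when `token_use` is not `access` or `IsRevokedAsync(jti)` returns true, so the denylist applies for at most `AccessTokenMinutes` after revocation. A replayed refresh token usually means the token was stolen; the stricter response is to revoke the user's entire session family at that point rather than just refuse the one request.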