Lesson 9: Securing Your API with HTTPS & API Gateway

Meta Description

Learn how to secure your .NET API using HTTPS, an API Gateway, Google reCAPTCHA, and API rate limiting. This tutorial covers enforcing HTTPS, setting up authentication middleware, configuring API keys, implementing CAPTCHA, and handling JWT security. Includes best practices and FAQs.


1️⃣ Why API Security Matters

APIs handle sensitive data and user authentication, which makes them a prime target for attackers. Securing your API is essential to prevent unauthorized access, data breaches, and abuse.

Key security measures:

  • Enforce HTTPS
  • Use Authentication & Authorization
  • Secure API Endpoints
  • Implement Rate Limiting
  • Protect Against Bots with Google reCAPTCHA

2️⃣ Installing Required Libraries

Before proceeding, install the required packages:

# Install JWT authentication
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

# Install Rate Limiting
dotnet add package AspNetCoreRateLimit

# Install Google reCAPTCHA
nuget install reCAPTCHA.Net

These libraries will help secure our API with authentication, rate limiting, and bot protection.


3️⃣ Enforcing HTTPS in Azure

To ensure all requests use HTTPS, Azure provides a simple setting that redirects all HTTP traffic to HTTPS.

🔹 Update 2024: Enforcing HTTPS in Azure

It’s now under Settings > Configuration > General Settings:

  1. Go to Azure Portal and open the overview page of the App Service.
  2. In the sidebar, under the Settings section, click TLS/SSL Settings.
  3. Enable HTTPS only.
  4. Save the settings.

This works for every App Service Plan tier, including the F-Series (Free Tier).

As defence in depth, also enforce HTTPS in your .NET code so the redirect does not depend on the hosting configuration alone:

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.UseHttpsRedirection(); // Forces HTTPS
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.Run();

4️⃣ Protecting API Endpoints with JWT Authentication

We need to ensure only authenticated users can access certain routes.

🔹 Adding Authentication Middleware

Modify Program.cs to require JWT authentication:

// Requires: using Microsoft.AspNetCore.Authentication.JwtBearer;
// The Firebase project ID is read from configuration (the "Firebase:ProjectId" key is an example name).
var firebaseProjectId = builder.Configuration["Firebase:ProjectId"];

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Firebase issues ID tokens from this authority; its discovery document supplies the signing keys.
        options.Authority = $"https://securetoken.google.com/{firebaseProjectId}";
        // The expected audience of a Firebase ID token is the project ID itself.
        options.Audience = firebaseProjectId;
    });

builder.Services.AddAuthorization();

🔹 Securing an API Route

[Authorize]
[HttpGet("secure-data")]
public IActionResult GetSecureData()
{
    return Ok(new { message = "This is a protected route" });
}

Any request without a valid JWT will receive a 401 Unauthorized response.


5️⃣ Implementing Google reCAPTCHA for Bot Protection

To prevent bots from accessing public endpoints (like user registration), use Google reCAPTCHA.

🔹 Set up reCAPTCHA in Google

  1. Visit Google reCAPTCHA Admin
  2. Register your site and choose reCAPTCHA v2 or v3.
  3. Copy the Site Key and Secret Key.

🔹 Validate reCAPTCHA in .NET

// Requires: using System.Text.Json; using System.Text.Json.Serialization;
[HttpPost("register")]
public async Task<IActionResult> RegisterUser([FromBody] RegisterRequest request)
{
    var isValidCaptcha = await VerifyRecaptcha(request.RecaptchaToken);
    if (!isValidCaptcha)
        return BadRequest("Invalid reCAPTCHA.");

    // Proceed with registration...
    return Ok();
}

// One shared HttpClient instead of a new instance per request (avoids socket exhaustion).
private static readonly HttpClient _httpClient = new HttpClient();

private async Task<bool> VerifyRecaptcha(string token)
{
    if (string.IsNullOrEmpty(token))
        return false;

    // Read the secret from configuration or a secret store; never hard-code it in source.
    var secretKey = "Your-Google-Secret-Key";
    // Google's siteverify endpoint expects a POST with form-encoded parameters.
    var content = new FormUrlEncodedContent(new Dictionary<string, string>
    {
        ["secret"] = secretKey,
        ["response"] = token
    });
    var response = await _httpClient.PostAsync("https://www.google.com/recaptcha/api/siteverify", content);
    var body = await response.Content.ReadAsStringAsync();
    var json = JsonSerializer.Deserialize<RecaptchaResponse>(body);
    return json?.Success == true;
}

// Maps the lowercase "success" field of Google's JSON response.
public class RecaptchaResponse { [JsonPropertyName("success")] public bool Success { get; set; } }
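Checking only "success" is not enough for reCAPTCHA v3, which always succeeds and instead returns a risk score; the hostname and action should also be compared with what you expect. The following is an added example, not code from the lesson: it validates a siteverify response body on its own (no HTTP call), and the sample JSON strings are constructed, not real Google output.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Fields documented for Google's siteverify response; score and action are only present for v3.
public sealed class RecaptchaVerifyResponse
{
    [JsonPropertyName("success")] public bool Success { get; set; }
    [JsonPropertyName("score")] public double? Score { get; set; }
    [JsonPropertyName("action")] public string? Action { get; set; }
    [JsonPropertyName("hostname")] public string? Hostname { get; set; }
    [JsonPropertyName("error-codes")] public string[]? ErrorCodes { get; set; }
}

public static class RecaptchaPolicy
{
    // Accept the token only if Google verified it, it was solved on our hostname,
    // it was issued for the action we expect (v3), and the risk score meets our threshold (v3).
    // For v2 responses score and action are absent, so only success and hostname are checked.
    public static bool IsAcceptable(string responseJson, string expectedAction,
                                    string expectedHostname, double minScore)
    {
        var r = JsonSerializer.Deserialize<RecaptchaVerifyResponse>(responseJson);
        if (r is null || !r.Success) return false;
        if (!string.Equals(r.Hostname, expectedHostname, StringComparison.OrdinalIgnoreCase)) return false;
        if (r.Action is not null && r.Action != expectedAction) return false;
        if (r.Score is double s && s < minScore) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample responses for a registration form on example.com.
        const string good      = "{\"success\":true,\"score\":0.9,\"action\":\"register\",\"hostname\":\"example.com\"}";
        const string lowScore  = "{\"success\":true,\"score\":0.1,\"action\":\"register\",\"hostname\":\"example.com\"}";
        const string wrongHost = "{\"success\":true,\"score\":0.9,\"action\":\"register\",\"hostname\":\"other.example\"}";
        const string failed    = "{\"success\":false,\"error-codes\":[\"timeout-or-duplicate\"]}";

        foreach (var sample in new[] { good, lowScore, wrongHost, failed })
            Console.WriteLine($"{sample} -> {IsAcceptable(sample, "register", "example.com", 0.5)}");
    }
}
```

Only the first sample is accepted; a low score, a token solved on a different hostname, or a failed verification (including a token replayed a second time, which Google reports as timeout-or-duplicate) is rejected.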

6️⃣ Limiting API Calls to Prevent Abuse

Configure IP-based rate limiting with AspNetCoreRateLimit in Program.cs:

// Requires: using AspNetCoreRateLimit;
builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(options =>
{
    options.GeneralRules = new List<RateLimitRule>
    {
        new RateLimitRule
        {
            Endpoint = "*", // Apply to all endpoints
            Limit = 100, // 100 requests
            Period = "1m" // Per minute
        }
    };
});
// Keep the counters in memory and register the library's services.
builder.Services.AddInMemoryRateLimiting();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();

// After builder.Build(): add the middleware early in the pipeline so abusive traffic
// is rejected (429 Too Many Requests) before authentication runs.
app.UseIpRateLimiting();
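A single global limit treats the public registration endpoint the same as every authenticated route. The following added example (not the lesson's code) layers per-endpoint rules on top of the global one; the "post:/register" path, the limits, and the whitelisted address are assumptions.

```csharp
using AspNetCoreRateLimit;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(options =>
{
    // Must be enabled, otherwise rules with a specific endpoint pattern are ignored.
    options.EnableEndpointRateLimiting = true;
    // Endpoint patterns are "{verb}:{path}"; "*" matches every request.
    options.GeneralRules = new List<RateLimitRule>
    {
        new RateLimitRule { Endpoint = "*",              Limit = 100, Period = "1m" },
        // The unauthenticated registration route gets a much smaller budget,
        // with both a burst limit and an hourly ceiling.
        new RateLimitRule { Endpoint = "post:/register", Limit = 5,   Period = "1m" },
        new RateLimitRule { Endpoint = "post:/register", Limit = 20,  Period = "1h" },
    };
    // Trusted monitoring hosts that must never be throttled (placeholder address).
    options.IpWhitelist = new List<string> { "203.0.113.10" };
});
builder.Services.AddInMemoryRateLimiting();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();

var app = builder.Build();

// Rate limiting first, then HTTPS redirection and the auth middleware.
app.UseIpRateLimiting();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

The endpoint path must match the full request path of your controller route (for example "post:/api/auth/register" if the controller is routed under api/auth).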

7️⃣ Common Questions & Answers

Q1: What is an authenticated user?

An authenticated user is one who has successfully logged in and received a valid JWT token. This token must be included in every request to access secured endpoints.

Q2: Does this mean only registration is unsecured?

Yes, registration is usually the only endpoint open to the public. After registering, the user receives a token and must use it for all future requests.

Q3: How do I restrict API access to specific users?

Check claims inside your controller:

// "user_id" is the claim Firebase places in its ID tokens; the allowed value is a placeholder.
var userId = User.FindFirst("user_id")?.Value;
if (userId != "allowed-user-id")
{
    // The caller is authenticated but not permitted; Forbid() (403) is the more precise status.
    return Unauthorized();
}
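Comparing claims inside every action does not scale. As an added example (not the lesson's code), the following defines a named authorization policy once and combines it with a per-resource ownership check; the "role"/"admin" claim and the user_id claim name are assumptions about how your tokens are issued.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Program.cs: declare the policy once, next to AddAuthentication.
// builder.Services.AddAuthorization(options =>
// {
//     options.AddPolicy("AdminOnly", policy =>
//         policy.RequireAuthenticatedUser()
//               .RequireClaim("role", "admin")); // assumed claim name and value
// });

[ApiController]
[Route("api/[controller]")]
public class UsersController : ControllerBase
{
    // The policy is enforced before the action body runs: 401 without a valid token,
    // 403 for an authenticated caller who lacks the admin claim.
    [Authorize(Policy = "AdminOnly")]
    [HttpDelete("{id}")]
    public IActionResult DeleteUser(string id)
    {
        // Only admins reach this point; delete the user here.
        return NoContent();
    }

    // Any authenticated user may call this, but may only read their own profile
    // unless they are an admin (ownership check on the token's user_id claim).
    [Authorize]
    [HttpGet("{id}/profile")]
    public IActionResult GetProfile(string id)
    {
        var callerId = User.FindFirst("user_id")?.Value;
        var isAdmin = User.HasClaim("role", "admin");
        if (callerId != id && !isAdmin)
            return Forbid(); // 403: authenticated, but not permitted for this resource

        return Ok(new { id, message = "Profile for the requested user" });
    }
}
```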

Q4: How do I protect against SQL Injection?

Use parameterized queries:

var cmd = new SqlCommand("SELECT * FROM Users WHERE Email = @Email", connection);
cmd.Parameters.AddWithValue("@Email", userEmail);

Q5: How do I enable CORS for secure access from multiple clients?

builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowAll", builder =>
        builder.AllowAnyOrigin()
               .AllowAnyMethod()
               .AllowAnyHeader());
});
app.UseCors("AllowAll");
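The AllowAll policy above lets any website make requests to the API from a browser, which is rarely what "secure access" means. As an added example (not the lesson's code), here is the same registration with a restrictive policy; the origin list and the Cors:AllowedOrigins configuration key are assumptions.

```csharp
var builder = WebApplication.CreateBuilder(args);

// Allowed browser origins come from configuration (placeholder key and values),
// so development and production lists differ without code changes.
var allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>()
                     ?? new[] { "https://app.example.com", "https://admin.example.com" };

builder.Services.AddCors(options =>
{
    // Restrictive policy: exact origins, only the verbs and headers the clients actually use.
    options.AddPolicy("TrustedClients", policy =>
        policy.WithOrigins(allowedOrigins)
              .WithMethods("GET", "POST", "PUT", "DELETE")
              .WithHeaders("Authorization", "Content-Type")
              // Needed if clients send cookies or the Authorization header cross-origin.
              // ASP.NET Core rejects AllowCredentials() combined with AllowAnyOrigin().
              .AllowCredentials());
});

var app = builder.Build();

app.UseHttpsRedirection();
// UseCors must run before authentication, authorization and endpoint mapping.
app.UseCors("TrustedClients");
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

CORS only governs what browsers allow a page from another origin to do; it is not an authentication mechanism, so the JWT requirement on protected routes still applies.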

Next Steps

Now that our API is secured, we will cover:

  • ✅ OAuth Login (Google, Facebook, Apple, AWS)
  • ✅ Monitoring & Logging API Activity

Let me know if you have more questions! 🚀