Security in fullstackhero is layered defence with sensible defaults. JWT bearer with rotating refresh tokens; fine-grained permission gates on every endpoint (wired as both the default and fallback authorization policy, so nothing fails open); ASP.NET Identity for the user store; multi-tenant isolation as the default behaviour of every query; rate limiting on auth-flow endpoints; HMAC-signed webhooks with secrets encrypted at rest; Valkey-backed data protection keys; audit on every state change; JSON masking for sensitive payloads.
The pillars
- 01/08 Authentication: JWT bearer with rotating refresh tokens, ASP.NET Identity user store, lockout, email confirmation, per-device session tracking, and the auth-flow rate-limit policy.
- 02/08 Authorization: permission-based, fine-grained gates on every endpoint via .RequirePermission() with a flat registry, default + fallback policy wiring, and the silent-no-op gotcha that catches every team once.
- 03/08 Operator impersonation: time-bound, cross-tenant impersonation with a server-side revocation check on every request, a full audit trail, and an IGlobalEntity persistence model.
- 04/08 Two-factor authentication (TOTP): opt-in TOTP enrolment for any user (shared secret + otpauth URI, verify, password-confirmed disable), with TOTP-required token issuance once enrolled.
- 05/08 Webhook signing: HMAC-SHA256 payload signing for every outbound webhook delivery, secrets encrypted at rest via Data Protection, and a complete subscriber-side verification recipe.
- 06/08 Data protection: Valkey-backed Data Protection key persistence so cookies, antiforgery tokens, and IDataProtector payloads survive rolling deploys across instances.
- 07/08 CORS & security headers: CORS-before-HTTPS-redirect ordering, the SignalR-credentialed-CORS gotcha, and the production security headers the kit emits by default.
- 08/08 Production security checklist: ten configuration items you must check before shipping fullstackhero to production. Skip none.
Each page covers one concern in depth.
Related
- Multitenancy deep-dive — tenant isolation discipline.
- Identity module — the authentication + permission implementation.
- Auditing module — capture + masking + retention.
- Webhooks module — HMAC signing.
- Rate limiting (cross-cutting) — the auth-policy mechanics.