Security in fullstackhero is layered defence with sensible defaults: JWT bearer authentication with rotating refresh tokens; fine-grained permission gates on every endpoint; ASP.NET Identity for the user store; multi-tenant isolation as the default behaviour of every query; rate limiting on auth-flow endpoints; HMAC-signed webhooks; Valkey-backed data protection keys; an audit record of every state change; and JSON masking of sensitive payloads.
The pillars
- 01/08 Authentication: JWT bearer with rotating refresh tokens, ASP.NET Identity user store, lockout, email confirmation, and the auth-flow rate-limit policy.
- 02/08 Authorization: permission-based authorization — fine-grained gates on every endpoint via .RequirePermission() with a flat registry, role-and-group aggregation, and the silent-no-op gotcha that catches every team once.
- 03/08 Operator impersonation: time-bound, cross-tenant impersonation with a server-side revocation list, a full audit trail, and an IGlobalEntity persistence model.
- 04/08 Two-factor authentication (TOTP): opt-in TOTP enrolment for any user (QR code, verify, disable), with TOTP-required token issuance once enrolled.
- 05/08 Webhook signing: HMAC-SHA256 payload signing for every outbound webhook delivery, with a fresh delivery id per attempt and a complete subscriber-side verification recipe.
- 06/08 Data protection: Valkey-backed Data Protection key persistence so cookies, antiforgery tokens, and IDataProtector payloads survive rolling deploys across instances.
- 07/08 CORS & security headers: CORS-before-HTTPS-redirect ordering, the SignalR-credentialed-CORS gotcha, and the production security headers you should configure before launch.
- 08/08 Production security checklist: ten configuration items you must check before shipping fullstackhero to production. Skip none.
Each page covers one concern in depth.
Related
- Multitenancy deep-dive — tenant isolation discipline.
- Identity module — the authentication + permission implementation.
- Auditing module — capture + masking + retention.
- Webhooks module — HMAC signing.
- Rate limiting (cross-cutting) — the auth-policy mechanics.