End to end security of a web application

Secure Web application using ASP.NET Core, Angular, SonarQube Cloud and Terraform. Furthermore .NET Aspire is used for local development.

This repository hosts the source code for our .NET User Group Switzerland tour.

Introduction

📝 Using SonarCloud with ASP.NET Core, Angular and github actions

📺 Webinar

Setup and docs

ASP.NET Core/Angular

Local development

For local development environment setup proceed as follows:

1. Check out the repository
2. Install Angular CLI latest globally npm install -g @angular/cli latest
3. Open Bff.sln in Visual Studio 2022 or later
4. Set Bff.AppHost as startup project
5. Run the project (F5)
6. Open URL of bffmicrosoftentraid-server from the Aspire dashboard (usually https://localhost:5001)

Production

Agenda

• User Authentication
• Identity Authentication
  • OpenID Connect Code flow confidential client
  • PKCE
  • Microsoft Entra ID
    • Microsoft.Identity.Web
    • Microsoft Graph 5 for profile data
    • Profile data in UI (UserController)
• Secure APIs
• Session Security
• DevSecOps
  • build
  • deploy (IaC & app)
  • quality (SonarQube Cloud)
  • Analysis for different technical stacks (.NET, JavaScript/TypeScript, Hashicorp Terraform)
  • Sonar badges, GitHub Actions workflows badges

Other topics

• What's missing for a production setup?
  • Authorization
  • Data requirements
  • Update of ui\public\.well-known\security.txt
  • Make use of Azure Key Vault for secrets management

Angular CLI Updates

npm install -g @angular/cli latest

ng update

ng update @angular/cli @angular/core

History

• 2025-11-02 Added bootstrap, improved UI (style), created app registration for BFF app using terraform
• 2025-11-01 Added security.txt, added OpenAPI
• 2025-10-31 Updated to Angular CLI and Angular 20.3.0, using vite in dev
• 2025-10-30 Fixed deployment to Azure App Service, reverted Angular due to CSP nonce issues
• 2025-10-29 Added .NET Aspire, added terraform, Sonar SCA, SAST, improved GitHub Actions workflows
• 2025-10-28 Improved security headers, updated frontend packages, added integration tests, added GitHub Actions workflows
• 2025-10-27 Updated NuGet packages
• 2025-08-30 Angular 20, updated packages
• 2025-01-01 .NET 9, Angular 19
• 2024-10-17 Updated security headers performance, updated packages
• 2024-10-06 Angular 18.2.7, updated security headers

Links

• SonarQube Cloud - Analyzing GitHub projects
• rufer7 - github-sonarcloud-integration
• [HOWTO] Integrate SonarCloud analysis in an Azure DevOps YAML pipeline
• Sonar Community - Code coverage report for .Net not working on Linux agent
• SonarScanner for .NET - Analyzing languages other than C# and VB
• Andrei Epure - How to analyze JS/TS, HTML and CSS files with the Sonar Scanner for .NET
• damienbod - bff-aspnetcore-angular
• [Webinar] End-to-end security in a web application
• Tutorial: Add Aspire to an existing .NET app
• Orchestrate Node.js apps in Aspire
• Deploy to Azure App Service by using GitHub Actions