Secure JSON parameter .NET Core

I have created an API with .NET Core. Probably, this API will be consumed by other apps for the public. How can I secure the transmitted JSON? Below is my sample API:

using System.Linq;
using System.Threading.Tasks;
using Dapper;   // QueryAsync / ExecuteAsync / DynamicParameters

// mySqlConnection is an existing MySqlConnection field. Dapper opens and closes it as needed,
// so the unconditional Open() is gone; the undefined "parameters" and "sql" are replaced too.
public async Task<int> InsertUpdate(Devmns_stok model)
{
    // Is there already a row with this ID? @ID is bound from the anonymous object, never concatenated.
    var data = await mySqlConnection.QueryAsync<Devloperr>(
        "SELECT `ID` FROM `Stok_Developer` WHERE `ID` = @ID;",
        new { ID = model.DEVID });

    // One parameter per model property; the property names must match the @placeholders below.
    var parameters = new DynamicParameters(model);

    if (data.Count() == 1)
    {
        const string update = @"UPDATE `Stok_Developer`
            SET `ID` = @DEVID, `NAMA` = @DEVNAME, `GROUPDEVID` = @GROUPDEVID, `DEVNPWP` = @DEVNPWP,
                `DEVASSOCIATION` = @DEVASSOCIATION, `DEVCONTACTPERSON` = @DEVCONTACTPERSON,
                `DEVUPDDATE` = @DEVUPDDATE, `BRANCHID` = @BRANCHID, `ACTIVE` = @ACTIVE
            WHERE `ID` = @DEVID;";
        return await mySqlConnection.ExecuteAsync(update, parameters);
    }

    const string insert = @"INSERT INTO `Stok_Developer`
        (`ID`, `NAMA`, `GROUPDEVID`, `DEVNPWP`, `DEVASSOCIATION`, `DEVCONTACTPERSON`, `DEVUPDDATE`, `BRANCHID`, `ACTIVE`)
        VALUES (@DEVID, @DEVNAME, @GROUPDEVID, @DEVNPWP, @DEVASSOCIATION, @DEVCONTACTPERSON, @DEVUPDDATE, @BRANCHID, @ACTIVE);";
    return await mySqlConnection.ExecuteAsync(insert, parameters);
}

The API will receive a parameter and then insert/update it into the database.
I really need advice.

Thank you.

Answer

Well, there are many ways to secure it: encryption, abstractions, local storage with data IDs, etc.

Secure it from interception: post the data as a body.

which is as easy as:

[HttpPost("GetDataWithModel")]
public IActionResult MyApiEndpoint([FromBody] MyModel model) { ... }

But I assume you are referring to allowing only certain people to access it, while others may not. In that case, this is the way we do it (a major company that handles business data for Coca-Cola, government agencies and many more):

JToken

It’s a bit more than I can explain here, but essentially the flow is as follows:

  • User sends credentials (login).
  • We authenticate and send a JToken back, and the user saves it somewhere in the front end.
  • User sends an API request with parameters.
  • We check that the user is (1) authenticated and (2) authorised (meaning that if he wants admin data, he is an admin and not a common user) using middleware and custom attributes.
  • If the user is allowed, we send the response; otherwise we send a 401 response back.

The reason we use JToken is that it is very easy to use. Here is an example of how to use it: https://auth0.com/docs/tokens/json-web-tokens

If you want a more advanced version using Auth0, you can check out https://auth0.com/docs/tokens/json-web-tokens

Validation

Some of the comments suggest you are looking for validation of a model. This is a very easy thing to do: in your model you add data annotations. See the following link: https://docs.microsoft.com/en-us/aspnet/web-api/overview/formats-and-model-binding/model-validation-in-aspnet-web-api

Example:

public class MyModel 
{
    [Required]
    public int Id { get; set; }
    
    public string Name { get; set; }
    
    [Range(0, 200)]
    public int Age { get; set; }
}

Then on your endpoint you just put:

[ValidateModel]
public IActionResult MyApiValidationEndpoint([FromBody] MyModel model) { ... }
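As an added example that is not part of the answer above, here is a minimal ASP.NET Core app that implements the token flow the answer outlines with a JSON Web Token (the kind the linked Auth0 page describes): a login endpoint that verifies credentials and issues a signed token, the authentication middleware that validates it on every request, and a role policy on the data endpoint so that a missing or invalid token gets 401 and the wrong role gets 403. The signing secret, issuer, audience, credential check and the LoginRequest/StokUpdate records are placeholders, and the Microsoft.AspNetCore.Authentication.JwtBearer package is assumed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Placeholder secret (assumption): in a real app load it from configuration or a secret store, never source.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-A-RANDOM-SECRET-OF-32-BYTES-OR-MORE"));
const string Issuer = "example-issuer", Audience = "example-audience";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = Issuer,                // reject tokens minted by another issuer
        ValidAudience = Audience,            // ... or minted for another API
        IssuerSigningKey = signingKey,       // signature check: a tampered token fails here
        ClockSkew = TimeSpan.FromMinutes(1), // default expiry tolerance is 5 minutes
    });
builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole("admin")));

var app = builder.Build();
app.UseAuthentication(); // validates "Authorization: Bearer <token>" and fills HttpContext.User
app.UseAuthorization();  // enforces the policies: 401 without a valid token, 403 with the wrong role

// Steps 1-2 of the answer: the client posts credentials, the server verifies them and issues a signed token.
app.MapPost("/login", (LoginRequest req) =>
{
    // Placeholder credential check (assumption): replace with your user store and password hashing.
    if (req.Username != "alice" || req.Password != "correct horse battery staple")
        return Results.Unauthorized();

    var claims = new[] { new Claim(ClaimTypes.Name, req.Username), new Claim(ClaimTypes.Role, "admin") };
    var token = new JwtSecurityToken(Issuer, Audience, claims,
        expires: DateTime.UtcNow.AddMinutes(15),   // short lifetime limits the damage from a leaked token
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) });
});

// Steps 3-5: the request carries the token; only an authenticated user in the admin role reaches the body.
app.MapPost("/stok", (StokUpdate model, ClaimsPrincipal user) =>
        Results.Ok(new { updatedBy = user.Identity!.Name, model.DevId }))
   .RequireAuthorization("AdminOnly");

app.Run();

record LoginRequest(string Username, string Password);
record StokUpdate(string DevId, string DevName);
```

The same check can be applied to controller actions with `[Authorize(Policy = "AdminOnly")]` instead of `RequireAuthorization`; the middleware order (authentication before authorization) is what makes either form work.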