search
HomepageDemo

Best Practices

hashtag
Configuration Settings

If your deployment allows for configuring settings outside of the source code (e.g. the Application Settings tab on Microsoft Azure App Services) then this can be used to configure a set of application settings that even the developers won't have access to.

hashtag
Security Tokens

Critical: Replace all security tokens in production environments. The default tokens generated during development should never be used in production as they may be committed to source control.

Replace the following tokens in your production configuration:

  • ApplicationSalt (via the Vidyano:ApplicationSalt app setting)

  • DiagnosticsToken (via the Vidyano:Diagnostics app setting)

  • ObjectIdsSalt (via the Vidyano:ObjectIdsSalt app setting)

  • JwtHS256Key (via the Vidyano:JwtHS256Key app setting)

PowerShell Token Generator:

Use this PowerShell snippet to generate secure random tokens matching Vidyano's token generation logic:

function Get-SecureRandomString {
    param(
        [int]$Length = 32
    )

    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()

    $base64 = [Convert]::ToBase64String($bytes)
    return $base64.Replace('+', '-').Replace('/', '_').TrimEnd('=')
}

Write-Host '"ApplicationSalt": "' -NoNewline
Write-Host (Get-SecureRandomString -Length 40) -NoNewline -ForegroundColor Green
Write-Host '",'

Write-Host '"DiagnosticsToken": "' -NoNewline
Write-Host (Get-SecureRandomString -Length 40) -NoNewline -ForegroundColor Green
Write-Host '",'

Write-Host '"ObjectIdsSalt": "' -NoNewline
Write-Host (Get-SecureRandomString -Length 40) -NoNewline -ForegroundColor Green
Write-Host '",'

Write-Host '"JwtHS256Key": "' -NoNewline
Write-Host (Get-SecureRandomString -Length 32) -NoNewline -ForegroundColor Green
Write-Host '"'

This outputs JSON-formatted values ready to copy-paste into your configuration.

hashtag
Cookie-Based Authentication

Recommended: Enable cookie-based authentication for enhanced security in web applications.

By default, Vidyano stores authentication tokens in browser storage. For improved security, you can enable secure, HttpOnly cookies via the CookieBasedAuthentication setting:

Benefits:

  • Authentication tokens stored in secure, HttpOnly cookies (not accessible via JavaScript)

  • Better protection against XSS attacks

  • Automatic cookie transmission with requests

Compatibility notes:

  • Safe to enable for standard web applications

  • If your application calls Vidyano APIs directly (e.g., from external services), ensure your HTTP client library has cookie store support enabled

  • The Vidyano.Core NuGet package has this enabled by default since v5.53.0

hashtag
Other Configuration Settings

  • Use a different set of credentials/connection string for the database

  • If configured, use another connection string for verbose logging

  • Enable the Vidyano:ForceHttps app setting to enable HSTS

  • Configure TLS 1.2 to be the minimum TLS version

  • Disable the admin user and use another named user that is an administrator or make sure that the password is strong (and different from development)

hashtag
Code Configuration

hashtag
Rate Limiting

Enable rate limiting to protect against abuse and brute-force attacks. Rate limiting is disabled by default and can be enabled in your appsettings.json:

This enables the default Moderate level with rate limit headers included. You can customize the level if needed:

Available levels:

Level
Read/min
Write/min
Use Case

Relaxed

500

200

Development, internal tools

Moderate

120

60

Default - recommended for production

Strict

60

30

High-security environments

VeryStrict

30

10

Public APIs

The rate limiting feature includes:

  • User-based partitioning - Works in intranet environments without IP-based issues

  • Automatic 2FA token reuse prevention - Built-in protection against replay attacks

  • Read/Write classification - Different limits for read vs write operations

  • Standard response headers - X-RateLimit-Limit and X-RateLimit-Remaining

hashtag
Distributed Cache (Optional)

Recent versions of Vidyano include automatic in-memory rate limiting and 2FA token validation. However, you may still want to add a distributed cache in these scenarios:

  • Multi-instance deployments - When your application runs across multiple instances, pods, or servers

  • Persistence across restarts - To maintain rate limit counters and 2FA validation state when the application restarts

Redis Cache (Recommended for production):

Install the Microsoft.Extensions.Caching.StackExchangeRedisarrow-up-right NuGet package, then configure:

SQL Server Cache:

When IDistributedCache is registered, Vidyano will automatically use it for rate limiting and 2FA validation. Otherwise, it falls back to in-memory caching (per instance).

hashtag
Security Headers

Add security headers to protect against common web vulnerabilities. The GetWebsiteContent method in your [Schema]Web class is called for the initial HTML page and is the ideal place to add security headers:

Important: Review and adjust the Content-Security-Policy based on your application's specific needs. The example above is a starting point that may need to be relaxed for certain features.

hashtag
Automation protection

If the web app is available on the public internet and can be accessed without logging in (e.g. contact form) you should provide extra protection against abuse. This can easily be done by using the Google reCaptcha library to validate the request.

hashtag
External Audit

Vidyano has been externally audited by The Security Factory, you can read the report here (2023)arrow-up-right, here (2018)arrow-up-right, here (2014)arrow-up-right.

“Overall Security Posture

Based on our experience we would rate the security posture of the application in the higher regions of good security.”

PreviousForgot passwordNextAzure AD SAML based Sign-on

Last updated

Was this helpful?