dotnet-aspnetcore-security
Install: `claude install-skill hlsitechio/claude-skills-security`
# ASP.NET Core Security Audit
Audit ASP.NET Core applications (.NET 6, 7, 8, 9).
## When this skill applies
- Reviewing ASP.NET Core middleware pipeline
- Auditing controllers / Minimal API endpoints
- Reviewing EF Core for SQL injection
- Checking authentication / authorization setup
- Auditing `appsettings.json` for secret handling
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
find . -name '*.csproj' -not -path '*/bin/*' -not -path '*/obj/*'
find . -name 'Program.cs' -not -path '*/bin/*' -not -path '*/obj/*'
dotnet --version 2>/dev/null
```
### Phase 2: Inventory
```bash
# Middleware pipeline
grep -rn 'app\.Use\|app\.Map\|builder\.Services' Program.cs Startup.cs 2>/dev/null
# Authorize attributes
grep -rn '\[Authorize\|\[AllowAnonymous' . --include='*.cs'
# EF queries
grep -rn 'FromSqlRaw\|ExecuteSqlRaw\|FromSqlInterpolated' . --include='*.cs'
# Configuration
ls appsettings*.json 2>/dev/null
```
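As an added example (not part of the skill's own files), a Python triage helper for the Phase 2 EF Core grep hits: it separates constant or parameterized `FromSqlRaw`/`ExecuteSqlRaw` calls from ones whose SQL text is built by `+` concatenation or a `$"..."` interpolated literal, which is the pattern that actually admits injection. The file names, line numbers and C# lines in `SAMPLE_HITS` are constructed to look like `grep -rn` output.

```python
import re

# Constructed sample of grep -rn hits (file:line:text) an auditor might collect
# from the Phase 2 inventory; not taken from any real project.
SAMPLE_HITS = """\
Data/UserRepo.cs:41:    var users = db.Users.FromSqlRaw("SELECT * FROM Users WHERE Name = '" + name + "'").ToList();
Data/UserRepo.cs:58:    var users = db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = '{name}'").ToList();
Data/UserRepo.cs:73:    var users = db.Users.FromSqlRaw("SELECT * FROM Users WHERE Name = {0}", name).ToList();
Data/UserRepo.cs:90:    var users = db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}").ToList();
Data/Admin.cs:12:       db.Database.ExecuteSqlRaw("DELETE FROM Sessions WHERE UserId = " + userId);
Data/Admin.cs:20:       db.Database.ExecuteSqlRaw("DELETE FROM Sessions WHERE Expired = 1");
"""

HIT_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):(?P<code>.*)$")
RAW_CALL_RE = re.compile(r"\b(FromSqlRaw|ExecuteSqlRaw)\s*\(")

def classify(code: str) -> str:
    """Return 'safe', 'injectable' or 'n/a' for one C# source line.
    *SqlInterpolated: EF Core turns the interpolation holes into DbParameters -> safe.
    *SqlRaw: SQL text must be constant; a `+`-concatenated or `$"` literal is
    injectable, while `{0}` placeholders with extra arguments are parameterized."""
    if "SqlInterpolated(" in code:
        return "safe"
    m = RAW_CALL_RE.search(code)
    if not m:
        return "n/a"
    arg = code[m.end():]  # everything after the opening parenthesis
    if re.search(r'\$@?"|@?\$"', arg) or re.search(r'"\s*\+|\+\s*"', arg):
        return "injectable"
    return "safe"

def audit(hits: str) -> list[tuple[str, int, str]]:
    """Parse grep-style hits and return (file, line, verdict) for each raw SQL call."""
    findings = []
    for raw in hits.splitlines():
        m = HIT_RE.match(raw)
        if not m:
            continue
        verdict = classify(m.group("code"))
        if verdict != "n/a":
            findings.append((m.group("file"), int(m.group("line")), verdict))
    return findings

if __name__ == "__main__":
    for file, line, verdict in audit(SAMPLE_HITS):
        print(f"{verdict:10} {file}:{line}")
```

Pipe the real `grep -rn 'FromSqlRaw\|ExecuteSqlRaw\|FromSqlInterpolated'` output into `audit()` to get a first-pass worklist; the heuristics only look at one line, so calls whose SQL string is assembled earlier still need manual review.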
### Phase 3: Detection — the checks
#### Middleware pipeline order
```csharp
// Program.cs (.NET 6+ minimal hosting)
var app = builder.Build();
app.UseHttpsRedirection();
app.UseHsts(); // HSTS
app.UseStaticFiles(); // Static files before auth (intentional)
app.UseRouting();
app.UseCors(policyName); // After routing, before auth
app.UseAuthentication(); // Authentication
app.UseAuthorization(); // Authorization (after authentication)
app.UseAntiforgery(); // .NET 8+ explicit
app.MapControlle
```