Top Security Practices for Blazor PWAs in 2025

 


Progressive Web Apps (PWAs) have revolutionized the way we build and deliver applications, offering a native-like experience with the flexibility of the web. Blazor, as a modern framework for building PWAs with .NET, empowers developers to create robust applications. However, with increased functionality comes greater responsibility to ensure your app is secure.

In 2025, security threats are more sophisticated than ever, making it critical to adopt best practices when building Blazor PWAs. In this post, we’ll explore modern security strategies, including HTTPS, authentication, CSRF protection, and securing service workers, to safeguard your Blazor PWA.

1. Enforce HTTPS Everywhere

Why HTTPS?

HTTPS encrypts the communication between your app and the user, protecting sensitive data from being intercepted by attackers. For PWAs, HTTPS is a requirement to use service workers and enable features like push notifications and offline support.

Best Practices

  • Enforce HTTPS: Configure your server to redirect all HTTP traffic to HTTPS.
  • HSTS (HTTP Strict Transport Security): Use HSTS to prevent users from accessing the site over HTTP, even if they manually attempt to.
  • Certificate Management: Use automated tools like Let’s Encrypt to manage SSL/TLS certificates.

Example: Enabling HTTPS in ASP.NET Core Ensure your app enforces HTTPS in Program.cs:


var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});
var app = builder.Build();
app.UseHttpsRedirection();
app.Run();

2. Implement Secure Authentication

Modern Authentication Options

  • OAuth 2.0 and OpenID Connect (OIDC): Use a robust identity provider like Azure AD, Auth0, or Okta.
  • Multi-Factor Authentication (MFA): Add an extra layer of security by requiring users to verify their identity with a second factor.
  • Token-Based Authentication: Use secure JSON Web Tokens (JWT) for stateless authentication.

Best Practices

  • Secure Storage: Store tokens in secure locations, like sessionStorage, and avoid localStorage to minimize risks from XSS attacks.
  • Token Expiration: Use short-lived tokens and refresh them securely.

Example: Configuring Authentication in Blazor Configure OIDC in Program.cs:


builder.Services.AddOidcAuthentication(options =>
{
    options.ProviderOptions.Authority = "https://your-identity-provider";
    options.ProviderOptions.ClientId = "your-client-id";
});

3. Prevent Cross-Site Request Forgery (CSRF)

What is CSRF?

CSRF is an attack that tricks a user into performing unwanted actions on a website where they are authenticated. Protecting against CSRF is critical for safeguarding sensitive user actions.

Best Practices

  • Use Anti-Forgery Tokens: Blazor Server automatically includes anti-forgery tokens for form submissions. Ensure they are enabled.
  • Restrict CORS Policies: Limit cross-origin requests to trusted origins only.

Example: Enforcing Anti-Forgery in ASP.NET Core


app.Use(async (context, next) =>
{
    var tokens = context.RequestServices.GetRequiredService<IAntiforgery>();
    var tokenSet = tokens.GetAndStoreTokens(context);
    context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken!,
        new CookieOptions { HttpOnly = false });
    await next.Invoke();
});

4. Secure Service Workers

Why Service Worker Security Matters

Service workers are powerful but can introduce vulnerabilities if not implemented securely. Since they intercept network requests and cache resources, they can be exploited for malicious purposes.

Best Practices

  • Restrict Scope: Limit the scope of your service worker to the specific areas it serves using the scope option.
  • Validate Cached Assets: Implement a cache versioning strategy to ensure outdated or malicious files aren’t served.
  • HTTPS Only: Service workers require HTTPS for a reason—ensure your app enforces it.

Example: Secure Service Worker Registration


navigator.serviceWorker.register('/service-worker.js', { scope: '/' })
    .then(registration => {
        console.log('Service worker registered with scope:', registration.scope);
    })
    .catch(error => {
        console.error('Service worker registration failed:', error);
    });

5. Harden Your Blazor Application

Content Security Policy (CSP)

CSP mitigates XSS attacks by defining the sources from which content can be loaded.

Example: Adding a CSP Header


app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; script-src 'self'");
    await next();
});

Input Validation

Always validate user input on the client and server to prevent injection attacks. Use Blazor’s built-in validation components for client-side validation.

6. Monitor and Log Security Events

Why Logging Matters

Monitoring your app for suspicious activities, failed login attempts, and unexpected errors can help you identify and respond to potential threats quickly.

Best Practices

  • Use Azure Application Insights or similar tools to monitor app activity.
  • Log failed authentication attempts and unusual traffic patterns.

Example: Logging in ASP.NET Core


builder.Services.AddLogging(logging =>
{
    logging.AddConsole();
    logging.AddAzureWebAppDiagnostics();
});

7. Keep Dependencies Updated

Vulnerabilities in outdated dependencies are a common attack vector. Regularly update your Blazor application and its dependencies to patch known security issues.

Best Practices

  • Use tools like Dependabot or NuGet Package Manager to track and apply updates.
  • Audit your dependencies for vulnerabilities using tools like OWASP Dependency-Check.

8. Secure API Communication

Best Practices

  • Use HTTPS for all API calls.
  • Authenticate API endpoints with OAuth or API keys.
  • Validate all incoming requests on the server.

Example: Calling an API Securely


private async Task FetchData()
{
    var request = new HttpRequestMessage(HttpMethod.Get, "https://api.example.com/data");
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

    var response = await Http.SendAsync(request);
    if (response.IsSuccessStatusCode)
    {
        var data = await response.Content.ReadFromJsonAsync<MyData>();
    }
}

Conclusion

Securing a Blazor PWA in 2025 requires a proactive approach, leveraging modern tools and best practices to protect your app and its users. By enforcing HTTPS, securing authentication, preventing CSRF, and hardening service workers, you can build resilient applications that stand up to evolving threats.

Are you ready to take your Blazor PWA security to the next level? For more insights, advanced techniques, and real-world examples, check out my book, Building Progressive Web Apps with Blazor.

Comments

Post a Comment

Popular posts from this blog

Yes, Blazor Server can scale!

Image
From the very beginning of the release of Blazor Server naysayers have incorrectly stated that Blazor Server can not scale.  They usually state that the limit is 5,000 concurrent users. There are several misconceptions and wrong assumptions about their statement.  Let's break it down and get a better understanding of Blazor server-side scaling. What is the "limit" for users When Microsoft talks about the need to scale an application, what they are saying is that when a normal response for any concurrent user is taking longer than 200 ms, the system is not performant and needs to scale. We will accept that definition: If any normal user response is taking longer than 200 ms, the system needs to scale for concurrent users. By a normal response, we are referring to a page get, a post, etc.  Large database access requests would not be included in this measurement. What is scaling There are 2 common ways to scale, scale, out horizontally, and scale-up, up vertically. In our di...
Read more

Blazor - Displaying an Image

I wanted to be able to display an image file within a Blazor page.  During my research I realized that there is very little difference between displaying an image in Blazor as compared to displaying it in a HTML page.  So, I decided to add a couple of other features to my application.   The features I have added are:   1. Get a list of files on the server   2. Display at list in a Blazor page   3. Provide a UI effect to zoom in on the image   I will be using the Blazor Server configuration for this application.  We can do this with the Client-side configuration, but you need an API to access the server files.  I have created a folder under WWWROOT called DsiplayImages where I have placed several images I will be working with.  I have created a service that will access the image files from the server.  In addition, I have created a model for the file properties I a need.   ...
Read more

Blazor new and improved Search Box

 Back in March, I posted a new Blazor data grid with a search box ( see post ).  Since then I have found a new and improved search box that I wanted to implement.  The search part is implemented the same.  What I added was the ability for the user to narrow down the search by selecting which field they wanted to search on.  This will help the user find what they are looking for and in a large collection, the search will end up being faster. The goal of making the change was to make the search box a new component and have it handle the UI functionality part. Prep Work Here is the prep work I did before adding the search box: Started with the source code from the post listed above. Upgraded the project to .Net 5 Upgraded the Nuget packages that were out of date. Ensured every build and run. Change to a Component I wanted to create a component for the search box so I could use it in other applications.   1. Create a Folder under UIControls called "SearchB...
Read more