BizBox.WebApi.Template
1.6.0
dotnet new install BizBox.WebApi.Template::1.6.0
🚀 BizBox WebAPI Template
Version 1.6.0 - Enterprise-grade .NET 8 Web API template with 100% complete security implementation
📋 Table of Contents
- Overview
- Installation
- Quick Start
- Features
- Documentation
- Architecture
- Security
- Project Structure
- Development
- Deployment
- Version History
- Support & Contributing
🎯 Overview
BizBox is a production-ready .NET 8 Web API template built with Clean Architecture principles, featuring enterprise-grade security, HIPAA-compliant audit logging, and comprehensive authentication/authorization systems. Perfect for healthcare, finance, and high-security applications.
🌟 Key Highlights
- 🔐 Enterprise Security - Multi-layer defense with JWT, encrypted payloads, token blacklist, refresh tokens
- 🏥 HIPAA-Ready Features - Comprehensive audit logging, encryption in transit, secure logout, account lockout
- 🛡️ Advanced Protection - BOLA/IDOR prevention with ticket-based authorization
- 💬 Real-time Messaging - SignalR-powered WebSocket communication
- 🏗️ Clean Architecture - Maintainable, testable, scalable codebase
- 📊 Audit Trail - Automatic change tracking with old/new values, duration monitoring
- 🔄 Session Management - Configurable single/multi-device policies with proper logout
- 📧 Invitation System - Email-based user onboarding
- 🚀 Template Ready - Install from NuGet, customize, and deploy
📈 Current Status
| Metric | Status | Notes |
|---|---|---|
| Overall Security | 100% Complete | ✅ 19/19 items implemented 🎉 |
| HIPAA Compliance | 55% Complete | 🚧 Core features done, encryption pending |
| Production Ready | ✅ Yes | Secure for non-PHI workloads |
| HIPAA PHI Ready | 🚧 In Progress | Encryption at rest pending |
📦 Installation (from NuGet)
Install the Template
```bash
dotnet new install BizBox.WebApi.Template
```
Create a New Project
```bash
# Create from template
dotnet new bizboxapi -n MyCompanyName.ProjectName

# Navigate to project
cd MyCompanyName.ProjectName

# Open in IDE
code .                                # VS Code
# or
start MyCompanyName.ProjectName.sln   # Visual Studio
```
Verify Installation
```bash
dotnet new bizboxapi --help
```
🚀 Quick Start
1. Generate Secrets
```powershell
# Windows
Generate-Secrets.bat

# Or PowerShell
.\Generate-Secrets.ps1
```
This will generate all required secrets and optionally save them to a .env file.
2. Database Setup
```bash
# Create PostgreSQL databases
createdb BizBox.Db        # Main database
createdb BizBox.AuditDb   # Audit database (HIPAA requirement)
```
3. Configure Secrets
```bash
cd MyProject.API

# Initialize User Secrets
dotnet user-secrets init

# Set required secrets
dotnet user-secrets set "ConnectionStrings:Default" "Host=localhost;Port=5432;Username=postgres;Password=yourpassword;Database=BizBox.Db"
dotnet user-secrets set "ConnectionStrings:AuditDb" "Host=localhost;Port=5432;Username=postgres;Password=yourpassword;Database=BizBox.AuditDb"
dotnet user-secrets set "Jwt:Key" "your-super-secret-jwt-key-min-32-characters-long"
dotnet user-secrets set "Encryption:Key" "12345678901234567890123456789012"
dotnet user-secrets set "Encryption:IV" "1234567890123456"
dotnet user-secrets set "SuperAdmin:Email" "admin@yourdomain.com"
dotnet user-secrets set "SuperAdmin:Password" "SecurePassword123!"
```
4. Apply Migrations
```bash
# Main database
dotnet ef database update --context ApplicationDbContext

# Audit database
dotnet ef database update --context AuditDbContext
```
5. Run the Application
```bash
dotnet run --project BizBox.API
```
API: https://localhost:7264
Swagger: https://localhost:7264/swagger
SignalR Test: https://localhost:7264/signalr-test-client.html
📖 Need help? See docu/QUICK_START.md for detailed setup
✨ Features
🔐 Security Features (100% Complete)
✅ Implemented (19/19)
Authentication & Authorization:
- ✅ JWT Authentication with HS256/RS256 support
- ✅ Role-based authorization (Admin, SuperAdmin, Finance)
- ✅ Token versioning (concurrent session detection)
- ✅ Encrypted JWT payloads (AES-256)
- ✅ Ticket-based authorization (BOLA/IDOR protection)
- ✅ Password hashing (PBKDF2 with salt)
- ✅ Email confirmation
- ✅ Invitation-based registration
Token Management:
✅ Refresh Token Implementation (NEW in v1.2.0 ✨)
- Long-lived sessions (30 days) with short-lived JWTs (60 min)
- Automatic token rotation on every use (old token revoked, new issued)
- SHA-256 hashing for secure database storage
- Token reuse detection for security breach identification
- Token version validation prevents concurrent session attacks
- Session mode support (Single/Multiple/Limited)
- IP address and User-Agent tracking
- `/api/auth/refresh-token` endpoint for token renewal
- Full audit trail integration
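The rotate-on-use scheme listed above, as an added example that is not the template's own `RefreshTokenService`: an in-memory store keeps only the SHA-256 hash of each refresh token, revokes the presented token on every refresh, and treats a second presentation of an already-rotated token as reuse. The `RefreshTokenStore` and `RefreshTokenRecord` types and the "revoke the whole token family on reuse" response are assumptions of this example; the page states that reuse is detected but not how the template reacts to it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the template's code. A "family" is every token descended from one login,
// so that detecting reuse can invalidate both the legitimate client's and the attacker's copy.
public sealed class RefreshTokenRecord
{
    public string TokenHash = "";      // SHA-256 of the raw token, hex; the raw value is never stored
    public string UserId = "";
    public Guid Family;
    public DateTime ExpiresUtc;
    public DateTime? RevokedUtc;
    public string? ReplacedByHash;     // hash of the successor token, set when this one is rotated
    public bool IsActive => RevokedUtc is null && DateTime.UtcNow < ExpiresUtc;
}

public sealed class RefreshTokenStore
{
    private readonly List<RefreshTokenRecord> _records = new();
    private readonly TimeSpan _lifetime = TimeSpan.FromDays(30);   // the page's 30-day session length

    public static string Hash(string rawToken) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(rawToken)));

    // Issue a fresh token; the raw value goes to the client, only its hash is persisted.
    public string Issue(string userId, Guid? family = null)
    {
        var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _records.Add(new RefreshTokenRecord
        {
            TokenHash = Hash(raw),
            UserId = userId,
            Family = family ?? Guid.NewGuid(),
            ExpiresUtc = DateTime.UtcNow + _lifetime
        });
        return raw;
    }

    // Rotate: revoke the presented token and issue its successor.
    // Returns null when the token is unknown, expired, revoked, or has already been rotated.
    public string? Rotate(string rawToken)
    {
        var hash = Hash(rawToken);
        var rec = _records.FirstOrDefault(r => r.TokenHash == hash);
        if (rec is null) return null;

        if (rec.ReplacedByHash is not null)
        {
            // Reuse of a rotated token: someone holds a copy that should no longer exist.
            // Revoke the entire family so every holder has to authenticate again.
            foreach (var r in _records.Where(r => r.Family == rec.Family && r.RevokedUtc is null))
                r.RevokedUtc = DateTime.UtcNow;
            return null;
        }
        if (!rec.IsActive) return null;

        var next = Issue(rec.UserId, rec.Family);
        rec.RevokedUtc = DateTime.UtcNow;
        rec.ReplacedByHash = Hash(next);
        return next;
    }

    public int ActiveCount(string userId) => _records.Count(r => r.UserId == userId && r.IsActive);
}

public static class RefreshTokenDemo
{
    public static void Main()
    {
        var store = new RefreshTokenStore();
        var t1 = store.Issue("user-1");
        var t2 = store.Rotate(t1)!;                // normal use: t1 is revoked, t2 issued
        Console.WriteLine($"active after rotation: {store.ActiveCount("user-1")}");

        var reused = store.Rotate(t1);             // t1 presented a second time: reuse
        Console.WriteLine($"reuse issued a token: {reused is not null}");
        Console.WriteLine($"active after reuse: {store.ActiveCount("user-1")}");
        Console.WriteLine($"t2 still usable: {store.Rotate(t2) is not null}");
    }
}
```

After the first rotation one token is active; after the reuse attempt none is, and the successor `t2` is refused as well, which is the property that makes a stolen refresh token detectable rather than silently usable for 30 days.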
✅ Token Blacklist (NEW in v1.2.0 ✨)
- Immediate token invalidation on logout
- "Logout all devices" functionality with bulk blacklisting
- Database-backed blacklist (PostgreSQL)
- Token blacklist middleware (validates on every request)
- Background cleanup service (removes expired tokens hourly)
- Configurable cleanup interval and batch size
- Works across load-balanced servers
- Proper logout that actually works!
- No more "JWT tokens can't be revoked" problem! 🎉
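The blacklist behaviour described above, as an added example that is not the template's `DatabaseTokenBlacklistService`: an in-memory model keyed by the JWT's `jti` claim. Keying on `jti`, the `JtiBlacklist` type, and the exact cleanup policy are assumptions of this example; the page says only that the blacklist is database-backed, checked on every request, and cleaned hourly in batches. The point it shows is that an entry only has to outlive the token's own `exp`, so the table stays bounded.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the template's code.
public sealed class BlacklistEntry
{
    public string Jti = "";
    public string UserId = "";
    public DateTime ExpiresUtc;        // copied from the token's exp claim
    public string Reason = "";
}

public sealed class JtiBlacklist
{
    private readonly Dictionary<string, BlacklistEntry> _entries = new();
    private readonly Func<DateTime> _clock;    // injectable clock so expiry can be simulated

    public JtiBlacklist(Func<DateTime>? clock = null) => _clock = clock ?? (() => DateTime.UtcNow);

    public void Revoke(string jti, string userId, DateTime expiresUtc, string reason) =>
        _entries[jti] = new BlacklistEntry { Jti = jti, UserId = userId, ExpiresUtc = expiresUtc, Reason = reason };

    // "Logout all devices": every still-valid access token the user holds is listed in one go.
    // The caller supplies the (jti, exp) pairs it tracks per session.
    public int RevokeAll(string userId, IEnumerable<(string Jti, DateTime ExpiresUtc)> activeTokens)
    {
        var n = 0;
        foreach (var (jti, exp) in activeTokens) { Revoke(jti, userId, exp, "logout-all"); n++; }
        return n;
    }

    // Called by middleware on every authenticated request, after signature validation.
    // An expired entry is irrelevant because the JWT layer already rejects expired tokens.
    public bool IsRevoked(string jti) =>
        _entries.TryGetValue(jti, out var e) && _clock() < e.ExpiresUtc;

    // Background cleanup: remove at most batchSize expired entries per run.
    public int Cleanup(int batchSize)
    {
        var now = _clock();
        var stale = _entries.Values.Where(e => e.ExpiresUtc <= now)
                                   .Take(batchSize).Select(e => e.Jti).ToList();
        foreach (var jti in stale) _entries.Remove(jti);
        return stale.Count;
    }

    public int Count => _entries.Count;
}

public static class BlacklistDemo
{
    public static void Main()
    {
        var now = new DateTime(2026, 2, 12, 10, 0, 0, DateTimeKind.Utc);   // constructed clock
        var blacklist = new JtiBlacklist(() => now);

        // Constructed session data: two devices holding 60-minute access tokens at different ages.
        var sessions = new[] { ("jti-phone", now.AddMinutes(60)), ("jti-laptop", now.AddMinutes(45)) };
        blacklist.RevokeAll("user-1", sessions);
        Console.WriteLine($"phone token revoked: {blacklist.IsRevoked("jti-phone")}");

        now = now.AddMinutes(50);   // the laptop token has now expired on its own
        Console.WriteLine($"removed by cleanup: {blacklist.Cleanup(batchSize: 100)}, remaining: {blacklist.Count}");
        Console.WriteLine($"phone token still revoked: {blacklist.IsRevoked("jti-phone")}");
    }
}
```

Because a short-lived JWT (60 minutes on this page) bounds how long each row must be retained, a blacklist sized to one hour of logouts stays small even under load, and the cleanup service never has to scan tokens that the JWT middleware would reject anyway.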
Account Protection:
- ✅ Account Lockout Mechanism (v1.1)
- Automatic lockout after 5 failed attempts
- 15-minute lockout duration (configurable)
- Admin unlock capability with reason tracking
- List all locked accounts (admin dashboard)
- Full audit trail integration
- Generic error messages (prevents account enumeration)
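The lockout rules listed above, as an added example that is not the template's Identity configuration: a standalone tracker using the page's defaults (5 failed attempts, 15-minute lockout) that returns the same generic message for a wrong password and for a locked account. The `AccountLockoutTracker` and `LockoutPolicy` types and the injected clock are assumptions of this example; the real template delegates this to ASP.NET Core Identity.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the template's code.
public sealed class LockoutPolicy
{
    public int MaxFailedAttempts { get; init; } = 5;
    public TimeSpan LockoutDuration { get; init; } = TimeSpan.FromMinutes(15);
}

public sealed class AccountLockoutTracker
{
    private sealed class State { public int Failed; public DateTime? LockedUntilUtc; }

    private readonly Dictionary<string, State> _accounts = new(StringComparer.OrdinalIgnoreCase);
    private readonly LockoutPolicy _policy;
    private readonly Func<DateTime> _clock;    // injectable clock so the window can be simulated

    // One message for every failure mode, so the response does not reveal whether the
    // account exists, whether the password was close, or whether the account is locked.
    public const string GenericFailure = "Invalid email or password.";

    public AccountLockoutTracker(LockoutPolicy policy, Func<DateTime>? clock = null)
    {
        _policy = policy;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    public bool IsLockedOut(string email) =>
        _accounts.TryGetValue(email, out var s) && s.LockedUntilUtc is { } until && _clock() < until;

    // passwordOk is the outcome of the real credential check (hashing is not shown here).
    public (bool Success, string Message) Attempt(string email, bool passwordOk)
    {
        if (!_accounts.TryGetValue(email, out var s))
            _accounts[email] = s = new State();

        if (IsLockedOut(email))
            return (false, GenericFailure);   // locked: refuse even a correct password

        if (passwordOk)
        {
            s.Failed = 0;                      // a successful login resets the counter
            s.LockedUntilUtc = null;
            return (true, "OK");
        }

        s.Failed++;
        if (s.Failed >= _policy.MaxFailedAttempts)
        {
            s.LockedUntilUtc = _clock() + _policy.LockoutDuration;
            s.Failed = 0;                      // counting restarts once the window has passed
        }
        return (false, GenericFailure);
    }

    // Admin unlock; in a deployment the reason is what gets written to the audit log.
    public void AdminUnlock(string email, string reason)
    {
        if (_accounts.TryGetValue(email, out var s)) { s.Failed = 0; s.LockedUntilUtc = null; }
        Console.WriteLine($"audit: {email} unlocked by admin, reason: {reason}");
    }
}

public static class LockoutDemo
{
    public static void Main()
    {
        var now = new DateTime(2026, 2, 12, 9, 0, 0, DateTimeKind.Utc);   // constructed clock
        var tracker = new AccountLockoutTracker(new LockoutPolicy(), () => now);

        for (var i = 0; i < 5; i++) tracker.Attempt("alice@example.com", passwordOk: false);
        Console.WriteLine($"locked after 5 failures: {tracker.IsLockedOut("alice@example.com")}");

        // A correct password inside the window is still refused, with the generic message.
        var (ok, msg) = tracker.Attempt("alice@example.com", passwordOk: true);
        Console.WriteLine($"during lockout: success={ok}, message=\"{msg}\"");

        now = now.AddMinutes(16);   // the 15-minute window has elapsed
        (ok, msg) = tracker.Attempt("alice@example.com", passwordOk: true);
        Console.WriteLine($"after the window: success={ok}");

        tracker.AdminUnlock("alice@example.com", "user verified by phone");
    }
}
```

The detail worth copying is that the lockout check runs before the password is evaluated: a locked account must not leak a different timing or message depending on whether the guess was right.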
Audit & Monitoring:
✅ Comprehensive Audit Logging (v1.1)
- Separate PostgreSQL audit database (HIPAA requirement)
- Automatic change tracking for all entities
- Old/new value capture for complete audit trail
- User and operation tracking
- Duration and IP address logging
- Fire-and-forget pattern (minimal performance impact)
- Audit query API endpoints (admin only)
- Security event tracking (failed logins, lockouts, privilege changes)
- HIPAA-compliant with 6-year retention support
✅ Structured logging with Serilog
✅ Real-time security event monitoring
API Protection:
- ✅ Rate limiting (AspNetCoreRateLimit)
- Login: 5 attempts per 15 minutes
- Registration: 3 per hour
- Token refresh: 10 per hour
- General API: 100 per minute
- ✅ IP-based rate limiting
- ✅ Configurable per-endpoint limits
- ✅ IP whitelist support
Configuration Security:
- ✅ User Secrets (Development)
- ✅ Environment Variables (Production)
- ✅ Azure Key Vault ready
- ✅ Secrets generator tool
- ✅ Configurable Identity Settings
- Lockout policy via appsettings.json
- Password requirements configurable
- Environment-specific overrides
Transport Security:
- ✅ HTTPS enforcement
- ✅ HSTS headers
- ✅ CORS configuration
- ✅ Secure WebSocket (SignalR)
- ✅ Security Headers (NEW in v1.3.0 ✨)
- Content Security Policy (CSP) with report-only mode
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing prevention)
- Referrer-Policy (privacy protection)
- Permissions-Policy (feature control)
- X-XSS-Protection (legacy browser support)
- Server header removal (information disclosure prevention)
- Configurable per environment (Dev/Production/OnPremise/Docker)
- External origin validation for non-browser apps (mobile, APIs)
- Proxy support with header poisoning protection
Session Management:
- ✅ Single/Multiple/Limited session modes
- ✅ Multi-device tracking
- ✅ Logout current device (with blacklist)
- ✅ Logout all devices (with blacklist)
- ✅ Session info endpoint
- ✅ Refresh token integration
18. ✅ Input Sanitization (XSS Protection)
- Status: ✅ Complete (February 2026 - v1.4.0)
- Category: Input Validation
- Priority: P2 - High
- Implementation:
- Global sanitization filter for automatic XSS protection
- HtmlSanitizer integration (v8.1.870)
- Attribute-based control ([SanitizePlainText], [SanitizeRichText])
- Two operation modes: Silent (auto-fix) and Reject (strict)
- Threat detection with 5 levels (None to Critical)
- Environment-specific configuration (Dev strict, Prod safe)
- Comprehensive audit logging integration
- Nested objects, arrays, and dictionaries support
- `/api/*` POST/PUT/PATCH automatic sanitization
- 30+ page implementation guide
Documentation: INPUT_SANITIZATION_GUIDE.md
19. ✅ CSRF Protection (Architecture-Based)
- Status: ✅ Complete (February 10, 2026 - v1.5.0)
- Category: Web Security
- Priority: P2 - High
- Implementation:
- JWT + localStorage provides inherent CSRF protection
- No traditional anti-forgery tokens needed
- Architecture-based security approach
- Documented decision and rationale
Documentation: WHY_NO_CSRF_PROTECTION.md
🚧 Future Enhancements (For HIPAA PHI Certification)
Priority 3 (P3) - Medium:
- Encryption at Rest (HIPAA Critical) - 1-2 weeks
- Database field-level encryption
- AES-256 encryption for PHI
- Secure key management
Priority 4 (P4) - Optional:
- Two-Factor Authentication (2FA) - 1-2 weeks
- TOTP-based implementation
- QR code generation
- Backup codes
📊 Detailed Status: See docu/SECURITY_AUDIT.md
💬 Real-time Features (SignalR)
- ✅ Private messaging
- ✅ Group chat
- ✅ Online/offline status
- ✅ Multi-device support
- ✅ Typing indicators
- ✅ System notifications
- ✅ Auto-reconnection
- ✅ JWT authentication
🎯 Application Features
- ✅ User management (Identity framework)
- ✅ Email invitation system
- ✅ Global exception handling
- ✅ Input validation (FluentValidation)
- ✅ AutoMapper object mapping
- ✅ MediatR CQRS pattern
- ✅ Swagger/OpenAPI documentation
- ✅ API versioning
- ✅ Sample CRUD operations
🏢 Facility Management (NEW in v1.6.0 ✨)
- ✅ Multi-tenant facility architecture
- ✅ Complete facility information (address, contact, type)
- ✅ Facility-scoped data isolation (BOLA/IDOR protection)
- ✅ Primary facility designation
- ✅ Active/inactive facility management
- ✅ Logo and branding support
- ✅ Soft delete with audit trail
- ✅ Facility-specific configurations
- ✅ User-facility relationships
📁 File Storage System (NEW in v1.6.0 ✨)
Core Features:
- ✅ GUID-based physical storage (prevents path guessing)
- ✅ Virtual folder hierarchy (user-friendly organization)
- ✅ Multiple file type support:
- Images: JPG, JPEG, PNG, GIF (with thumbnail generation)
- Documents: PDF, DOCX, XLSX
- Text: TXT
- ✅ MD5 content hashing (integrity verification)
- ✅ Duplicate detection
- ✅ Soft delete with trash functionality (30-day retention)
- ✅ Access tracking and analytics
- ✅ File sharing with permission control
- ✅ Storage quota management per facility/user
Security Features:
- ✅ Facility-scoped storage (BOLA/IDOR protection)
- ✅ User ownership enforcement
- ✅ Content type validation (magic bytes)
- ✅ File size limit enforcement
- ✅ Virus scanning support (future integration)
- ✅ Secure file path generation
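The "content type validation (magic bytes)" item above, as an added example that is not the template's own validator: the client-supplied file name and `Content-Type` are treated as untrusted, and the upload is accepted only if its leading bytes match the signature of the claimed extension. The `FileSignatureValidator` type, the 10 MB limit, and the heuristic used for `.txt` (which has no signature) are assumptions of this example; the signature bytes themselves are the standard ones for each format.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not the template's code.
public static class FileSignatureValidator
{
    // Signatures for the types the page lists. DOCX and XLSX are ZIP containers and share the
    // "PK\x03\x04" header; telling them apart means opening the archive, which is out of scope here.
    private static readonly Dictionary<string, byte[][]> Signatures = new(StringComparer.OrdinalIgnoreCase)
    {
        [".jpg"]  = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".jpeg"] = new[] { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".png"]  = new[] { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        [".gif"]  = new[] { "GIF87a"u8.ToArray(), "GIF89a"u8.ToArray() },
        [".pdf"]  = new[] { "%PDF-"u8.ToArray() },
        [".docx"] = new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } },
        [".xlsx"] = new[] { new byte[] { 0x50, 0x4B, 0x03, 0x04 } },
    };

    public const long MaxBytes = 10 * 1024 * 1024;   // assumed limit; the template's is configurable

    public static bool IsAllowedExtension(string ext) =>
        Signatures.ContainsKey(ext) || ext.Equals(".txt", StringComparison.OrdinalIgnoreCase);

    // TXT has no signature: reject it if the head contains bytes a text file should not.
    private static bool LooksLikeText(ReadOnlySpan<byte> head) =>
        !head.Contains((byte)0) && head.ToArray().All(b => b >= 0x20 || b is 0x09 or 0x0A or 0x0D);

    public static bool HeaderMatches(string fileName, ReadOnlySpan<byte> head)
    {
        var ext = Path.GetExtension(fileName);
        if (ext.Equals(".txt", StringComparison.OrdinalIgnoreCase)) return LooksLikeText(head);
        if (!Signatures.TryGetValue(ext, out var candidates)) return false;
        foreach (var sig in candidates)
            if (head.Length >= sig.Length && head[..sig.Length].SequenceEqual(sig)) return true;
        return false;
    }

    // Size check first (cheapest), then the extension allow-list, then the bytes.
    public static (bool Ok, string Reason) Validate(string fileName, Stream content)
    {
        if (content.Length > MaxBytes) return (false, "file exceeds size limit");
        var ext = Path.GetExtension(fileName);
        if (!IsAllowedExtension(ext)) return (false, $"extension '{ext}' not allowed");

        var head = new byte[16];
        var read = content.Read(head, 0, head.Length);
        content.Position = 0;   // leave the stream where the storage provider expects it
        return HeaderMatches(fileName, head.AsSpan(0, read))
            ? (true, "ok")
            : (false, "content does not match the declared file type");
    }
}

public static class FileSignatureDemo
{
    public static void Main()
    {
        // Constructed inputs: a genuine PNG header, the same bytes uploaded as ".pdf",
        // a plain text file, and an executable header under a disallowed extension.
        var pngHead = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13 };
        Console.WriteLine(FileSignatureValidator.Validate("logo.png", new MemoryStream(pngHead)));
        Console.WriteLine(FileSignatureValidator.Validate("report.pdf", new MemoryStream(pngHead)));
        Console.WriteLine(FileSignatureValidator.Validate("notes.txt", new MemoryStream("hello\n"u8.ToArray())));
        Console.WriteLine(FileSignatureValidator.Validate("tool.exe", new MemoryStream(new byte[] { 0x4D, 0x5A })));
    }
}
```

Pairing this check with the GUID-based physical names the page describes matters: the signature check stops a renamed payload from being stored under a trusted type, and the GUID name stops the original file name from ever reaching the filesystem.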
Architecture:
- ✅ Physical Storage: Flat structure with GUID filenames
  - Example: `documents/fac_abc/user_xyz/550e8400-e29b-41d4.pdf`
- ✅ Logical Storage: Virtual folder hierarchy in database
  - Example: `Projects/Client A/proposal.pdf`
- ✅ Provider-agnostic design (Local, Azure Blob, AWS S3 ready)
- ✅ Automatic thumbnail generation for images
- ✅ Image metadata extraction (dimensions)
Entities:
- ✅ `FileMetadata` - Main file tracking with complete metadata
- ✅ `FileFolder` - Virtual folder hierarchy (adjacency list)
- ✅ `FileShare` - File sharing permissions and access control
- ✅ `FileStorageQuota` - Storage quota management and enforcement
📚 Documentation
🚀 Getting Started
- Quick Start Guide - Get up and running in 5 minutes
- Secrets Setup - Configure development secrets
- Clean Architecture Guide - Deep dive into architecture patterns
🔐 Security Implementation Guides (⭐⭐⭐⭐⭐ Quality)
Comprehensive Implementation Guides (500+ lines each):
Token Blacklist Guide - Complete token blacklist implementation (500+ lines)
- Solves the "JWT can't be revoked" problem
- Database-backed persistent blacklist
- Automatic cleanup service
- Performance optimization strategies
- Complete testing procedures
Refresh Token Guide - Long-lived session implementation (400+ lines)
- Token generation and SHA-256 hashing
- Automatic rotation mechanism
- Token reuse detection system
- Session mode integration
- Security best practices
Account Lockout Guide - Brute force protection (850+ lines)
- Automatic lockout after failed attempts
- Admin unlock capability
- Account enumeration prevention
- Complete testing procedures
- HIPAA compliance details
Audit Logging Guide - HIPAA-compliant audit system (700+ lines)
- Separate audit database architecture
- Automatic change tracking
- Old/new value capture
- Performance & scalability analysis
- Complete testing procedures
Security Headers Guide - HTTP security headers implementation (NEW v1.3.0 ✨)
- Content Security Policy (CSP) configuration
- Clickjacking, XSS, and MIME sniffing protection
- HTTPS enforcement with HSTS
- Environment-specific configurations
- External origin validation
- Proxy configuration and header poisoning prevention
Input Sanitization Guide - XSS protection implementation (NEW v1.4.0 ✨)
- Automatic sanitization for all POST/PUT/PATCH requests
- Attribute-based control system
- Environment-specific configuration
- Testing procedures and examples
- Threat detection and audit logging
- 30+ page comprehensive guide
Supporting Documentation:
- CSRF Protection Rationale - Architectural decision (NEW v1.5.0 ✨)
- Proxy Configuration - Configurable proxy support
- External Origins Guide - Non-browser app integration (mobile, APIs)
- Security Audit - Comprehensive security assessment (100% complete)
- Security Items Checklist - Detailed implementation tracking
- Security-First Development - Building secure code from the start
- Identity Configuration Guide - Configure lockout & password policies
🗄️ Database & Infrastructure
- Audit Database Setup - Configure separate audit database
- Docker Secrets Guide - Secure Docker deployment
📝 Additional Resources
- Account Lockout Testing - Test procedures
- Account Lockout Summary - Quick reference
🏗️ Architecture
BizBox follows Clean Architecture (Onion Architecture) with clear separation of concerns:
┌──────────────────────────────────────────────────┐
│ BizBox.API (Presentation) │
│ ├─ Controllers (API Endpoints) │
│ ├─ Middleware (Authentication, rate limiting) │
│ ├─ Hubs (SignalR) │
│ └─ Configurations (DI, services setup) │
└───────────────────┬──────────────────────────────┘
│
┌───────────────────▼──────────────────────────────┐
│ BizBox.APPLICATION (Use Cases) │
│ ├─ Commands (Write operations - CQRS) │
│ ├─ Queries (Read operations - CQRS) │
│ └─ Validators (FluentValidation) │
└───────────────────┬──────────────────────────────┘
│
┌───────────────────▼──────────────────────────────┐
│ BizBox.DOMAIN (Entities) │
│ ├─ Entities (Core business objects) │
│ ├─ Value Objects │
│ └─ Domain Interfaces (Contracts) │
└───────────────────┬──────────────────────────────┘
│
┌───────────────────▼──────────────────────────────┐
│ BizBox.PERSISTENCE (Data Access) │
│ ├─ DbContext (EF Core contexts) │
│ │ ├─ ApplicationDbContext (Main data) │
│ │ └─ AuditDbContext (Audit logs) │
│ ├─ Migrations (Database versions) │
│ └─ Configurations (Entity configurations) │
└───────────────────┬──────────────────────────────┘
│
┌───────────────────▼──────────────────────────────┐
│ BizBox.SERVICES (Infrastructure) │
│ ├─ TokenBlacklistService (Token invalidation) │
│ ├─ RefreshTokenService (Long-lived sessions) │
│ ├─ EmailService (SMTP integration) │
│ ├─ EncryptionService (AES-256 crypto) │
│ ├─ CurrentUserService (User context) │
│ └─ AuditLogService (Audit logging) │
└──────────────────────────────────────────────────┘
🔐 Security
Defense-in-Depth Architecture
Layer 1: Rate Limiting (DDoS protection)
↓
Layer 2: HTTPS/TLS (Transport encryption)
↓
Layer 3: Security Headers (Browser protection) ← v1.3.0
↓
Layer 4: JWT Authentication (Identity)
↓
Layer 5: Token Blacklist (Logout validation) ← v1.2.0
↓
Layer 6: Token Versioning (Session security)
↓
Layer 7: Refresh Token Validation (Long-lived sessions) ← v1.2.0
↓
Layer 8: External Origin Validation (Mobile/API apps) ← v1.3.0
↓
Layer 9: Role Authorization (Access control)
↓
Layer 10: Ticket Validation (BOLA protection)
↓
Layer 11: Input Validation (Data integrity)
↓
Layer 12: Input Sanitization (XSS protection) ← v1.4.0
↓
Layer 13: CSRF Protection (Architecture-based) ← v1.5.0
↓
Layer 14: Audit Logging (Monitoring & compliance)
HIPAA Compliance Status
| Requirement | Status | Implementation |
|---|---|---|
| Access Control | ✅ Complete | Role-based, ticket validation, account lockout, token blacklist |
| Audit Controls | ✅ Complete | Comprehensive audit logging (separate database) |
| Person/Entity Authentication | ✅ Complete | JWT + refresh tokens + email verification + lockout + proper logout |
| Session Termination | ✅ Complete | Token blacklist, refresh token rotation, configurable timeouts |
| Transmission Security | ✅ Complete | HTTPS/TLS, encrypted JWT payloads (AES-256) |
| Integrity Controls | 🚧 Partial | Change tracking implemented, hash verification pending |
| Encryption at Rest | ❌ Pending | Database field encryption (P3 - Critical for PHI) |
Current Score: 55% HIPAA Compliant
Completed Requirements:
- ✅ §164.312(b) - Audit Controls
- ✅ §164.308(a)(5)(ii)(D) - Password Management
- ✅ §164.312(a)(2)(i) - Unique User Identification
- ✅ §164.312(d) - Person or Entity Authentication
- ✅ §164.308(a)(5)(ii)(C) - Logon Monitoring
Pending Requirements:
- 🚧 §164.312(a)(2)(iv) - Encryption and Decryption (at rest)
- 🚧 §164.312(e)(1) - Integrity Controls
📁 Project Structure
BizBox.WebApi.Template/
│
├── BizBox.API/ # 🌐 Presentation Layer
│ ├── Controllers/
│ │ ├── AuthController.cs # Authentication (login, logout, refresh)
│ │ ├── UserController.cs
│ │ └── AuditLogController.cs
│ └── Middleware/
│ ├── TokenBlacklistMiddleware.cs # Token blacklist validation (v1.2.0)
│ ├── TokenVersionValidationMiddleware.cs
│ └── TicketValidationMiddleware.cs
│
├── BizBox.APPLICATION/ # 💼 Application Layer
│ └── Auth/
│ ├── Commands/
│ │ ├── SignIn.cs
│ │ ├── RefreshToken.cs # Refresh token command (v1.2.0)
│ │ ├── Logout.cs # Logout command (v1.2.0)
│ │ └── LogoutAllDevices.cs # Logout all devices (v1.2.0)
│ └── Queries/
│ └── GetLockedAccounts.cs # Get locked accounts (v1.1)
│
├── BizBox.DOMAIN/ # 🎯 Domain Layer
│ ├── Entities/
│ │ ├── Facility/ # NEW v1.6.0 ✨
│ │ │ ├── Facility.cs # Multi-tenant facility entity
│ │ │ └── FacilityConfiguration.cs # Facility configurations
│ │ ├── FileStorage/ # NEW v1.6.0 ✨
│ │ │ ├── FileMetadata.cs # File metadata and tracking
│ │ │ ├── FileFolder.cs # Virtual folder hierarchy
│ │ │ ├── FileShare.cs # File sharing permissions
│ │ │ └── FileStorageQuota.cs # Storage quota management
│ │ ├── TokenBlacklist/
│ │ │ └── TokenBlacklist.cs # Token blacklist entity (v1.2.0)
│ │ ├── RefreshToken/
│ │ │ └── UserRefreshToken.cs # Refresh token entity (v1.2.0)
│ │ ├── Audit/
│ │ │ └── AuditLog.cs # Audit log entity (v1.1)
│ │ └── User/
│ │ └── ApplicationUser.cs
│ └── Interfaces/
│ ├── ITokenBlacklistService.cs # Token blacklist contract (v1.2.0)
│ ├── IRefreshTokenService.cs # Refresh token contract (v1.2.0)
│ └── IAuditLogRepository.cs # Audit repository contract (v1.1)
│
├── BizBox.PERSISTENCE/ # 🗄️ Persistence Layer
│ ├── Context/
│ │ ├── ApplicationDbContext.cs # Main database
│ │ └── AuditDbContext.cs # Audit database (v1.1)
│ ├── Migrations/
│ │ ├── *_TokenBlacklist.cs # Token blacklist migration (v1.2.0)
│ │ ├── *_RefreshTokens.cs # Refresh tokens migration (v1.2.0)
│ │ └── Audit/
│ │ └── *_InitialAudit.cs # Audit DB migration (v1.1)
│ └── Configurations/
│ ├── TokenBlacklistConfiguration.cs
│ ├── RefreshTokenConfiguration.cs
│ └── AuditLogConfiguration.cs
│
└── BizBox.SERVICES/ # ⚙️ Infrastructure Layer
├── TokenBlacklistService/ # (v1.2.0)
│ ├── DatabaseTokenBlacklistService.cs
│ └── TokenBlacklistCleanupService.cs
├── RefreshTokenService/ # (v1.2.0)
│ └── RefreshTokenService.cs
└── AuditLogService/ # (v1.1)
└── AuditLogService.cs
🛠️ Development
Running Locally
```bash
# Development mode with watch
dotnet watch --project BizBox.API

# Run without watch
dotnet run --project BizBox.API
```
Database Migrations
```bash
# Main Database
dotnet ef migrations add MigrationName \
  --project BizBox.PERSISTENCE \
  --startup-project BizBox.API \
  --context ApplicationDbContext

# Audit Database
dotnet ef migrations add MigrationName \
  --project BizBox.PERSISTENCE \
  --startup-project BizBox.API \
  --context AuditDbContext \
  --output-dir Migrations/Audit

# Apply Migrations
dotnet ef database update --context ApplicationDbContext
dotnet ef database update --context AuditDbContext
```
📊 Version History
🎉 Version 1.6.0 (Current - February 12, 2026)
🚀 Major Features:
1. Facility Management System ✨
- ✅ Multi-tenant facility architecture
- Complete isolation between facilities
- Users can belong to multiple facilities
- Data scoped by FacilityId for BOLA/IDOR protection
- ✅ Comprehensive facility information
- Name, code, description
- Full address details (street, city, state, postal, country)
- Contact information (phone, email, website)
- Facility type categorization
- Logo/branding support
- ✅ Facility management features
- Active/inactive status management
- Primary facility designation
- Soft delete with audit trail
- Facility-specific configurations
- User-facility relationships
- ✅ Clean Architecture implementation
- Domain entities with navigation properties
- Computed properties (FullAddress, DisplayName)
- Entity Framework configuration
2. File Storage System ✨
- ✅ Enterprise-grade file storage architecture
- GUID-based physical storage (security by obscurity)
- Virtual folder hierarchy (user-friendly organization)
- Provider-agnostic design (Local/Azure/AWS ready)
- ✅ Comprehensive file support
- Images: JPG, JPEG, PNG, GIF (with automatic thumbnails)
- Documents: PDF, DOCX, XLSX
- Text files: TXT
- Content type validation (magic bytes)
- File size limit enforcement
- ✅ Advanced features
- MD5 content hashing for integrity verification
- Duplicate detection capability
- Soft delete with 30-day trash retention
- Access tracking and analytics (last accessed, access count)
- Thumbnail generation for images (configurable dimensions)
- Image metadata extraction (width, height)
- ✅ File organization
- Virtual folder hierarchy (adjacency list pattern)
- Path caching for performance
- Depth limiting for security
- Circular reference prevention
- ✅ Sharing and collaboration
- File sharing with permission control
- User and group sharing support
- Access level management (view, edit, admin)
- ✅ Storage management
- Facility-level storage quotas
- User-level storage quotas
- Usage tracking and reporting
- Quota enforcement
- ✅ Security features
- Facility-scoped storage (BOLA/IDOR protection)
- User ownership enforcement
- Content type validation
- Virus scanning support (future integration)
- Secure file path generation
Database Changes:
- New `Facilities` table
- New `FacilityConfigurations` table
- New `FileMetadata` table
- New `FileFolders` table
- New `FileShares` table
- New `FileStorageQuotas` table
- Migrations included
Entities Implemented:
- `Facility` - Multi-tenant facility management
- `FacilityConfiguration` - Facility-specific settings
- `FileMetadata` - Complete file tracking with metadata
- `FileFolder` - Virtual folder hierarchy
- `FileShare` - File sharing permissions
- `FileStorageQuota` - Storage quota management
📦 Version 1.5.0 (February 10, 2026)
🚀 Security Completion Milestone:
CSRF Protection (Architecture-Based) ✨
- ✅ JWT + localStorage provides inherent CSRF protection
- ✅ No traditional anti-forgery tokens needed
- ✅ Documented architectural decision
- ✅ Comprehensive rationale documentation
Documentation Added:
- ✅ `docu/WHY_NO_CSRF_PROTECTION.md` - Complete architectural decision document
- ✅ Updated `SECURITY_AUDIT.md` - Now showing 100% completion
- ✅ Updated `SECURITY_ITEMS_CHECKLIST.md` - All 19 items marked complete
Security & Compliance:
- ✅ Security Score: 94% → 100% (+6%) 🎉
- ✅ HIPAA Compliance: 55% (on track)
- ✅ Items Complete: 18/19 → 19/19 (100% COMPLETE!) 🎉
- ✅ Risk Level: Very Low
- ✅ All Security Items: COMPLETE!
📦 Version 1.4.0 (February 2026)
🚀 Major Features:
1. Input Sanitization System Documentation ✨
- ✅ Comprehensive 30+ page implementation guide
- ✅ Automatic XSS protection for ALL POST/PUT/PATCH requests
- ✅ HtmlSanitizer library integration (v8.1.870)
- ✅ Attribute-based control system
  - `[SanitizePlainText]` - Strip ALL HTML
  - `[SanitizeRichText]` - Allow safe HTML
  - `[SanitizeNested]` - Recursive sanitization
  - `[SanitizeArray]` - Collection sanitization
  - `[SkipSanitization]` - Opt-out mechanism
- ✅ Two operation modes: Silent (auto-fix) vs Reject (strict)
- ✅ Threat detection with 5 levels (None, Low, Medium, High, Critical)
- ✅ Environment-specific configuration
- Development: Strict mode (forces explicit attributes)
- Production: Safe default (automatic protection)
- ✅ Full audit logging integration
- ✅ Nested objects, arrays, and dictionaries support
Configuration Added:
- `appsettings.Development.json` - Strict mode configuration
- `appsettings.Production.json` - Safe default configuration
Documentation Added:
- ✅ `docu/INPUT_SANITIZATION_GUIDE.md` - Comprehensive 30+ page guide
  - Architecture and flow diagrams
  - 6 detailed usage examples
  - Configuration guide
  - Testing procedures
  - Best practices
  - Troubleshooting guide
  - HIPAA compliance section
Security & Compliance:
- ✅ Security Score: 89% → 94% (+5%)
- ✅ HIPAA Compliance: 50% → 55% (+5%)
- ✅ Items Complete: 17/19 → 18/19 security items
- ✅ Risk Level: Low
- ✅ XSS Protection: Comprehensive
📦 Version 1.3.0 (January 2026)
🚀 Major Features:
1. Security Headers System ✨
- ✅ Content Security Policy (CSP) with report-only mode
- ✅ X-Frame-Options (clickjacking protection)
- ✅ X-Content-Type-Options (MIME sniffing prevention)
- ✅ Referrer-Policy (privacy protection for PHI)
- ✅ Permissions-Policy (feature control)
- ✅ X-XSS-Protection (legacy browser support)
- ✅ Server header removal (information disclosure prevention)
- ✅ Kestrel configuration for header removal
- ✅ Environment-specific configurations (Dev/Prod/OnPremise/Docker)
- ✅ Configurable via appsettings.json
2. External Origin Validation ✨
- ✅ Non-browser application support (mobile apps, partner APIs, microservices)
- ✅ Header-based validation (X-External-Origin, X-API-Client)
- ✅ Automatic mobile app detection
- ✅ Wildcard pattern support
- ✅ Audit logging for all external requests
- ✅ 403 Forbidden for invalid origins
- ✅ HttpContext integration for downstream use
3. Proxy Configuration & Security ✨
- ✅ Configurable proxy support (no hardcoded IPs!)
- ✅ Header poisoning protection
- ✅ Known proxy IP/network validation
- ✅ Forward limit (chain attack prevention)
- ✅ Localhost trust configuration
- ✅ Docker network trust
- ✅ X-Forwarded-Host disabled by default (security)
- ✅ IIS, Nginx, Docker deployment support
4. SSL Certificate Generation
- ✅ Multi-server certificate generator (`.bat` and `.ps1`)
- ✅ Self-signed certificates with SAN support
- ✅ One certificate for multiple servers
- ✅ 5-year validity period
- ✅ Perfect for on-premise deployments
Code Quality Improvements:
- ✅ Refactored Program.cs (150+ lines → 50 lines!)
- ✅ Clean configuration classes
- ✅ Separated concerns (SecurityHeadersConfiguration.cs)
- ✅ Environment-specific configuration files
New Configuration Files:
- `appsettings.Docker.json` - Docker-specific settings
- `appsettings.OnPremise.json` - On-premise deployment
- `SecurityHeadersOptions.cs` - Type-safe configuration
- `ProxyOptions.cs` - Configurable proxy settings
New Middleware:
- `SecurityHeadersMiddleware.cs` - HTTP security headers
- `ExternalOriginValidationMiddleware.cs` - Non-browser app validation
- `SecurityHeadersConfiguration.cs` - Clean configuration helper
Documentation Added:
- ✅ `SECURITY_HEADERS_GUIDE.md` - Comprehensive security headers guide
- ✅ `PROXY_CONFIGURATION.md` - Proxy setup and configuration
- ✅ `EXTERNAL_ORIGINS_GUIDE.md` - Mobile/API integration guide
- ✅ `TESTING_CHECKLIST.md` - Complete testing procedures
- ✅ Updated `.gitignore` - Certificate exclusion
Security & Compliance:
- ✅ Security Score: 82% → 89% (+7%)
- ✅ HIPAA Compliance: 50% (no change, transport security already complete)
- ✅ Items Complete: 16/19 → 17/19 security items
- ✅ Risk Level: Low
- ✅ Browser Protection: Comprehensive
- ✅ API Security: Enhanced for mobile/external integrations
📦 Version 1.2.0 (January 2026)
🚀 Major Features:
1. Token Blacklist System ✨
- ✅ Immediate token invalidation on logout
- ✅ "Logout all devices" with bulk token blacklisting
- ✅ Database-backed blacklist (PostgreSQL)
- ✅ Token blacklist middleware (validates on every request)
- ✅ Background cleanup service (removes expired tokens hourly)
- ✅ Configurable cleanup interval and batch size
- ✅ Works across load-balanced servers
- ✅ Solves the "JWT tokens can't be revoked" problem! 🎉
2. Refresh Token Implementation ✨
- ✅ Long-lived sessions (30 days) with short-lived JWTs (60 min)
- ✅ Automatic token rotation on every use (security best practice)
- ✅ SHA-256 hashing for secure database storage
- ✅ Token reuse detection for security breach identification
- ✅ Token version validation prevents concurrent session attacks
- ✅ Session mode support (Single/Multiple/Limited)
- ✅ IP address and User-Agent tracking
- ✅ Comprehensive revocation mechanisms
New Endpoints:
- `POST /api/auth/logout` - Logout from current device (blacklists token)
- `POST /api/auth/logout-all-devices` - Logout from all devices (bulk blacklist)
- `POST /api/auth/refresh-token` - Refresh access token with rotation
Database Changes:
- New `TokenBlacklist` table with performance indexes
- New `UserRefreshTokens` table with SHA-256 hashed tokens
- Automatic migrations included
- Configurable via `appsettings.json`
Documentation Added:
- ✅ `TOKEN_BLACKLIST_GUIDE.md` - Complete implementation guide (500+ lines)
- ✅ `REFRESH_TOKEN_GUIDE.md` - Comprehensive refresh token guide (400+ lines)
- ✅ Updated `AUDIT_LOGGING_GUIDE.md` - Enhanced to 700+ lines
- ✅ Updated `ACCOUNT_LOCKOUT_DOCUMENTATION.md` - Enhanced to 850+ lines
- ✅ Updated `CHANGELOG.md` with v1.2.0 entry
- ✅ Updated `SECURITY_AUDIT.md` and `SECURITY_ITEMS_CHECKLIST.md`
Security & Compliance:
- ✅ Security Score: 78% → 82% (+4%)
- ✅ HIPAA Compliance: 45% → 50% (+5%)
- ✅ Items Complete: 15/19 → 16/19 security items
- ✅ Risk Level: Low-Medium → Low
📦 Version 1.1.0 (November 2025 - January 2026)
Major Features:
- ✅ Comprehensive Audit Logging System
- ✅ Account Lockout System (TESTED ✓)
- ✅ Configurable Identity Settings
- ✅ 12-Factor App Methodology (12/12 complete)
Security:
- Security Score: 60% → 78% (+18%)
- HIPAA Compliance: 30% → 45% (+15%)
- Items Complete: 13/19 → 15/19
📦 Version 1.0.0 (December 2024)
Initial Release:
- JWT authentication & authorization
- Rate limiting
- SignalR real-time messaging
- Session management
- Clean architecture foundation
- Published to NuGet
🗺️ Roadmap
✅ Version 1.5.0 (Current - February 10, 2026) - COMPLETE! 🎉
Security Completion Milestone:
- CSRF Protection (Architecture-Based)
- JWT + localStorage provides inherent protection
- No traditional anti-forgery tokens needed
- Documented architectural decision
- See WHY_NO_CSRF_PROTECTION.md
Achieved Metrics:
- Security Score: 94% → 100% 🎉 ALL 19 ITEMS COMPLETE!
- HIPAA Compliance: 55% (on track)
- Items Complete: 18/19 → 19/19 (COMPLETE!) 🎉
📋 Version 2.0 (Q2-Q3 2026)
Planned Features:
- Two-Factor Authentication (2FA) (1-2 weeks)
- TOTP-based implementation
- QR code generation
- Backup codes
- Encryption at Rest (field-level)
- Database field-level encryption
- AES-256 encryption for PHI
- Secure key management
- Full HIPAA compliance (95%+)
- OAuth/OIDC integration
- Advanced monitoring dashboard
- SOC 2 compliance ready
🤝 Support & Contributing
Getting Help
- 📖 Documentation: docu/ folder - 3,000+ lines of comprehensive guides
- 🐛 Bug Reports: GitHub Issues
- 💬 Discussions: GitHub Discussions
Contributing
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Follow our coding standards
- Write/update tests
- Update documentation
- Submit a pull request
📄 License
This project is licensed under the MIT License.
<div align="center">
Made with ❤️ and 🔐 by the BizBox Team
⭐ Star us on GitHub if this template helps your project!
🛡️ Security First. HIPAA Ready. Production Proven.
v1.6.0 - Enterprise Features + 100% Security Complete! 🎉
📚 Documentation Excellence
6 Comprehensive Implementation Guides (⭐⭐⭐⭐⭐)
- CSRF Protection Rationale (NEW!)
- Security Headers (Comprehensive)
- Input Sanitization (30+ pages)
- Token Blacklist (500+ lines)
- Refresh Tokens (400+ lines)
- Account Lockout (850+ lines)
- Audit Logging (700+ lines)
Total: 3,000+ lines of professional documentation!
100% Security Complete | 55% HIPAA Compliant | Production Ready ✅
</div>
This package has no dependencies.
Used by NuGet packages: this package is not used by any NuGet packages.
Used by GitHub repositories: this package is not used by any popular GitHub repositories.
Version 1.6.0 - Enterprise Features Release (Facility Management + File Storage) 🎉
🚀 MAJOR FEATURES ADDED:
• Facility Management System
- Multi-tenant facility architecture (hospitals, warehouses, offices)
- Complete facility isolation with BOLA/IDOR protection
- Users can belong to multiple facilities
- Comprehensive facility information (address, contact, type, logo)
- Active/inactive status, primary designation, soft delete
- Facility-specific configurations
• File Storage System
- Enterprise-grade file storage with GUID-based physical storage
- Virtual folder hierarchy for user-friendly organization
- Multiple file types: Images (JPG, PNG, GIF), Documents (PDF, DOCX, XLSX), Text
- Automatic thumbnail generation for images
- MD5 content hashing for integrity verification
- Duplicate detection capability
- Soft delete with 30-day trash retention
- Access tracking and analytics
- File sharing with granular permissions
- Storage quota management (facility and user level)
- Facility-scoped storage (BOLA/IDOR protection)
- Content type validation and size enforcement
- Provider-agnostic design (Local/Azure Blob/AWS S3 ready)
📦 DATABASE CHANGES:
• New Facilities table
• New FacilityConfigurations table
• New FileMetadata table
• New FileFolders table
• New FileShares table
• New FileStorageQuotas table
✅ ENTITIES IMPLEMENTED:
• Facility - Multi-tenant facility management
• FacilityConfiguration - Facility-specific settings
• FileMetadata - Complete file tracking with metadata
• FileFolder - Virtual folder hierarchy
• FileShare - File sharing permissions
• FileStorageQuota - Storage quota management
🔒 SECURITY MAINTAINED:
• 100% Security Completion maintained from v1.5.0
• Facility-scoped data isolation (BOLA/IDOR protection)
• User ownership enforcement for files
• Content type validation for uploads
• Secure file path generation
---
Version 1.5.0 - Security Completion Milestone (100% Security Complete!) 🎉
🎉 SECURITY MILESTONE ACHIEVED:
• ALL 19 SECURITY ITEMS COMPLETE! (19/19 - 100%) 🎉
• CSRF Protection (Architecture-Based) - February 10, 2026
  - JWT + localStorage provides inherent CSRF protection: the token is sent only in an explicit Authorization header set by application code, never auto-attached by the browser the way a cookie is
- No traditional anti-forgery tokens needed
- Documented architectural decision
- See WHY_NO_CSRF_PROTECTION.md
✅ VERSION 1.4.0 FEATURES (February 2026):
• Input Sanitization System
- Automatic XSS protection for all POST/PUT/PATCH requests
- HtmlSanitizer library integration (v8.1.870)
- Attribute-based control system ([SanitizePlainText], [SanitizeRichText])
- Two operation modes: Silent (auto-fix) vs Reject (strict)
- Threat detection with 5 levels (None to Critical)
- Environment-specific configuration (Dev strict, Prod safe)
- Full audit logging integration
- Comprehensive 30+ page implementation guide
✅ VERSION 1.3.0 FEATURES (January 2026):
• Security Headers System
- Content Security Policy (CSP) with report-only mode
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing prevention)
- Referrer-Policy (privacy protection)
- Permissions-Policy and X-XSS-Protection
- Server header removal
- Environment-specific configurations
• External Origin Validation
- Non-browser app support (mobile, APIs, microservices)
- Header-based validation (X-External-Origin, X-API-Client)
- Wildcard pattern support with audit logging
• Proxy Configuration & Security
- Configurable proxy support (no hardcoded IPs)
- Header poisoning protection
- Known proxy IP/network validation
- IIS, Nginx, Docker deployment support
✅ VERSION 1.2.0 FEATURES:
• Token Blacklist - Proper logout functionality
- Immediate token invalidation on logout
- "Logout all devices" functionality
- Database-backed with automatic cleanup
- Background cleanup service (hourly)
✅ VERSION 1.1.0 FEATURES:
• Comprehensive Audit Logging (separate PostgreSQL database)
• Account Lockout System (5 failed attempts, 15-min lockout)
• Configurable Identity Settings
• 12-Factor App Methodology (12/12 complete)
📈 COMPREHENSIVE SECURITY FEATURES (19/19 COMPLETE):
1. ✅ JWT Authentication (HS256/RS256, encrypted payloads AES-256)
2. ✅ Token Blacklist (proper logout, automatic cleanup)
3. ✅ Refresh Token System (30-day sessions, automatic rotation)
4. ✅ Account Lockout (brute force protection)
5. ✅ Comprehensive Audit Logging (separate database, HIPAA-compliant)
6. ✅ Token Versioning (concurrent session detection)
7. ✅ Encrypted Ticket System (BOLA/IDOR protection)
8. ✅ Rate Limiting (AspNetCoreRateLimit, IP-based limits)
9. ✅ Secrets Management (User Secrets, Environment Variables, Key Vault)
10. ✅ Session Management (Single/Multiple/Limited modes)
11. ✅ Role-based Authorization (Admin, SuperAdmin, Finance)
12. ✅ HTTPS/TLS Enforcement (HSTS headers)
13. ✅ CORS Configuration (secure defaults)
14. ✅ Password Security (PBKDF2 with salt)
15. ✅ Email Confirmation & Invitations
16. ✅ SignalR Authentication (JWT-based WebSocket)
17. ✅ Security Headers (CSP, X-Frame-Options, etc.)
18. ✅ Input Sanitization (XSS protection)
19. ✅ CSRF Protection (Architecture-Based)
📊 METRICS:
• Security Score: 100% COMPLETE (19/19 items) 🎉
• HIPAA Compliance: 55% Complete
• Production Ready: ✅ Yes
• HIPAA PHI Ready: 🚧 Pending (encryption at rest)
• Documentation: 3,000+ lines of professional guides
🏗️ ARCHITECTURE:
• Clean Architecture (5 layers: API, Application, Domain, Persistence, Services)
• CQRS pattern with MediatR
• Repository pattern with EF Core
• PostgreSQL databases (main + audit)
• Background services for cleanup tasks
• Defense-in-depth security (12 layers)
📚 COMPREHENSIVE DOCUMENTATION (3,000+ lines):
• Input Sanitization Guide (30+ pages)
• Security Headers Guide
• Token Blacklist Guide (500+ lines)
• Refresh Token Guide (400+ lines)
• Account Lockout Documentation (850+ lines)
• Audit Logging Guide (700+ lines)
• CSRF Architecture Decision
• External Origins Guide
• Proxy Configuration Guide
• Quick Start Guide
• Clean Architecture Guide
• And 20+ more guides
🚧 ROADMAP v2.0 (Q2-Q3 2026):
• Two-Factor Authentication (2FA)
• Encryption at Rest (field-level)
• Full HIPAA compliance (95%+)
• OAuth/OIDC integration
• SOC 2 compliance ready
📦 WHAT'S INCLUDED:
• Complete source code with all migrations
• All security systems implemented
• Input sanitization with XSS protection
• Security headers middleware
• External origin validation
• Token blacklist implementation
• Refresh token system
• Audit logging system
• Account lockout system
• Generate-Secrets scripts (.bat & .ps1)
• Generate-Multi-Server-Certificate scripts
• 3,000+ lines of documentation
• Environment-specific configurations
• Test controllers for debugging
• Sample implementations
• HIPAA-ready features
🎯 PERFECT FOR:
• Healthcare applications (HIPAA-ready)
• Financial systems
• Enterprise SaaS applications
• High-security web APIs
• Multi-tenant systems
• Real-time applications with SignalR
• Applications requiring comprehensive audit trails