Brock Allen’s ASP.NET security: the tl:dr;

tl:dr;

– If it’s on an HTTP address, consider it public info — usernames, passwords, HTML, and JSON results are all interceptable.
– Unless you’ve secured it, your database usernames, passwords, and data are ALSO being sent in plain text.


Dominick Baier’s ‘Securing WebAPI’ presentation and sample code

Dominick Baier, who gave a great presentation on the security pipeline in WebAPI, has published his slides here and his source code here. Not going to say much else, but this is going to be a great help for us in getting our API secured.