Will these actions better secure my web app

Çağlar Arlı      -    21 Views

I'm trying to figure out what else I should (not) do to reduce the possibility of my web app getting hacked. And like most development efforts, while it would be great to have a security expert on the team, we don't have it.

My app is written in Blazor server side using Entity Framework. It uses the ASP.NET Core Identity library for authentication & authorization. And I'm about to enable 2FA in the identity library and require it for admin users.

It then uses the identity library claims to determine what pages a user can view. And on those pages, what data they can see and what actions they can take. The app has no API, it's just razor pages.

This app has virtually no confidential data. It manages volunteer opportunities for political campaigns. So most of the data is very public. And the remaining data is available to all admins, and there are a lot, so not terribly private. What is at risk is bad actors creating false events, updating or deleting good events, etc. And as a political website, it could well be attacked by Russia, China, Iran, etc.

So a couple of specific questions on this framework:

  1. Is there any security value in saving what user from what IP address made every change to the database (using SQL Server Temporal Tables)? My thought is that this is of marginal use.
  2. Is there value in watching failed logins, disabling a user after N failures in 24 hours and disabling a remote IP address after N failures across all users in 24 hours?
  3. How valuable is it to require a new 2FA login when the user's remote IP address changes?
  4. What else should I watch for/do?
  5. If I have been hacked, or think I have, what data will the people figuring it out hope I have saved?

I say this based on a previous response I got to a question here. Yes it would be good if we had the time & resources to implement amazing security. Unfortunately, we don't and wishing won't change that.
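For questions 2 and 5, the per-user lockout and the failed-login record can come from what ASP.NET Core Identity already ships, as in this added example (not code from the original post). It assumes the default Identity scaffold names (`ApplicationUser`, `ApplicationDbContext`, the `Login`, `LoginWith2fa` and `Lockout` pages) and a connection string named `DefaultConnection`.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<ApplicationDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddDefaultIdentity<ApplicationUser>(options =>
{
    // Per-user lockout is built in: N failed passwords lock the account for the window.
    // Counting failures per source IP across all users is NOT built in; do that in
    // rate-limiting middleware or at the reverse proxy.
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromHours(24);
}).AddEntityFrameworkStores<ApplicationDbContext>();
builder.Services.AddRazorPages();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Login page handler: every attempt is logged with the caller's address so the
// failed/locked-out record exists before an incident, not after.
public class LoginModel : PageModel
{
    private readonly SignInManager<ApplicationUser> _signIn;
    private readonly ILogger<LoginModel> _log;
    public LoginModel(SignInManager<ApplicationUser> signIn, ILogger<LoginModel> log)
    { _signIn = signIn; _log = log; }
    [BindProperty] public string Email { get; set; } = "";
    [BindProperty] public string Password { get; set; } = "";

    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
    {
        var ip = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        // lockoutOnFailure: true is what makes Identity count the failure.
        var result = await _signIn.PasswordSignInAsync(Email, Password,
            isPersistent: false, lockoutOnFailure: true);
        if (result.Succeeded) { _log.LogInformation("login ok user={User} ip={Ip}", Email, ip); return LocalRedirect(returnUrl ?? "/"); }
        if (result.RequiresTwoFactor) return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl });
        if (result.IsLockedOut) { _log.LogWarning("login locked out user={User} ip={Ip}", Email, ip); return RedirectToPage("./Lockout"); }
        _log.LogWarning("login failed user={User} ip={Ip}", Email, ip);
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return Page();
    }
}
```

Behind a load balancer or reverse proxy, `RemoteIpAddress` is the proxy's address unless the forwarded-headers middleware is configured, so check that before trusting the logged IP.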