
JKL Health - Secure Appointment System

A secure and scalable web application for managing medical appointments, built with ASP.NET Core and layered with controls for authentication, authorization, data access and transport security.

Project Overview

This project is a healthcare appointment management system designed with a security-first mindset. It serves patients, doctors and administrators through an interface that is straightforward to use while applying defense in depth to protect sensitive patient data.

  • Multi-user system (patients, doctors, administrators) with role-based access control
  • Appointment scheduling and management
  • Controls mapped to the OWASP Top 10 risk categories

Technology Stack

Backend:

ASP.NET Core, C#, Entity Framework Core

Frontend:

HTML5, CSS3, JavaScript, Bootstrap

Database:

Microsoft SQL Server, Entity Framework Core

Architecture:

MVC pattern, Repository pattern

Development Methodology

The project followed an Agile development approach, breaking down complex requirements into manageable user stories and iterative development cycles.

Agile Methodology

Iterative development with continuous improvement and flexibility

User Stories

Feature-focused development: "As a patient, I can register for an account"

Security-First Design

Security requirements integrated into each development sprint

Version Control

Git-based workflow with feature branches and code reviews

Security Architecture: A Defense-in-Depth Approach

From the ground up, this application was built to be resilient against common web vulnerabilities. Here's a breakdown of the key security controls implemented:

1. Secure User Authentication & Credential Storage

Authentication is delegated to ASP.NET Core Identity rather than hand-rolled. Its default PasswordHasher stores passwords as PBKDF2-HMAC-SHA256 hashes with a random 128-bit salt generated per user and a configurable iteration count (PasswordHasherOptions.IterationCount), so two users with the same password get different stored values and a dumped database yields no reusable credentials. Note that CreateAsync does not throw on failure: password-policy violations and duplicate accounts are reported in the returned IdentityResult, which the caller must check.

var result = await _userManager.CreateAsync(user, model.Password); // hashed and salted by Identity; check result.Succeeded before continuing
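As an added example (this is not the project's own controller; RegisterViewModel, LoginViewModel, ApplicationUser and Roles.Patient are assumed names standing in for the project's), a registration and login pair that checks the IdentityResult instead of discarding it, assigns only the least-privileged role on self-registration, and turns on lockout counting so that a wrong password is actually recorded:

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed shapes (not the project's types): a user with the Identity defaults,
// view models bound from the register/login forms, and a role-name constant.
public class ApplicationUser : IdentityUser { }
public class RegisterViewModel { public string Email { get; set; } = ""; public string Password { get; set; } = ""; }
public class LoginViewModel { public string Email { get; set; } = ""; public string Password { get; set; } = ""; }
public static class Roles { public const string Patient = "Patient"; }

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(UserManager<ApplicationUser> userManager,
                             SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };

        // Identity hashes the password (PBKDF2-HMAC-SHA256, random per-user salt) before
        // storing it. CreateAsync does not throw: policy violations and duplicate
        // accounts come back in the IdentityResult and must be surfaced, not ignored.
        IdentityResult result = await _userManager.CreateAsync(user, model.Password);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return View(model);
        }

        // Self-registration only ever produces the least-privileged role. The assumption
        // here is that doctor and admin accounts are created by an administrator and
        // that the "Patient" role was seeded at startup.
        await _userManager.AddToRoleAsync(user, Roles.Patient);
        await _signInManager.SignInAsync(user, isPersistent: false);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // lockoutOnFailure: true makes each bad password count toward
        // Lockout.MaxFailedAccessAttempts (set in the AddIdentity options). The
        // parameter defaults to false, which leaves accounts open to unlimited guessing.
        var result = await _signInManager.PasswordSignInAsync(
            model.Email, model.Password, isPersistent: false, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.IsLockedOut) return View("LockedOut");

        // One generic message for "no such user" and "wrong password": the response
        // must not reveal which e-mail addresses have accounts.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View(model);
    }
}
```

Identity's lockout defaults (5 failed attempts, 5-minute lockout, enabled for new users) are only applied when the sign-in call passes lockoutOnFailure: true; with the default false the counter is never incremented.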

2. Granular Role-Based Access Control (RBAC)

Authorization follows the principle of least privilege: each role (patient, doctor, administrator) can reach only the controllers and actions its job requires. Checks are enforced server-side with [Authorize] attributes at controller level, so a role restriction covers every action in the controller unless an action explicitly opts out with [AllowAnonymous]. A role check answers "may this kind of user call this endpoint"; whether an individual appointment belongs to the calling user is a separate check that belongs in the action or service.

[Authorize(Roles = Roles.Admin)] public class DoctorController : Controller { ... } // Roles.Admin is a const string: attribute arguments must be compile-time constants
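An added example, not the project's code, of the layers the RBAC needs to work together: the controller-level [Authorize] role gate, a deny-by-default fallback policy so that a controller nobody annotated is still not anonymous, and an ownership check inside a patient-facing action. Roles, Appointment and ApplicationDbContext are assumed stand-ins for the project's own types.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Attribute arguments must be compile-time constants, so role names live in a
// static class of const strings (assumed shape of the project's Helper.Roles).
public static class Roles
{
    public const string Admin = "Admin";
    public const string Doctor = "Doctor";
    public const string Patient = "Patient";
}

// Minimal stand-ins for the project's entity and DbContext.
public class Appointment
{
    public int Id { get; set; }
    public string PatientId { get; set; } = "";   // Identity user id of the owner
    public string DoctorId { get; set; } = "";
    public DateTime StartsAt { get; set; }
}
public class ApplicationDbContext : DbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
    public DbSet<Appointment> Appointments => Set<Appointment>();
}

public static class AuthorizationSetup
{
    // Call from Program.cs: AuthorizationSetup.Configure(builder.Services);
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Deny by default: any endpoint without [Authorize]/[AllowAnonymous]
            // still requires a signed-in user.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            // Named policy for the "either role" case: [Authorize(Policy = "ClinicalStaff")].
            options.AddPolicy("ClinicalStaff", p => p.RequireRole(Roles.Doctor, Roles.Admin));
        });
    }
}

// Controller-level gate: every action here needs the Admin role. An action can
// only widen this with an explicit [AllowAnonymous]; nothing is open by accident.
[Authorize(Roles = Roles.Admin)]
public class DoctorController : Controller
{
    public IActionResult Index() => View();
}

[Authorize(Roles = Roles.Patient)]
public class AppointmentController : Controller
{
    private readonly ApplicationDbContext _db;
    public AppointmentController(ApplicationDbContext db) => _db = db;

    // The role check says "patients may view appointments"; the query says "this
    // patient's". Filtering by the caller's own id closes the id-guessing hole that
    // a role check alone leaves open.
    public async Task<IActionResult> Details(int id)
    {
        var callerId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        var appointment = await _db.Appointments
            .AsNoTracking()
            .FirstOrDefaultAsync(a => a.Id == id && a.PatientId == callerId);

        // Same 404 for "does not exist" and "belongs to someone else", so the
        // response does not confirm which ids are valid.
        if (appointment == null) return NotFound();
        return View(appointment);
    }
}
```

The fallback policy applies to endpoints with no authorization metadata at all; endpoints that carry [AllowAnonymous] keep working, so public pages such as the login form need that attribute explicitly.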

3. Preventing Injection Attacks

SQL injection is addressed by routing every database operation through Entity Framework Core LINQ queries. EF Core translates a LINQ expression into SQL in which user-supplied values travel as parameters (@__name_0 and so on) rather than being spliced into the query text, so the database never parses attacker input as SQL. That guarantee holds for LINQ and for the interpolated raw-SQL APIs (FromSqlInterpolated, ExecuteSqlInterpolated); FromSqlRaw with a concatenated or string-interpolated query would reintroduce the problem, which is why the application stays on LINQ throughout.

var doctors = (from user in _db.Users
               join userRole in _db.UserRoles on user.Id equals userRole.UserId
               join role in _db.Roles on userRole.RoleId equals role.Id   // join needed so role.Name is in scope
               where role.Name == Helper.Roles.Doctor                      // sent as a parameter, never concatenated into SQL
               select new DoctorViewModel { ... }).ToList();
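The difference between parameterized and concatenated SQL in EF Core, as an added example that is not the project's code (Appointment and ApplicationDbContext are assumed stand-ins). The first and fourth queries send the name as a parameter; the second and, less obviously, the third splice it into the SQL text.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Minimal stand-ins for the project's entity and DbContext.
public class Appointment
{
    public int Id { get; set; }
    public string PatientName { get; set; } = "";
}
public class ApplicationDbContext : DbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
    public DbSet<Appointment> Appointments => Set<Appointment>();
}

public static class AppointmentQueries
{
    // SAFE: LINQ. EF Core emits
    //   SELECT ... FROM [Appointments] AS [a] WHERE [a].[PatientName] = @__name_0
    // and ships the value separately as @__name_0, so "' OR 1=1 --" is just a name.
    public static Task<List<Appointment>> ByName(ApplicationDbContext db, string name) =>
        db.Appointments.Where(a => a.PatientName == name).ToListAsync();

    // INJECTABLE: the input becomes SQL text. name = "x' OR 1=1 --" returns every row,
    // and because SQL Server accepts batched statements a ";" lets the attacker run
    // further statements of their choosing.
    public static Task<List<Appointment>> ByName_RawConcat_DoNotUse(ApplicationDbContext db, string name) =>
        db.Appointments
          .FromSqlRaw("SELECT * FROM Appointments WHERE PatientName = '" + name + "'")
          .ToListAsync();

    // INJECTABLE, and the one that looks safe: a $"..." string passed to FromSqlRaw is
    // an ordinary string by the time the method sees it, so interpolation has already
    // happened and no parameter is ever created.
    public static Task<List<Appointment>> ByName_RawInterpolatedString_DoNotUse(ApplicationDbContext db, string name) =>
        db.Appointments
          .FromSqlRaw($"SELECT * FROM Appointments WHERE PatientName = '{name}'")
          .ToListAsync();

    // SAFE raw SQL: FromSqlInterpolated takes a FormattableString and turns every
    // {hole} into a DbParameter (@p0), so the SQL text never contains the input.
    // Note there are no quotes around {name}; the parameter carries its own type.
    public static Task<List<Appointment>> ByName_RawParameterized(ApplicationDbContext db, string name) =>
        db.Appointments
          .FromSqlInterpolated($"SELECT * FROM Appointments WHERE PatientName = {name}")
          .ToListAsync();
}
```

A quick way to confirm what a LINQ query sends is query.ToQueryString() (EF Core 5 and later), which shows the parameter placeholder in the generated SQL rather than the value.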

4. OWASP Top 10 Compliance

Controls are mapped to the OWASP Top 10 categories: HTTPS redirection and HSTS for data in transit, anti-forgery tokens on state-changing forms against CSRF, ASP.NET Core Identity for authentication, server-side role checks for access control, parameterized queries against injection, and Identity's cookie-based session management. Since the OWASP Top 10 is a list of risk categories rather than a certifiable standard, compliance here means that each category maps to at least one concrete control.

app.UseHttpsRedirection(); // redirect any plain-HTTP request to its HTTPS equivalent
app.UseHsts();             // add Strict-Transport-Security so browsers refuse plain HTTP for this host afterwards (header is only sent on HTTPS responses)
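An added example of the full hardening pipeline that those two lines belong to. This is not the project's Program.cs; ApplicationUser and ApplicationDbContext are stand-ins for the project's Identity user and EF context, and the connection-string name and paths are assumed.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<ApplicationDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 12;          // length matters more than character-class rules
    options.User.RequireUniqueEmail = true;
    options.Lockout.MaxFailedAccessAttempts = 5;   // counted only when sign-in passes lockoutOnFailure: true
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();

builder.Services.AddControllersWithViews(options =>
{
    // CSRF: every unsafe verb (POST/PUT/PATCH/DELETE) must carry a valid anti-forgery
    // token app-wide, so no action depends on someone remembering [ValidateAntiForgeryToken].
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = true;
});

// Session cookie: not readable from script, never sent over plain HTTP, not attached
// to cross-site requests, and with a 30-minute sliding idle timeout.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    options.SlidingExpiration = true;
    options.LoginPath = "/Account/Login";
    options.AccessDeniedPath = "/Account/AccessDenied";
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Home/Error"); // no stack traces or connection strings to clients
    app.UseHsts();                          // header is only emitted on HTTPS responses
}
app.UseHttpsRedirection();   // plain-HTTP requests are redirected before any handler runs
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();     // must come before UseAuthorization
app.UseAuthorization();
app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();

// Assumed project types (stand-ins so the file compiles on its own).
public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}
```

SameSite=Strict is the right default for a first-party application like this one; if a flow needs the session cookie on a top-level navigation from another site (an external payment or identity provider returning the user), Lax is the fallback, never None.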

System Architecture

The application follows a layered architecture based on the ASP.NET Core MVC pattern, with an additional Service Layer for clean separation of concerns.

Presentation Layer (Views)

Built with Razor views plus HTML, CSS and JavaScript. Razor HTML-encodes every @-expression by default, so user-supplied values such as names and appointment notes render as text rather than markup, which blocks reflected and stored XSS in HTML content. The encoding is bypassed only by Html.Raw() and HtmlString, so user input must never be passed through those, and values placed inside inline scripts or URLs need the context-appropriate encoder (JavaScriptEncoder, UrlEncoder) rather than HTML encoding.

Razor Views, HTML5, CSS3, JavaScript

Business Logic Layer

Controllers handle HTTP requests and orchestrate actions, while Services contain core business logic for better separation of concerns.

ASP.NET Core Controllers, Service Layer, Dependency Injection

Data Access Layer

Entity Framework Core provides object-relational mapping, abstracting database operations and working with C# objects.

Entity Framework Core, ApplicationDbContext, LINQ Queries

Project Achievements

The Secure Appointment Management System successfully meets all outlined objectives by leveraging robust security features and adhering to secure coding principles.

  • Implemented a multi-user healthcare appointment system for patients, doctors and administrators
  • Mapped a concrete control to each OWASP Top 10 category (transport, CSRF, injection, authentication, access control)
  • Built a layered architecture on the ASP.NET Core MVC pattern with a separate service layer
  • Enforced Role-Based Access Control (RBAC) server-side with [Authorize]
  • Protected data in transit (HTTPS with HSTS) and credentials at rest (salted PBKDF2 hashes)

Future Enhancements

Potential improvements to further enhance the system's security and functionality:

  • Two-Factor Authentication (2FA) implementation
  • Detailed audit logging for sensitive actions
  • Content Security Policy (CSP) headers
  • Advanced monitoring and alerting systems