Improve Data Security by Doing a Secure User Data Download in .NET


Author - Abdul Rahman (Content Writer)


Table of Contents

  1. What we gonna do?
  2. Why we gonna do?
  3. How we gonna do?
  4. Summary

What we gonna do?

Think giving users a download link for their data is enough? Think again. GDPR compliance is a minefield, and one wrong step could mean a data breach. In this article, we'll show you how to lock down your .NET data export endpoints—no more sleepless nights.

Why we gonna do?

Exporting user data isn't just a feature—it's a security risk waiting to happen. GDPR requires that users can access and download all their personal data, but it also demands that you protect that data at every step. If you store or deliver user data carelessly, you could be exposing sensitive information to unauthorized parties, risking legal trouble and reputational damage.

A common misconception? That a one-time link or expiring URL is enough. In reality, authentication alone is not sufficient—you must also verify that the requesting user is the data owner. And don't forget: storing unencrypted zip files on disk, or leaving PII in logs, is a clear violation of GDPR.

How we gonna do?

Here's how to implement a secure, GDPR-compliant user data download in your .NET application:

Step 1: Require Authentication and Authorization

Your data export endpoint must require authentication, and you must verify that the authenticated user is requesting their own data—not someone else's. Use ClaimsPrincipal to extract the user's identity from the token or cookie.


[Authorize]                                   // reject unauthenticated callers before the body runs
[HttpGet("/api/users/download-data")]
public async Task<IActionResult> DownloadUserData()
{
    // Identity comes from the validated token or cookie, never from a query parameter
    var email = User.FindFirst(ClaimTypes.Email)?.Value;
    if (string.IsNullOrEmpty(email))
        return Unauthorized();
    // ...existing code to collect and package user data...
}

Step 2: Encrypt Data Before Storing

Never store the generated zip file unencrypted on disk or in cloud storage. Use an AES encryptor helper (AesEncryptor in the snippet) to encrypt the zip bytes before saving. Store the ciphertext together with its IV in a secure location (such as Azure Blob Storage), and decrypt it only in memory when serving the download.


// Encrypt the zip data before saving; the helper generates a fresh IV for every export
var encryptedData = AesEncryptor.Encrypt(zipStream.ToArray(), EncryptionKey);
// Persist the ciphertext and its IV together under the owner's userId so that a single
// GetAsync(userId) later returns both (saving them separately under the same key would overwrite one)
await _blobStorage.SaveAsync(userId, encryptedData.Cipher.ToArray(), encryptedData.IV.ToArray());

Step 3: Secure the Download Endpoint

When the user requests their data, require authentication again (consider re-authentication for extra security). Decrypt the data in-memory and deliver it only over HTTPS. Validate that the download request matches the authenticated user.


[Authorize]
[HttpGet("/api/users/download-data/{downloadId}")]
public async Task<IActionResult> DownloadData(string downloadId)
{
    var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (string.IsNullOrEmpty(userId))
        return Unauthorized();
    // The blob is looked up by the caller's own userId, so another user's export cannot be resolved
    var (cipherData, iv) = await _blobStorage.GetAsync(userId);
    if (cipherData is null)
        return NotFound();
    // Decrypt in memory only; nothing unencrypted is written to disk
    var zipStream = AesEncryptor.Decrypt(cipherData, EncryptionKey, iv);
    // ...validate ownership and serve file...
    return File(zipStream, "application/zip", "userdata.zip");
}
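The three steps above fit together as one pair of endpoints. The following is an added example written for this article, not the author's AesEncryptor or blob-storage code: it assumes .NET 8 or later (for the two-argument AesGcm constructor), a hypothetical IExportStore abstraction keyed by owner and download id, and a 32-byte key injected from a secret store. It uses AES-GCM rather than plain AES so that a modified blob fails to decrypt instead of producing garbage, and it makes the ownership check structural by never looking up an export except under the caller's own user id.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical helper (not the article's AesEncryptor): AES-256-GCM, so the stored
// blob is authenticated and a tampered ciphertext fails closed on decrypt.
public sealed record EncryptedBlob(byte[] Nonce, byte[] Cipher, byte[] Tag);

public static class AesGcmEncryptor
{
    private const int NonceSize = 12; // 96-bit nonce, the size GCM is specified for
    private const int TagSize = 16;   // 128-bit authentication tag

    public static EncryptedBlob Encrypt(byte[] plaintext, byte[] key)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize); // unique per export, never reused with this key
        var cipher = new byte[plaintext.Length];
        var tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);             // two-argument constructor: .NET 8 or later
        aes.Encrypt(nonce, plaintext, cipher, tag);
        return new EncryptedBlob(nonce, cipher, tag);
    }

    public static byte[] Decrypt(EncryptedBlob blob, byte[] key)
    {
        var plaintext = new byte[blob.Cipher.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(blob.Nonce, blob.Cipher, blob.Tag, plaintext); // throws CryptographicException if the tag fails
        return plaintext;
    }
}

// Hypothetical store: blobs are addressed by (owner, downloadId), so the lookup itself
// is the ownership check. Azure Blob Storage or a database can sit behind it.
public interface IExportStore
{
    Task SaveAsync(string userId, string downloadId, EncryptedBlob blob);
    Task<EncryptedBlob?> GetAsync(string userId, string downloadId);
}

[ApiController]
[Authorize]
[RequireHttps]
public sealed class UserDataExportController : ControllerBase
{
    private readonly IExportStore _store;
    private readonly byte[] _key; // 32-byte key from a secret store, never from source or config files

    public UserDataExportController(IExportStore store, byte[] exportKey)
    {
        _store = store;
        _key = exportKey;
    }

    // Steps 1 and 2: the zip exists only in memory until encrypted, then is stored under the caller's id.
    [HttpPost("/api/users/download-data")]
    public async Task<IActionResult> CreateExport()
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return Unauthorized();
        using var zip = new MemoryStream();
        BuildZip(userId, zip);
        var blob = AesGcmEncryptor.Encrypt(zip.ToArray(), _key);
        var downloadId = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)); // unguessable handle
        await _store.SaveAsync(userId, downloadId, blob);
        return Accepted(new { downloadId });
    }

    // Step 3: resolved through the caller's identity, decrypted in memory, streamed back.
    [HttpGet("/api/users/download-data/{downloadId}")]
    public async Task<IActionResult> DownloadData(string downloadId)
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            return Unauthorized();
        var blob = await _store.GetAsync(userId, downloadId); // someone else's downloadId does not resolve
        if (blob is null)
            return NotFound();
        byte[] zipBytes;
        try
        {
            zipBytes = AesGcmEncryptor.Decrypt(blob, _key);
        }
        catch (CryptographicException)
        {
            return Problem("Stored export failed its integrity check."); // generic message, nothing leaks
        }
        return File(zipBytes, "application/zip", "userdata.zip");
    }

    // Constructed sample content; a real export pulls the user's records from the database.
    private static void BuildZip(string userId, Stream destination)
    {
        using var archive = new ZipArchive(destination, ZipArchiveMode.Create, leaveOpen: true);
        using var writer = new StreamWriter(archive.CreateEntry("profile.json").Open());
        writer.Write($"{{\"userId\":\"{userId}\"}}");
    }
}
```

Two design points are worth noting. Splitting creation (POST) from retrieval (GET) means the caller receives an opaque handle instead of the data, which gives you a natural place to add re-authentication or an expiry on the handle. And because GetAsync is always called with the caller's own userId, there is no separate "validate ownership" step that can be forgotten: a forged or guessed downloadId returns 404 regardless of who it belongs to.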

Step 4: Remove PII from Logs and Requests

Never log PII, even in request logs, headers, or error logs. Scrub all sensitive data before logging, and avoid storing unencrypted temp files on disk. Keep unencrypted data in memory for as short a time as possible.


// Instead of logging raw PII:
_logger.LogInformation($"User data export for {user.Email}");
// Log an opaque identifier, passed as a structured property rather than interpolated into the message:
_logger.LogInformation("User data export for userId: {UserId}", user.Id);
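Replacing one log call is not enough, because exception messages and framework request logs can carry the same values back in. The following added helper is not from the article; it is a constructed example that scrubs the PII patterns most likely to reach a log line (email addresses and long digit runs such as phone numbers) and shows how an export failure is logged with only an opaque user id as a structured property. The regular expressions are assumptions chosen for illustration and should be extended for whatever identifiers your application handles.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Extensions.Logging;

// Added helper, not part of the article: masks common PII before text is written to a log.
public static class PiiRedactor
{
    private static readonly Regex Email = new(
        @"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", RegexOptions.Compiled);
    // Seven or more consecutive digits: phone numbers, account numbers, card fragments
    private static readonly Regex DigitRun = new(@"\b\d{7,}\b", RegexOptions.Compiled);

    public static string Redact(string text)
    {
        if (string.IsNullOrEmpty(text))
            return text;
        var scrubbed = Email.Replace(text, "[email]");
        return DigitRun.Replace(scrubbed, "[number]");
    }
}

public static class ExportLogging
{
    // Exception text often echoes the value that triggered the failure (an address that
    // failed validation, a file name containing a name), so it is scrubbed before logging.
    public static void LogExportFailure(ILogger logger, string userId, Exception ex)
    {
        logger.LogError("User data export failed for userId {UserId}: {Reason}",
            userId, PiiRedactor.Redact(ex.Message));
    }

    // Constructed input showing the effect:
    //   Redact("export failed for jane.doe@example.com, phone 5551234567")
    //   returns "export failed for [email], phone [number]"
}
```

Keep the redactor on the path of every sink that can see user input: exception handlers, request-logging middleware, and any custom ILogger or enricher. Structured properties such as {UserId} are also preferable to string interpolation because the value is stored as a separate field that can be filtered or dropped by the logging pipeline without parsing the message text.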

Step 5: (Optional) Password-Protect the Zip

While GDPR does not require password-protected zip files, it's a best practice. .NET's System.IO.Compression does not support password-protected (encrypted) zip files, so use a reputable third-party library (like ProDotNetZip) if you need this feature. Always monitor third-party libraries for vulnerabilities.

Summary

Secure data export is more than just a download link—it's a critical part of GDPR compliance. Encrypt user data at rest, require strong authentication and authorization, and never expose PII in logs or temp files. By following these steps, you'll protect your users—and your organization—from costly mistakes. When in doubt, secure more, not less.
