ASP.NET Core web services have a feature called middleware. You can use the built-in middleware provided by Microsoft or create your own: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-2.1. Middleware is a series of steps the request goes through before/while hitting your actual endpoints, and each step allows you to stop the request should something go wrong.
Any official or custom middleware you use is added in the Configure() method of the Startup class in Startup.cs, for example "app.UseMiddleware<BasicAuthenticationMiddleware>();" to use a custom one you've created or downloaded. We're using a custom-created middleware at my shop that does API key-based authentication. When an endpoint of the running web service is hit, the HttpContext steps through each middleware's Invoke() method, where you can specify whether the request should continue or fail. Here's an example:

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;

    /// <summary>
    /// Handles basic authentication
    /// </summary>
    public class BasicAuthenticationMiddleware
    {
        private readonly RequestDelegate next;

        // A collection of API keys for use with Basic authorization with API keys.
        // Supplied through DI or as an extra argument to UseMiddleware<T>().
        private readonly IEnumerable<string> apiKeys;

        public BasicAuthenticationMiddleware(RequestDelegate next, IEnumerable<string> apiKeys)
        {
            this.next = next;
            this.apiKeys = apiKeys;
        }

        public async Task Invoke(HttpContext context)
        {
            string authorizationHeader = context.Request.Headers["Authorization"];
            // Ordinal comparison: the scheme check must not depend on the server's culture
            if (authorizationHeader == null
                || !authorizationHeader.StartsWith("Basic", StringComparison.Ordinal)
                || !BasicAuthentication.AuthenticateApiKey(authorizationHeader, apiKeys))
            {
                // authentication has failed, exit request and return a status code + headers
                context.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"realm\"");
                context.Response.StatusCode = 401;
                return;
            }

            // we're good to go - call the next middleware's Invoke() method
            await next.Invoke(context);
        }
    }

Middleware runs in the same order in which you add it in the Configure() method of Startup.cs, so you'll likely want an error handling middleware first and then some authentication middleware to add security to the service.
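
The middleware above calls BasicAuthentication.AuthenticateApiKey without showing it. The following is an added example, not code from the original post, of one way such a helper could be written: it assumes the API key is sent as the Basic user name with an empty password, treats malformed input as a failed authentication, and compares keys in constant time. The sample key in Main is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class BasicAuthentication
{
    // Assumption: the client sends "Authorization: Basic base64(apiKey + ":")",
    // i.e. the API key is the Basic user name and the password is empty.
    public static bool AuthenticateApiKey(string authorizationHeader, IEnumerable<string> apiKeys)
    {
        const string scheme = "Basic ";
        if (authorizationHeader == null || apiKeys == null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] decoded;
        try { decoded = Convert.FromBase64String(authorizationHeader.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return false; } // bad base64 is a 401, not an unhandled exception

        string credentials = Encoding.UTF8.GetString(decoded);
        int colon = credentials.IndexOf(':');
        string presented = colon >= 0 ? credentials.Substring(0, colon) : credentials;
        if (presented.Length == 0) return false;

        // Hash both sides so every comparison covers 32 bytes, and check all configured
        // keys without an early exit so response time does not depend on which key matched.
        using (var sha = SHA256.Create())
        {
            byte[] presentedHash = sha.ComputeHash(Encoding.UTF8.GetBytes(presented));
            bool match = false;
            foreach (string key in apiKeys)
            {
                byte[] keyHash = sha.ComputeHash(Encoding.UTF8.GetBytes(key));
                match |= CryptographicOperations.FixedTimeEquals(presentedHash, keyHash);
            }
            return match;
        }
    }

    public static void Main()
    {
        // Constructed sample key and headers, for illustration only
        var keys = new List<string> { "constructed-sample-key" };
        string good = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("constructed-sample-key:"));
        Console.WriteLine(AuthenticateApiKey(good, keys));
        Console.WriteLine(AuthenticateApiKey("Basic not*base64", keys));
    }
}
```

CryptographicOperations.FixedTimeEquals requires .NET Core 2.1 or later.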