Class SecurityHeadersPolicyBuilder
Exposes methods to build a SecurityHeadersPolicy.
Namespace: Lib.AspNetCore.Security
Assembly: Lib.AspNetCore.Security.dll
Syntax
public class SecurityHeadersPolicyBuilder
Constructors
SecurityHeadersPolicyBuilder()
Instantiates a new SecurityHeadersPolicyBuilder.
Declaration
public SecurityHeadersPolicyBuilder()
Methods
Build()
Builds a new SecurityHeadersPolicy using the settings added.
Declaration
public SecurityHeadersPolicy Build()
Returns
Type | Description |
---|---|
SecurityHeadersPolicy | The constructed SecurityHeadersPolicy. |
WithAllowFromXFrameOptions(String)
Adds the X-Frame-Options with AllowFrom directive.
Declaration
public SecurityHeadersPolicyBuilder WithAllowFromXFrameOptions(string origin)
Parameters
Type | Name | Description |
---|---|---|
System.String | origin | The serialized origin. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithAllXPermittedCrossDomainPolicies()
Adds the X-Permitted-Cross-Domain-Policies with All directive.
Declaration
public SecurityHeadersPolicyBuilder WithAllXPermittedCrossDomainPolicies()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithBlockXssFiltering()
Adds the X-XSS-Protection with Block mode.
Declaration
public SecurityHeadersPolicyBuilder WithBlockXssFiltering()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithByContentTypeXPermittedCrossDomainPolicies()
Adds the X-Permitted-Cross-Domain-Policies with ByContentType directive.
Declaration
public SecurityHeadersPolicyBuilder WithByContentTypeXPermittedCrossDomainPolicies()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithCsp(ContentSecurityPolicyHeaderValue)
Adds the Content Security Policy to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithCsp(ContentSecurityPolicyHeaderValue csp)
Parameters
Type | Name | Description |
---|---|---|
ContentSecurityPolicyHeaderValue | csp | The Content Security Policy. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithCsp(String, String, String, String, String, String, String, String, String, String, String, String, Boolean, ContentSecurityPolicySandboxFlags, String, ContentSecurityPolicyInlineExecution, String, ContentSecurityPolicyInlineExecution, Boolean, Boolean, Nullable<ContentSecurityPolicyRequireSriFor>, String, String, String)
Adds the Content Security Policy to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithCsp(string baseUri = null, string childSources = null, string connectSources = null, string defaultSources = "'none'", string fontSources = null, string formAction = null, string frameAncestorsSources = null, string imageSources = null, string manifestSources = null, string mediaSources = null, string objectSources = null, string reportUri = null, bool sandbox = false, ContentSecurityPolicySandboxFlags sandboxFlags = ContentSecurityPolicySandboxFlags.None, string scriptSources = null, ContentSecurityPolicyInlineExecution scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, string styleSources = null, ContentSecurityPolicyInlineExecution styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, bool blockAllMixedContent = false, bool upgradeInsecureRequests = false, ContentSecurityPolicyRequireSriFor? requireSriFor = null, string pluginTypes = null, string workerSources = null, string frameSources = null)
Parameters
Type | Name | Description |
---|---|---|
System.String | baseUri | The list of URLs that can be used to specify the document base URL. |
System.String | childSources | The source list for web workers and nested browsing contexts. |
System.String | connectSources | The source list for fetch, XMLHttpRequest, WebSocket, and EventSource connections. |
System.String | defaultSources | The default source list for directives which can fall back to the default sources. |
System.String | fontSources | The source list for fonts loaded using @font-face. |
System.String | formAction | The valid endpoints for form submissions. |
System.String | frameAncestorsSources | The valid parents that may embed a page using the frame and iframe elements. |
System.String | imageSources | The source list for images and favicons. |
System.String | manifestSources | The source list for the manifest that can be applied to the resource. |
System.String | mediaSources | The source list for loading media using the audio and video elements. |
System.String | objectSources | The source list for the object, embed, and applet elements. |
System.String | reportUri | The URL to which the user agent should send reports about policy violations. |
System.Boolean | sandbox | The value indicating if sandbox policy should be applied. |
ContentSecurityPolicySandboxFlags | sandboxFlags | The sandboxing flags (only used when Sandbox is true). |
System.String | scriptSources | The source list for scripts. |
ContentSecurityPolicyInlineExecution | scriptInlineExecution | The inline execution mode for scripts. |
System.String | styleSources | The source list for stylesheets. |
ContentSecurityPolicyInlineExecution | styleInlineExecution | The inline execution mode for stylesheets. |
System.Boolean | blockAllMixedContent | The value indicating if block-all-mixed-content directive should be included. |
System.Boolean | upgradeInsecureRequests | The value indicating if upgrade-insecure-requests directive should be included. |
System.Nullable<ContentSecurityPolicyRequireSriFor> | requireSriFor | The value indicating if the use of Subresource Integrity is required for scripts and/or styles. |
System.String | pluginTypes | The types of plugins that can be embedded into a document. |
System.String | workerSources | The source list for Worker, SharedWorker, or ServiceWorker scripts. |
System.String | frameSources | The source list for nested browsing contexts loaded using elements such as frame and iframe. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithDenyXFrameOptions()
Adds the X-Frame-Options with Deny directive.
Declaration
public SecurityHeadersPolicyBuilder WithDenyXFrameOptions()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithExpectCt(UInt32, Boolean, String)
Adds the Expect-CT to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithExpectCt(uint maxAge = 2592000U, bool enforce = false, string reportUri = null)
Parameters
Type | Name | Description |
---|---|---|
System.UInt32 | maxAge | The number of seconds after the reception of the Expect-CT header field during which the client should regard the host from whom the message was received as a Known Expect-CT Host. |
System.Boolean | enforce | The value indicating if compliance to the CT Policy should be enforced. |
System.String | reportUri | The absolute URI to which the client should report Expect-CT failures. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithFeaturePolicy(FeaturePolicy)
Adds the Feature-Policy.
Declaration
[Obsolete("Feature Policy has been replaced with Permissions Policy.")]
public SecurityHeadersPolicyBuilder WithFeaturePolicy(FeaturePolicy policy)
Parameters
Type | Name | Description |
---|---|---|
FeaturePolicy | policy | The feature policy. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithFeaturePolicy(FeaturePolicy[])
Adds the Feature-Policy.
Declaration
[Obsolete("Feature Policy has been replaced with Permissions Policy.")]
public SecurityHeadersPolicyBuilder WithFeaturePolicy(params FeaturePolicy[] policies)
Parameters
Type | Name | Description |
---|---|---|
FeaturePolicy[] | policies | The feature policies. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithHsts(UInt32, Boolean, Boolean, Nullable<Int32>)
Adds the HTTP Strict Transport Security to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithHsts(uint maxAge, bool includeSubDomains = false, bool preload = false, int? sslPort = null)
Parameters
Type | Name | Description |
---|---|---|
System.UInt32 | maxAge | The time (in seconds) that the browser should remember that this resource is only to be accessed using HTTPS. |
System.Boolean | includeSubDomains | The value indicating if this rule applies to all subdomains as well. |
System.Boolean | preload | The value indicating if subscription to the HSTS preload list should be confirmed. |
System.Nullable<System.Int32> | sslPort | The SSL port used by the application. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithMasterOnlyXPermittedCrossDomainPolicies()
Adds the X-Permitted-Cross-Domain-Policies with MasterOnly directive.
Declaration
public SecurityHeadersPolicyBuilder WithMasterOnlyXPermittedCrossDomainPolicies()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithNoneXPermittedCrossDomainPolicies()
Adds the X-Permitted-Cross-Domain-Policies with None directive.
Declaration
public SecurityHeadersPolicyBuilder WithNoneXPermittedCrossDomainPolicies()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithNoneXssFiltering()
Adds the X-XSS-Protection with None mode.
Declaration
public SecurityHeadersPolicyBuilder WithNoneXssFiltering()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithPermissionsPolicy(PolicyControlledFeature[])
Adds the Permissions-Policy.
Declaration
public SecurityHeadersPolicyBuilder WithPermissionsPolicy(params PolicyControlledFeature[] features)
Parameters
Type | Name | Description |
---|---|---|
PolicyControlledFeature[] | features | The features controlled by Permissions Policy. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithReferrerPolicy(ReferrerPolicyDirectives)
Adds the Referrer-Policy.
Declaration
public SecurityHeadersPolicyBuilder WithReferrerPolicy(ReferrerPolicyDirectives directive)
Parameters
Type | Name | Description |
---|---|---|
ReferrerPolicyDirectives | directive | The directive. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithReportOnlyCsp(ContentSecurityPolicyHeaderValue)
Adds the report-only Content Security Policy to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyCsp(ContentSecurityPolicyHeaderValue csp)
Parameters
Type | Name | Description |
---|---|---|
ContentSecurityPolicyHeaderValue | csp | The Content Security Policy. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithReportOnlyCsp(String, String, String, String, String, String, String, String, String, String, String, String, Boolean, ContentSecurityPolicySandboxFlags, String, ContentSecurityPolicyInlineExecution, String, ContentSecurityPolicyInlineExecution, Boolean, Boolean, Nullable<ContentSecurityPolicyRequireSriFor>, String, String, String)
Adds the report-only Content Security Policy to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyCsp(string baseUri = null, string childSources = null, string connectSources = null, string defaultSources = "'none'", string fontSources = null, string formAction = null, string frameAncestorsSources = null, string imageSources = null, string manifestSources = null, string mediaSources = null, string objectSources = null, string reportUri = null, bool sandbox = false, ContentSecurityPolicySandboxFlags sandboxFlags = ContentSecurityPolicySandboxFlags.None, string scriptSources = null, ContentSecurityPolicyInlineExecution scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, string styleSources = null, ContentSecurityPolicyInlineExecution styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, bool blockAllMixedContent = false, bool upgradeInsecureRequests = false, ContentSecurityPolicyRequireSriFor? requireSriFor = null, string pluginTypes = null, string workerSources = null, string frameSources = null)
Parameters
Type | Name | Description |
---|---|---|
System.String | baseUri | The list of URLs that can be used to specify the document base URL. |
System.String | childSources | The source list for web workers and nested browsing contexts. |
System.String | connectSources | The source list for fetch, XMLHttpRequest, WebSocket, and EventSource connections. |
System.String | defaultSources | The default source list for directives which can fall back to the default sources. |
System.String | fontSources | The source list for fonts loaded using @font-face. |
System.String | formAction | The valid endpoints for form submissions. |
System.String | frameAncestorsSources | The valid parents that may embed a page using the frame and iframe elements. |
System.String | imageSources | The source list for images and favicons. |
System.String | manifestSources | The source list for the manifest that can be applied to the resource. |
System.String | mediaSources | The source list for loading media using the audio and video elements. |
System.String | objectSources | The source list for the object, embed, and applet elements. |
System.String | reportUri | The URL to which the user agent should send reports about policy violations. |
System.Boolean | sandbox | The value indicating if sandbox policy should be applied. |
ContentSecurityPolicySandboxFlags | sandboxFlags | The sandboxing flags (only used when Sandbox is true). |
System.String | scriptSources | The source list for scripts. |
ContentSecurityPolicyInlineExecution | scriptInlineExecution | The inline execution mode for scripts. |
System.String | styleSources | The source list for stylesheets. |
ContentSecurityPolicyInlineExecution | styleInlineExecution | The inline execution mode for stylesheets. |
System.Boolean | blockAllMixedContent | The value indicating if block-all-mixed-content directive should be included. |
System.Boolean | upgradeInsecureRequests | The value indicating if upgrade-insecure-requests directive should be included. |
System.Nullable<ContentSecurityPolicyRequireSriFor> | requireSriFor | The value indicating if the use of Subresource Integrity is required for scripts and/or styles. |
System.String | pluginTypes | The types of plugins that can be embedded into a document. |
System.String | workerSources | The source list for Worker, SharedWorker, or ServiceWorker scripts. |
System.String | frameSources | The source list for nested browsing contexts loaded using elements such as frame and iframe. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithReportOnlyExpectCt(String)
Adds the report-only Expect-CT to the policy.
Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyExpectCt(string reportUri)
Parameters
Type | Name | Description |
---|---|---|
System.String | reportUri | The absolute URI to which the client should report Expect-CT failures. |
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithSameOriginXFrameOptions()
Adds the X-Frame-Options with SameOrigin directive.
Declaration
public SecurityHeadersPolicyBuilder WithSameOriginXFrameOptions()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithSanitizeXssFiltering()
Adds the X-XSS-Protection with Sanitize mode.
Declaration
public SecurityHeadersPolicyBuilder WithSanitizeXssFiltering()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithXContentTypeOptions()
Adds the X-Content-Type-Options.
Declaration
public SecurityHeadersPolicyBuilder WithXContentTypeOptions()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
WithXDownloadOptions()
Adds the X-Download-Options.
Declaration
public SecurityHeadersPolicyBuilder WithXDownloadOptions()
Returns
Type | Description |
---|---|
SecurityHeadersPolicyBuilder | The current policy builder. |
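Example
The following is an added usage example, not code from the library or its documentation. It chains the builder methods listed above into one baseline policy and switches the same CSP directives between WithReportOnlyCsp and WithCsp for a staged rollout. Assumptions: the class name SecurityHeadersExample, the example.test origins and report endpoint are constructed placeholders; source lists are passed as CSP source-expression strings (following the declared "'none'" default); SecurityHeadersPolicy is taken to be in the same namespace as the builder.

```csharp
using Lib.AspNetCore.Security; // assumed to also contain SecurityHeadersPolicy

public static class SecurityHeadersExample // hypothetical name
{
    // Constructed placeholder values, not taken from the library.
    private const string Scripts = "'self' https://cdn.example.test";
    private const string Reports = "https://reports.example.test/csp";

    // enforceCsp = false: send the report-only CSP while violation reports are reviewed.
    // enforceCsp = true:  send the same directives as an enforced CSP.
    public static SecurityHeadersPolicy BuildPolicy(bool enforceCsp)
    {
        SecurityHeadersPolicyBuilder builder = new SecurityHeadersPolicyBuilder()
            // One year of HSTS; preload is left at its declared default (false).
            .WithHsts(maxAge: 31536000U, includeSubDomains: true)
            .WithDenyXFrameOptions()
            .WithXContentTypeOptions();

        // defaultSources stays at "'none'" and both inline execution modes stay
        // at Refuse (the declared defaults), so only the listed sources are allowed.
        if (enforceCsp)
        {
            builder.WithCsp(
                scriptSources: Scripts,
                styleSources: "'self'",
                imageSources: "'self'",
                connectSources: "'self'",
                formAction: "'self'",
                frameAncestorsSources: "'none'",
                reportUri: Reports);
        }
        else
        {
            builder.WithReportOnlyCsp(
                scriptSources: Scripts,
                styleSources: "'self'",
                imageSources: "'self'",
                connectSources: "'self'",
                formAction: "'self'",
                frameAncestorsSources: "'none'",
                reportUri: Reports);
        }

        return builder.Build();
    }
}
```

Start with enforceCsp set to false and switch it to true once the report endpoint stops receiving violations from legitimate page content.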