Class SecurityHeadersPolicyBuilder

Exposes methods to build a SecurityHeadersPolicy.

Inheritance
System.Object
SecurityHeadersPolicyBuilder
Inherited Members
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Lib.AspNetCore.Security
Assembly: Lib.AspNetCore.Security.dll
Syntax
public class SecurityHeadersPolicyBuilder

Constructors

SecurityHeadersPolicyBuilder()

Instantiates a new SecurityHeadersPolicyBuilder.

Declaration
public SecurityHeadersPolicyBuilder()

Methods

Build()

Builds a new SecurityHeadersPolicy using the settings added.

Declaration
public SecurityHeadersPolicy Build()
Returns
Type Description
SecurityHeadersPolicy

The constructed SecurityHeadersPolicy.

WithAllowFromXFrameOptions(String)

Adds the X-Frame-Options with AllowFrom directive.

Declaration
public SecurityHeadersPolicyBuilder WithAllowFromXFrameOptions(string origin)
Parameters
Type Name Description
System.String origin

The serialized origin.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithAllXPermittedCrossDomainPolicies()

Adds the X-Permitted-Cross-Domain-Policies with All directive.

Declaration
public SecurityHeadersPolicyBuilder WithAllXPermittedCrossDomainPolicies()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithBlockXssFiltering()

Adds the X-XSS-Protection with Block mode.

Declaration
public SecurityHeadersPolicyBuilder WithBlockXssFiltering()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithByContentTypeXPermittedCrossDomainPolicies()

Adds the X-Permitted-Cross-Domain-Policies with ByContentType directive.

Declaration
public SecurityHeadersPolicyBuilder WithByContentTypeXPermittedCrossDomainPolicies()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithCsp(ContentSecurityPolicyHeaderValue)

Adds the Content Security Policy to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithCsp(ContentSecurityPolicyHeaderValue csp)
Parameters
Type Name Description
ContentSecurityPolicyHeaderValue csp

The Content Security Policy.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithCsp(String, String, String, String, String, String, String, String, String, String, String, String, Boolean, ContentSecurityPolicySandboxFlags, String, ContentSecurityPolicyInlineExecution, String, ContentSecurityPolicyInlineExecution, Boolean, Boolean, Nullable<ContentSecurityPolicyRequireSriFor>, String, String, String)

Adds the Content Security Policy to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithCsp(string baseUri = null, string childSources = null, string connectSources = null, string defaultSources = "'none'", string fontSources = null, string formAction = null, string frameAncestorsSources = null, string imageSources = null, string manifestSources = null, string mediaSources = null, string objectSources = null, string reportUri = null, bool sandbox = false, ContentSecurityPolicySandboxFlags sandboxFlags = ContentSecurityPolicySandboxFlags.None, string scriptSources = null, ContentSecurityPolicyInlineExecution scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, string styleSources = null, ContentSecurityPolicyInlineExecution styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, bool blockAllMixedContent = false, bool upgradeInsecureRequests = false, ContentSecurityPolicyRequireSriFor? requireSriFor = null, string pluginTypes = null, string workerSources = null, string frameSources = null)
Parameters
Type Name Description
System.String baseUri

The list of URLs that can be used to specify the document base URL.

System.String childSources

The source list for web workers and nested browsing contexts.

System.String connectSources

The source list for fetch, XMLHttpRequest, WebSocket, and EventSource connections.

System.String defaultSources

The default source list for directives which can fall back to the default sources.

System.String fontSources

The source list for fonts loaded using @font-face.

System.String formAction

The valid endpoints for form submissions.

System.String frameAncestorsSources

The valid parents that may embed a page using the frame and iframe elements.

System.String imageSources

The source list for images and favicons.

System.String manifestSources

The source list for the manifest that can be applied to the resource.

System.String mediaSources

The source list for loading media using the audio and video elements.

System.String objectSources

The source list for the object, embed, and applet elements.

System.String reportUri

The URL to which the user agent should send reports about policy violations.

System.Boolean sandbox

The value indicating if sandbox policy should be applied.

ContentSecurityPolicySandboxFlags sandboxFlags

The sandboxing flags (only used when Sandbox is true).

System.String scriptSources

The source list for scripts.

ContentSecurityPolicyInlineExecution scriptInlineExecution

The inline execution mode for scripts.

System.String styleSources

The source list for stylesheets.

ContentSecurityPolicyInlineExecution styleInlineExecution

The inline execution mode for stylesheets.

System.Boolean blockAllMixedContent

The value indicating if block-all-mixed-content directive should be included.

System.Boolean upgradeInsecureRequests

The value indicating if upgrade-insecure-requests directive should be included.

System.Nullable<ContentSecurityPolicyRequireSriFor> requireSriFor

The value indicating if the use of Subresource Integrity is required for scripts and/or styles.

System.String pluginTypes

The types of plugins that can be embedded into a document.

System.String workerSources

The source list for Worker, SharedWorker, or ServiceWorker scripts.

System.String frameSources

The source list for nested browsing contexts loaded using elements such as frame and iframe.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithDenyXFrameOptions()

Adds the X-Frame-Options with Deny directive.

Declaration
public SecurityHeadersPolicyBuilder WithDenyXFrameOptions()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithExpectCt(UInt32, Boolean, String)

Adds the Expect-CT to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithExpectCt(uint maxAge = 2592000U, bool enforce = false, string reportUri = null)
Parameters
Type Name Description
System.UInt32 maxAge

The number of seconds after the reception of the Expect-CT header field during which the client should regard the host from whom the message was received as a Known Expect-CT Host.

System.Boolean enforce

The value indicating if compliance to the CT Policy should be enforced.

System.String reportUri

The absolute URI to which the client should report Expect-CT failures.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithFeaturePolicy(FeaturePolicy)

Adds the Feature-Policy.

Declaration
[Obsolete("Feature Policy has been replaced with Permissions Policy.")]
public SecurityHeadersPolicyBuilder WithFeaturePolicy(FeaturePolicy policy)
Parameters
Type Name Description
FeaturePolicy policy

The feature policy.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithFeaturePolicy(FeaturePolicy[])

Adds the Feature-Policy.

Declaration
[Obsolete("Feature Policy has been replaced with Permissions Policy.")]
public SecurityHeadersPolicyBuilder WithFeaturePolicy(params FeaturePolicy[] policies)
Parameters
Type Name Description
FeaturePolicy[] policies

The feature policies.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithHsts(UInt32, Boolean, Boolean, Nullable<Int32>)

Adds the HTTP Strict Transport Security to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithHsts(uint maxAge, bool includeSubDomains = false, bool preload = false, int? sslPort = null)
Parameters
Type Name Description
System.UInt32 maxAge

The time (in seconds) that the browser should remember that this resource is only to be accessed using HTTPS.

System.Boolean includeSubDomains

The value indicating if this rule applies to all subdomains as well.

System.Boolean preload

The value indicating if subscription to HSTS preload list should be confirmed.

System.Nullable<System.Int32> sslPort

The SSL port used by application.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithMasterOnlyXPermittedCrossDomainPolicies()

Adds the X-Permitted-Cross-Domain-Policies with MasterOnly directive.

Declaration
public SecurityHeadersPolicyBuilder WithMasterOnlyXPermittedCrossDomainPolicies()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithNoneXPermittedCrossDomainPolicies()

Adds the X-Permitted-Cross-Domain-Policies with None directive.

Declaration
public SecurityHeadersPolicyBuilder WithNoneXPermittedCrossDomainPolicies()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithNoneXssFiltering()

Adds the X-XSS-Protection with None mode.

Declaration
public SecurityHeadersPolicyBuilder WithNoneXssFiltering()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithPermissionsPolicy(PolicyControlledFeature[])

Adds the Permissions-Policy.

Declaration
public SecurityHeadersPolicyBuilder WithPermissionsPolicy(params PolicyControlledFeature[] features)
Parameters
Type Name Description
PolicyControlledFeature[] features

The features controlled by Permissions Policy.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithReferrerPolicy(ReferrerPolicyDirectives)

Adds the Referrer-Policy.

Declaration
public SecurityHeadersPolicyBuilder WithReferrerPolicy(ReferrerPolicyDirectives directive)
Parameters
Type Name Description
ReferrerPolicyDirectives directive

The directive.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithReportOnlyCsp(ContentSecurityPolicyHeaderValue)

Adds the report only Content Security Policy to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyCsp(ContentSecurityPolicyHeaderValue csp)
Parameters
Type Name Description
ContentSecurityPolicyHeaderValue csp

The Content Security Policy.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithReportOnlyCsp(String, String, String, String, String, String, String, String, String, String, String, String, Boolean, ContentSecurityPolicySandboxFlags, String, ContentSecurityPolicyInlineExecution, String, ContentSecurityPolicyInlineExecution, Boolean, Boolean, Nullable<ContentSecurityPolicyRequireSriFor>, String, String, String)

Adds the report only Content Security Policy to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyCsp(string baseUri = null, string childSources = null, string connectSources = null, string defaultSources = "'none'", string fontSources = null, string formAction = null, string frameAncestorsSources = null, string imageSources = null, string manifestSources = null, string mediaSources = null, string objectSources = null, string reportUri = null, bool sandbox = false, ContentSecurityPolicySandboxFlags sandboxFlags = ContentSecurityPolicySandboxFlags.None, string scriptSources = null, ContentSecurityPolicyInlineExecution scriptInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, string styleSources = null, ContentSecurityPolicyInlineExecution styleInlineExecution = ContentSecurityPolicyInlineExecution.Refuse, bool blockAllMixedContent = false, bool upgradeInsecureRequests = false, ContentSecurityPolicyRequireSriFor? requireSriFor = null, string pluginTypes = null, string workerSources = null, string frameSources = null)
Parameters
Type Name Description
System.String baseUri

The list of URLs that can be used to specify the document base URL.

System.String childSources

The source list for web workers and nested browsing contexts.

System.String connectSources

The source list for fetch, XMLHttpRequest, WebSocket, and EventSource connections.

System.String defaultSources

The default source list for directives which can fall back to the default sources.

System.String fontSources

The source list for fonts loaded using @font-face.

System.String formAction

The valid endpoints for form submissions.

System.String frameAncestorsSources

The valid parents that may embed a page using the frame and iframe elements.

System.String imageSources

The source list for images and favicons.

System.String manifestSources

The source list for the manifest that can be applied to the resource.

System.String mediaSources

The source list for loading media using the audio and video elements.

System.String objectSources

The source list for the object, embed, and applet elements.

System.String reportUri

The URL to which the user agent should send reports about policy violations.

System.Boolean sandbox

The value indicating if sandbox policy should be applied.

ContentSecurityPolicySandboxFlags sandboxFlags

The sandboxing flags (only used when Sandbox is true).

System.String scriptSources

The source list for scripts.

ContentSecurityPolicyInlineExecution scriptInlineExecution

The inline execution mode for scripts.

System.String styleSources

The source list for stylesheets.

ContentSecurityPolicyInlineExecution styleInlineExecution

The inline execution mode for stylesheets.

System.Boolean blockAllMixedContent

The value indicating if block-all-mixed-content directive should be included.

System.Boolean upgradeInsecureRequests

The value indicating if upgrade-insecure-requests directive should be included.

System.Nullable<ContentSecurityPolicyRequireSriFor> requireSriFor

The value indicating if the use of Subresource Integrity is required for scripts and/or styles.

System.String pluginTypes

The types of plugins that can be embedded into a document.

System.String workerSources

The source list for Worker, SharedWorker, or ServiceWorker scripts.

System.String frameSources

The source list for nested browsing contexts loaded using elements such as frame and iframe.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.
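
One way to combine the enforced and report-only CSP overloads, added here as an example and not taken from the library's own documentation: the enforced policy is the baseline, and a tighter candidate runs in report-only mode so violations are collected before it is enforced. Every method and parameter name comes from the declarations on this page; the source-list values, the HSTS lifetime and the report endpoint `https://reports.example.test/csp` are constructed for illustration.

```csharp
using Lib.AspNetCore.Security;

// Constructed values; replace with the application's own origins and endpoint.
const string ReportEndpoint = "https://reports.example.test/csp"; // placeholder URL
const uint OneYearInSeconds = 31536000U;

var policy = new SecurityHeadersPolicyBuilder()
    // Transport: HTTPS-only for one year, applied to subdomains as well.
    .WithHsts(OneYearInSeconds, includeSubDomains: true)
    // Framing, MIME sniffing and cross-domain policy files.
    .WithDenyXFrameOptions()
    .WithXContentTypeOptions()
    .WithNoneXPermittedCrossDomainPolicies()
    // Enforced baseline. defaultSources already defaults to "'none'", so each
    // resource type the application needs is opened explicitly. Inline script
    // and style execution stay at their default (Refuse).
    .WithCsp(
        defaultSources: "'none'",
        baseUri: "'self'",
        connectSources: "'self'",
        formAction: "'self'",
        frameAncestorsSources: "'none'",
        imageSources: "'self' data:",
        scriptSources: "'self'",
        styleSources: "'self'",
        reportUri: ReportEndpoint)
    // Candidate policy, report-only: identical except that img-src no longer
    // allows data: URLs. Reports show what would break before it is enforced.
    .WithReportOnlyCsp(
        defaultSources: "'none'",
        baseUri: "'self'",
        connectSources: "'self'",
        formAction: "'self'",
        frameAncestorsSources: "'none'",
        imageSources: "'self'",
        scriptSources: "'self'",
        styleSources: "'self'",
        reportUri: ReportEndpoint)
    .Build();

// 'policy' is the SecurityHeadersPolicy returned by Build(); hand it to the
// library's middleware registration in the application's request pipeline.
```

Once the report endpoint stays quiet for the candidate policy, move its values into the `WithCsp` call and drop the report-only call.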

WithReportOnlyExpectCt(String)

Adds the report only Expect-CT to the policy.

Declaration
public SecurityHeadersPolicyBuilder WithReportOnlyExpectCt(string reportUri)
Parameters
Type Name Description
System.String reportUri

The absolute URI to which the client should report Expect-CT failures.

Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithSameOriginXFrameOptions()

Adds the X-Frame-Options with SameOrigin directive.

Declaration
public SecurityHeadersPolicyBuilder WithSameOriginXFrameOptions()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithSanitizeXssFiltering()

Adds the X-XSS-Protection with Sanitize mode.

Declaration
public SecurityHeadersPolicyBuilder WithSanitizeXssFiltering()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithXContentTypeOptions()

Adds the X-Content-Type-Options.

Declaration
public SecurityHeadersPolicyBuilder WithXContentTypeOptions()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

WithXDownloadOptions()

Adds the X-Download-Options.

Declaration
public SecurityHeadersPolicyBuilder WithXDownloadOptions()
Returns
Type Description
SecurityHeadersPolicyBuilder

The current policy builder.

Copyright © 2016 - 2023 Tomasz Pęczek