Security Headers

The main functionality of Lib.AspNetCore.Security is support for security headers configuration. The support comes in three ways:

  • Header value classes
  • HttpResponse extensions
  • Middleware

The table below summarizes which of these options are available for each header.

| Header                                | Header Value Class | HttpResponse Extension | Middleware |
|---------------------------------------|--------------------|------------------------|------------|
| Clear-Site-Data                       | Yes                | Yes                    | No         |
| Content-Security-Policy(-Report-Only) | Yes                | No                     | Yes        |
| Expect-CT                             | Yes                | Yes                    | Yes        |
| Permissions-Policy                    | Yes                | Yes                    | Yes        |
| Referrer-Policy                       | Yes                | Yes                    | Yes        |
| Strict-Transport-Security             | Yes                | Yes                    | Yes        |
| X-Content-Type-Options                | No                 | Yes                    | Yes        |
| X-Download-Options                    | No                 | Yes                    | Yes        |
| X-Frame-Options                       | Yes                | Yes                    | Yes        |
| X-Permitted-Cross-Domain-Policies     | Yes                | Yes                    | Yes        |
| X-XSS-Protection                      | Yes                | Yes                    | Yes        |

Configuring security headers with middleware

To configure security headers for the entire application, add the middleware to the request pipeline using the UseSecurityHeaders extension method. The middleware must be registered before any endpoints in the application that are supposed to be protected (for example, before the call to UseMvc), because it sets the headers on responses as they pass back through the pipeline.

The headers are configured while adding the middleware: call UseSecurityHeaders with a lambda that receives a SecurityHeadersPolicyBuilder and use the builder's With* methods to define the policy.

public void Configure(IApplicationBuilder app)
{
    ...

    // Register before UseMvc (or any other endpoint) so protected responses get the headers.
    app.UseSecurityHeaders(builder =>
    {
        // Content-Security-Policy: per-directive source lists; inline scripts and
        // styles are allowed via hashes rather than 'unsafe-inline'.
        builder.WithCsp(
            fontSources: "fonts.gstatic.com",
            imageSources: ContentSecurityPolicyHeaderValue.SelfSource,
            scriptSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("cdnjs.cloudflare.com")
                .Build(),
            scriptInlineExecution: ContentSecurityPolicyInlineExecution.Hash,
            styleSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("fonts.googleapis.com")
                .Build(),
            styleInlineExecution: ContentSecurityPolicyInlineExecution.Hash
        )
        // Remaining headers use the builder's fixed-value helpers.
        .WithDenyXFrameOptions()
        .WithBlockXssFiltering()
        .WithXContentTypeOptions()
        .WithXDownloadOptions()
        .WithReferrerPolicy(ReferrerPolicyDirectives.NoReferrer)
        .WithNoneXPermittedCrossDomainPolicies()
        .WithFeaturePolicy(new FeaturePolicy
        {
            Camera = new[] { "https://other.com" },
            Microphone = new[] { "https://other.com" }
        });
    });

    ...
}
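Once the middleware is in place, the thing a practitioner wants to verify is that the deployed responses actually carry the intended policy and that nothing in it is weaker than expected. The following Python script is an added example (not part of Lib.AspNetCore.Security or this page): it parses a set of captured response headers, breaks the Content-Security-Policy into directives and reports weak or missing settings. The SAMPLE_HEADERS values are a constructed approximation of what the configuration above would emit; the sha256 tokens are placeholders, not real digests, and the exact serialization of the real headers may differ.

```python
"""Check captured HTTP response headers against a security-header baseline."""
from typing import Dict, List

# Constructed sample approximating the headers produced by the middleware
# configuration above. Hash tokens are placeholders, not real digests.
SAMPLE_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "font-src fonts.gstatic.com; img-src 'self'; "
        "script-src 'self' cdnjs.cloudflare.com 'sha256-PLACEHOLDER_HASH='; "
        "style-src 'self' fonts.googleapis.com 'sha256-PLACEHOLDER_HASH='"
    ),
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Download-Options": "noopen",
    "Referrer-Policy": "no-referrer",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Feature-Policy": "camera https://other.com; microphone https://other.com",
}

# Constructed sample of a weak configuration, for contrast.
WEAK_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "X-Frame-Options": "ALLOWALL",
}

# Source expressions that make script-src / style-src largely ineffective.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; source values are kept as-is
            # because hash/nonce tokens are case-sensitive.
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty list means the baseline is satisfied)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: missing")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security: missing (expected on HTTPS responses)")

    csp_value = h.get("content-security-policy")
    if csp_value is None:
        findings.append("Content-Security-Policy: missing")
        return findings

    csp = parse_csp(csp_value)
    # Without default-src, any fetch directive that is not listed is unrestricted.
    if "default-src" not in csp:
        findings.append("CSP: no default-src, so any directive not listed is unrestricted")
    for directive in ("script-src", "style-src"):
        sources = {s.lower() for s in csp.get(directive, [])}
        for weak in sorted(sources & WEAK_SOURCES):
            findings.append(f"CSP: {directive} allows {weak}")
    return findings


if __name__ == "__main__":
    for label, headers in (("sample", SAMPLE_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"{label}:")
        for finding in check_headers(headers) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed sample, the script reports two things the configuration above leaves open: no Strict-Transport-Security header (the example does not call the builder's HSTS helper) and no default-src directive, so directives such as connect-src or object-src are unrestricted. The weak sample shows the checks firing on 'unsafe-inline' and '*' in script-src.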

When MVC is used, some of the header values can also be overridden per controller or action through the attributes available in Lib.AspNetCore.Mvc.Security.

Copyright © 2016 - 2023 Tomasz Pęczek