Security Headers

The main functionality of Lib.AspNetCore.Security is support for security headers configuration. The support comes in three ways:

• Header value classes
• HttpResponse extensions
• Middleware

Below table summarizes which options are available for specific headers.

Header	Header Value Class	HttpResponse Extension	Middleware
Clear-Site-Data	Yes	Yes	No
Content-Security-Policy(-Report-Only)	Yes	No	Yes
Expect-CT	Yes	Yes	Yes
Permissions-Policy	Yes	Yes	Yes
Referrer-Policy	Yes	Yes	Yes
Strict-Transport-Security	Yes	Yes	Yes
X-Content-Type-Options	No	Yes	Yes
X-Download-Options	No	Yes	Yes
X-Frame-Options	Yes	Yes	Yes
X-Permitted-Cross-Domain-Policies	Yes	Yes	Yes
X-XSS-Protection	Yes	Yes	Yes

Configuring security headers with middleware

To configure security headers for entire application add the middleware to request pipeline using the UseSecurityHeaders extension method. Note that the middleware must precede any defined endpoints in application that are supposed to be protected (for example before call to UseMvc).

The security headers can be configured when adding the middleware using the SecurityHeadersPolicyBuilder class by calling UseSecurityHeaders with a lambda which takes a SecurityHeadersPolicyBuilder as parameter.

public void Configure(IApplicationBuilder app)
{
    ...

    app.UseSecurityHeaders(builder =>
    {
        builder.WithCsp(
            fontSources: "fonts.gstatic.com",
            imageSources: ContentSecurityPolicyHeaderValue.SelfSource,
            scriptSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("cdnjs.cloudflare.com")
                .Build(),
            scriptInlineExecution: ContentSecurityPolicyInlineExecution.Hash,
            styleSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("fonts.googleapis.com")
                .Build(),
            styleInlineExecution: ContentSecurityPolicyInlineExecution.Hash
        )
        .WithDenyXFrameOptions()
        .WithBlockXssFiltering()
        .WithXContentTypeOptions()
        .WithXDownloadOptions()
        .WithReferrerPolicy(ReferrerPolicyDirectives.NoReferrer)
        .WithNoneXPermittedCrossDomainPolicies()
        .WithFeaturePolicy(new FeaturePolicy
        {
            Camera = new[] { "https://other.com" },
            Microphone = new [] { "https://other.com" }
        });
    });

    ...
}

There is also an option for overriding some of the headers values when MVC is being used through attributes available in Lib.AspNetCore.Mvc.Security.