Security Headers
The main functionality of Lib.AspNetCore.Security is support for security headers configuration. The support comes in three forms: strongly typed header value classes, HttpResponse extension methods that set a header on a single response, and middleware that applies a policy to every response of the application.
The table below summarizes which of those options are available for each header.
Header | Header Value Class | HttpResponse Extension | Middleware |
---|---|---|---|
Clear-Site-Data | Yes | Yes | No |
Content-Security-Policy(-Report-Only) | Yes | No | Yes |
Expect-CT | Yes | Yes | Yes |
Permissions-Policy | Yes | Yes | Yes |
Referrer-Policy | Yes | Yes | Yes |
Strict-Transport-Security | Yes | Yes | Yes |
X-Content-Type-Options | No | Yes | Yes |
X-Download-Options | No | Yes | Yes |
X-Frame-Options | Yes | Yes | Yes |
X-Permitted-Cross-Domain-Policies | Yes | Yes | Yes |
X-XSS-Protection | Yes | Yes | Yes |
Configuring security headers with middleware
To configure security headers for the entire application, add the middleware to the request pipeline using the UseSecurityHeaders extension method. The middleware must be registered before any endpoints that are supposed to be protected (for example, before the call to UseMvc or UseEndpoints): a matched endpoint terminates the pipeline, so middleware registered after it never runs and the headers are silently missing.
The headers are configured when the middleware is added: call UseSecurityHeaders with a lambda that takes a SecurityHeadersPolicyBuilder as its parameter.
```csharp
public void Configure(IApplicationBuilder app)
{
    ...
    app.UseSecurityHeaders(builder =>
    {
        // Content-Security-Policy: 'self' plus a CDN for scripts, Google Fonts for styles;
        // inline scripts and styles are only allowed when their hash is whitelisted.
        builder.WithCsp(
            fontSources: "fonts.gstatic.com",
            imageSources: ContentSecurityPolicyHeaderValue.SelfSource,
            scriptSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("cdnjs.cloudflare.com")
                .Build(),
            scriptInlineExecution: ContentSecurityPolicyInlineExecution.Hash,
            styleSources: (new ContentSecurityPolicySourceListBuilder())
                .WithSelfKeyword()
                .WithUrls("fonts.googleapis.com")
                .Build(),
            styleInlineExecution: ContentSecurityPolicyInlineExecution.Hash
        )
        .WithDenyXFrameOptions()
        .WithBlockXssFiltering()
        .WithXContentTypeOptions()
        .WithXDownloadOptions()
        .WithReferrerPolicy(ReferrerPolicyDirectives.NoReferrer)
        .WithNoneXPermittedCrossDomainPolicies()
        // Feature-Policy (the predecessor of Permissions-Policy): camera and microphone
        // are only allowed for https://other.com.
        .WithFeaturePolicy(new FeaturePolicy
        {
            Camera = new[] { "https://other.com" },
            Microphone = new[] { "https://other.com" }
        });
    });
    ...
}
```
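Because a wrongly ordered middleware fails silently, it is worth checking in-process that the configured headers actually reach the client. The following is an added example, not code from the Lib.AspNetCore.Security project: it boots a minimal pipeline with Microsoft.AspNetCore.TestHost, registers the middleware either before or after a terminal endpoint, and reports which expected headers are missing. The namespaces imported for the library's types, the "/" endpoint and the expected header values are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Lib.AspNetCore.Security;               // SecurityHeadersPolicyBuilder, ReferrerPolicyDirectives (namespace assumed)
using Lib.AspNetCore.Security.Http.Headers;  // ContentSecurityPolicy* types (namespace assumed)
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;

public static class SecurityHeadersSmokeTest
{
    // Header values the policy below should produce. These are the standard values
    // for the builder calls used; the list itself is an assumption of this example.
    private static readonly IReadOnlyDictionary<string, string> Expected = new Dictionary<string, string>
    {
        ["X-Frame-Options"] = "DENY",
        ["X-Content-Type-Options"] = "nosniff",
        ["Referrer-Policy"] = "no-referrer",
    };

    // Same builder calls as in the documentation example above, reduced to a few headers.
    private static void ConfigurePolicy(SecurityHeadersPolicyBuilder builder)
    {
        builder.WithCsp(
                scriptSources: ContentSecurityPolicyHeaderValue.SelfSource,
                scriptInlineExecution: ContentSecurityPolicyInlineExecution.Hash)
            .WithDenyXFrameOptions()
            .WithXContentTypeOptions()
            .WithReferrerPolicy(ReferrerPolicyDirectives.NoReferrer);
    }

    // headersFirst = true registers the middleware before the terminal endpoint (correct);
    // false registers it after the endpoint, the ordering mistake the docs warn about.
    private static TestServer BuildServer(bool headersFirst)
    {
        var host = new WebHostBuilder().Configure(app =>
        {
            if (headersFirst)
            {
                app.UseSecurityHeaders(builder => ConfigurePolicy(builder));
            }

            // Terminal endpoint standing in for UseMvc/UseEndpoints: it writes the response
            // and never invokes the rest of the pipeline, like a matched MVC route.
            app.Run(context => context.Response.WriteAsync("hello"));

            if (!headersFirst)
            {
                app.UseSecurityHeaders(builder => ConfigurePolicy(builder));
            }
        });

        return new TestServer(host);
    }

    // Sends one request through the in-memory server and returns the names of expected
    // headers that are absent or carry a different value.
    public static async Task<IReadOnlyList<string>> FindMissingHeadersAsync(bool headersFirst)
    {
        using TestServer server = BuildServer(headersFirst);
        using HttpClient client = server.CreateClient();
        using HttpResponseMessage response = await client.GetAsync("/");

        var missing = new List<string>();
        foreach (var (name, value) in Expected)
        {
            if (!response.Headers.TryGetValues(name, out var values) || !values.Contains(value))
            {
                missing.Add(name);
            }
        }
        return missing;
    }

    public static async Task Main()
    {
        IReadOnlyList<string> withCorrectOrder = await FindMissingHeadersAsync(headersFirst: true);
        IReadOnlyList<string> withWrongOrder = await FindMissingHeadersAsync(headersFirst: false);

        Console.WriteLine($"middleware before endpoint, missing headers: [{string.Join(", ", withCorrectOrder)}]");
        Console.WriteLine($"middleware after endpoint,  missing headers: [{string.Join(", ", withWrongOrder)}]");
    }
}
```

The second run exists only to make the ordering caveat visible: since app.Run never calls the next middleware, headers registered after it cannot be applied, which is exactly why UseSecurityHeaders has to precede UseMvc or UseEndpoints. The same FindMissingHeadersAsync check can be dropped into an integration test project so that a future reordering of the pipeline fails a build instead of shipping without headers.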
There is also an option for overriding some of the header values when MVC is used, through attributes available in Lib.AspNetCore.Mvc.Security.