How to add security headers to your ASP.NET Core
By FoxLearn 11/8/2024 11:29:04 PM 120
You can make a section in your web.config that looks something like this.
<configuration> <system.webServer> <httpProtocol> <customHeaders> <add name="Strict-Transport-Security" value="max-age=31536000"/> <add name="X-Content-Type-Options" value="nosniff"/> <add name="X-Xss-Protection" value="1; mode=block"/> <add name="X-Frame-Options" value="SAMEORIGIN"/> <add name="Content-Security-Policy" value="default-src https:; img-src * 'self' data: https:; style-src 'self' 'unsafe-inline' www.google.com platform.twitter.com cdn.syndication.twimg.com fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com cse.google.com cdn.syndication.twimg.com platform.twitter.com platform.instagram.com www.instagram.com cdn1.developermedia.com cdn2.developermedia.com apis.google.com www.googletagservices.com adservice.google.com securepubads.g.doubleclick.net ajax.aspnetcdn.com ssl.google-analytics.com az416426.vo.msecnd.net/;"/> <add name="Referrer-Policy" value="no-referrer-when-downgrade"/> <add name="Feature-Policy" value="geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';"/> <remove name="X-Powered-By" /> <remove name="X-AspNet-Version" /> <remove name="Server" /> </customHeaders> </httpProtocol> </configuration>
You can also use NWebsec to help you add security headers to ASP.NET Core by translating it to Startup.cs configure Pipeline like this:
app.UseHsts(options => options.MaxAge(days: 30)); app.UseXContentTypeOptions(); app.UseXXssProtection(options => options.EnabledWithBlockMode()); app.UseXfo(options => options.SameOrigin()); app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade()); app.UseCsp(options => options .DefaultSources(s => s.Self() .CustomSources("data:") .CustomSources("https:")) .StyleSources(s => s.Self() .CustomSources("cdn.datatables.net","cdnjs.cloudflare.com","cdn.jsdelivr.net","fonts.googleapis.com") .UnsafeInline() ) .ScriptSources(s => s.Self() .CustomSources("cdn.datatables.net","cdn.jsdelivr.net","www.googletagmanager.com","cdn.syndication.twimg.com","cdnjs.cloudflare.com") .UnsafeInline() .UnsafeEval() ) );
NWebSec is a popular open-source library designed to enhance the security of ASP.NET Core applications by providing middleware for automatically adding a wide range of HTTP security headers. These headers are essential for defending against various web security vulnerabilities, such as Cross-Site Scripting (XSS), clickjacking, and content injection.
NWebSec does not yet support the experimental HTTP header Feature-Policy
, which is used to declare server-side restrictions on certain browser features.
For example, you can use Feature-Policy
to prevent the use of the webcam or other client-side features, helping to protect your site from malicious scripts that might try to access these features.
Feature-Policy: camera 'none';
This would block the use of the webcam on your site, reducing the risk of exploitation by injected scripts.
You can add the Feature-Policy header to all responses as shown below.
//Feature-Policy app.Use(async (context, next) => { context.Response.Headers.Append("Feature-Policy", "xr-spatial-tracking 'none';wake-lock 'none';publickey-credentials-get 'none';picture-in-picture 'none';payment 'none';navigation-override 'none';execution-while-out-of-viewport 'none';execution-while-not-rendered 'none';encrypted-media 'none';document-domain 'none';display-capture 'none';autoplay 'none';ambient-light-sensor 'none';accelerometer 'none';geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';usb 'none'"); await next.Invoke(); });
- How to enable CORS in ASP.NET Core WebAPI
- How to fix 'DbContextOptionsBuilder' does not contain a definition for 'UseSqlServer'
- Unable to resolve service for type 'Microsoft.AspNetCore.Identity.RoleManager'
- HTTP Error 500.30 ASP.NET Core app failed to start
- How to Use IExceptionHandler in ASP.NET Core
- How to custom exception handling in ASP.NET Core
- How to create a custom AuthorizeAttribute in ASP.NET Core
- How to manually resolve a type using the ASP.NET Core MVC