```sh
dotnet add package PeterJuhasz.AspNetCore.Security.Extensions
```
Contains a set of extensions which help you make your web applications more secure.

Note: for ASP.NET Core 1.0 use package version `1.0.0`, otherwise for ASP.NET Core 2.0 use `2.0.0`.
Adds the `Content-Security-Policy`, `X-Content-Security-Policy` and `X-Webkit-CSP` headers to responses with content type `text/html`.

```csharp
app.UseContentSecurityPolicy(new CspOptions
{
    DefaultSrc = CspDirective.None,
    StyleSrc = StyleCspDirective.Self,
    ScriptSrc = ScriptCspDirective.Self
        .AddSource(new Uri("https://az416426.vo.msecnd.net/")), // Application Insights
    ImgSrc = CspDirective.Self
        .AddDataScheme(),
    FontSrc = CspDirective.Self,
    ConnectSrc = CspDirective.Empty
        .AddSource(new Uri("https://dc.services.visualstudio.com/")),
});
```
Adds the `Frame-Options` and `X-Frame-Options` headers to responses with content type `text/html`.

```csharp
app.UseFrameOptions(FrameOptionsPolicy.Deny);
```

If you want to enable displaying the page in a frame on a particular origin, you can set it like this:

```csharp
app.UseFrameOptions(new Uri("https://www.example.org"));
```
Adds the `Strict-Transport-Security` header to all responses.

```csharp
app.UseHttpStrictTransportSecurity();
```
Adds the `Public-Key-Pinning` header to all responses.

```csharp
app.UseHttpPublicKeyPinning(options => options
    .Pin(fingerprint1, HttpPublicKeyPinningHashAlgorithm.Sha256)
    .Pin(fingerprint2, HttpPublicKeyPinningHashAlgorithm.Sha256)
);
```
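The snippet above leaves `fingerprint1` and `fingerprint2` undefined. The following is an added example (not code from the package or its README) showing how those values are derived: an HPKP pin is the base64 of the SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo (RFC 7469), and the RFC requires a second pin for an offline backup key so that losing the deployed key does not lock clients out for the pin's lifetime. It assumes .NET Core 3.0 or later (for `ExportSubjectPublicKeyInfo`), that the package's extension methods live in the `Microsoft.AspNetCore.Builder` namespace, and uses placeholder certificate paths; `HpkpPins` and `UseHpkpFromCertificates` are names introduced here. Major browsers have since removed HPKP support, so treat this header as legacy rather than as a primary control.

```csharp
// Added example, not part of the library. Assumptions: .NET Core 3.0+ for
// ExportSubjectPublicKeyInfo; the package's extension methods are in
// Microsoft.AspNetCore.Builder (adjust the using if not); certificate paths
// passed in by the caller are placeholders.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;

public static class HpkpPins
{
    // RFC 7469 pin: base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ).
    // The hash covers the public key only, so the pin survives certificate
    // renewal as long as the same key pair is kept.
    public static string Sha256Pin(X509Certificate2 cert)
    {
        using (var rsa = cert.GetRSAPublicKey())
        using (var ecdsa = rsa == null ? cert.GetECDsaPublicKey() : null)
        {
            AsymmetricAlgorithm key = (AsymmetricAlgorithm)rsa ?? ecdsa;
            if (key == null)
                throw new NotSupportedException("Only RSA and ECDSA public keys are supported.");

            byte[] spki = key.ExportSubjectPublicKeyInfo();
            using (var sha256 = SHA256.Create())
                return Convert.ToBase64String(sha256.ComputeHash(spki));
        }
    }

    // Registers the header with one pin for the deployed key and one for a
    // backup key that is kept offline (RFC 7469 requires at least two pins).
    public static IApplicationBuilder UseHpkpFromCertificates(
        this IApplicationBuilder app, string leafCertPath, string backupCertPath)
    {
        // Paths are placeholders supplied by the caller, e.g. "leaf.cer" and "backup.cer".
        string fingerprint1 = Sha256Pin(new X509Certificate2(leafCertPath));
        string fingerprint2 = Sha256Pin(new X509Certificate2(backupCertPath));

        app.UseHttpPublicKeyPinning(options => options
            .Pin(fingerprint1, HttpPublicKeyPinningHashAlgorithm.Sha256)
            .Pin(fingerprint2, HttpPublicKeyPinningHashAlgorithm.Sha256));
        return app;
    }
}
```

Call it from `Configure` as `app.UseHpkpFromCertificates("leaf.cer", "backup.cer")`. Generate the backup key pair ahead of time, pin it, and store it offline; if you only pin the key currently in the chain, a key compromise or loss forces you to serve a certificate the browser will refuse until the pin expires.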
Restricts server-side redirects to trusted origins only.

```csharp
app.UseRedirectPolicy();
```

You can also specify the trusted origins:

```csharp
app.UseRedirectPolicy(allowedBaseUris: "https://www.example.org");
```
Adds the `Referrer-Policy` header to all responses.

```csharp
app.UseReferrerPolicy(ReferrerPolicy.SameOrigin);
```
Adds the `X-Content-Type-Options` header to all responses.

```csharp
app.UseXContentTypeOptions(XContentTypeOptions.NoSniff);
```
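Several of the middlewares above are scoped by content type (CSP and frame options only for `text/html`, `X-Content-Type-Options` for every response), which is easy to get wrong by registering them after a branch or endpoint. The following is an added integration test (not code from the package or its README) that pins that behaviour down with `TestServer`: an HTML endpoint and a JSON endpoint sit behind the same pipeline, and the assertions check which headers each one receives. It assumes xunit and `Microsoft.AspNetCore.TestHost` are referenced, that the package's extension methods live in the `Microsoft.AspNetCore.Builder` namespace, and that the library serialises the standard header values (`default-src 'none'`, `DENY`, `nosniff`); the endpoint paths and the `SecurityHeaderTests` class are introduced here.

```csharp
// Added example, not part of the library. Assumptions: xunit and
// Microsoft.AspNetCore.TestHost are referenced; the package's extension
// methods are in Microsoft.AspNetCore.Builder (adjust the using if not);
// header values follow the standard serialisation.
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Xunit;

public class SecurityHeaderTests
{
    // Security middlewares first, then two constructed endpoints that differ
    // only in the content type they return.
    private static TestServer BuildServer()
    {
        var host = new WebHostBuilder().Configure(app =>
        {
            app.UseContentSecurityPolicy(new CspOptions
            {
                DefaultSrc = CspDirective.None,
                ScriptSrc = ScriptCspDirective.Self,
                StyleSrc = StyleCspDirective.Self,
            });
            app.UseFrameOptions(FrameOptionsPolicy.Deny);
            app.UseXContentTypeOptions(XContentTypeOptions.NoSniff);

            app.Map("/page", b => b.Run(async ctx =>
            {
                ctx.Response.ContentType = "text/html"; // exactly the type the README names
                await ctx.Response.WriteAsync("<!doctype html><title>ok</title>");
            }));
            app.Map("/api", b => b.Run(async ctx =>
            {
                ctx.Response.ContentType = "application/json";
                await ctx.Response.WriteAsync("{\"ok\":true}");
            }));
        });
        return new TestServer(host);
    }

    // Response headers that are not content headers live on HttpResponseMessage.Headers.
    private static string Header(HttpResponseMessage response, string name)
        => response.Headers.TryGetValues(name, out var values) ? string.Join(",", values) : null;

    [Fact]
    public async Task HtmlResponse_GetsCspFrameOptionsAndNoSniff()
    {
        using (var server = BuildServer())
        using (var client = server.CreateClient())
        {
            var response = await client.GetAsync("/page");

            string csp = Header(response, "Content-Security-Policy");
            Assert.NotNull(csp);
            Assert.Contains("default-src 'none'", csp);
            Assert.Equal("DENY", Header(response, "X-Frame-Options"), ignoreCase: true);
            Assert.Equal("nosniff", Header(response, "X-Content-Type-Options"), ignoreCase: true);
        }
    }

    [Fact]
    public async Task JsonResponse_SkipsHtmlOnlyHeadersButKeepsNoSniff()
    {
        using (var server = BuildServer())
        using (var client = server.CreateClient())
        {
            var response = await client.GetAsync("/api");

            // CSP and frame options are documented as text/html only.
            Assert.Null(Header(response, "Content-Security-Policy"));
            Assert.Null(Header(response, "X-Frame-Options"));
            // X-Content-Type-Options is documented for all responses.
            Assert.Equal("nosniff", Header(response, "X-Content-Type-Options"), ignoreCase: true);
        }
    }
}
```

Run it with `dotnet test`. The same pattern extends to the other middlewares on this page: add a `[Fact]` per header, and the test fails the moment someone reorders `Configure` so that a branch or static-file handler short-circuits the pipeline before the headers are applied.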
Adds the `X-Download-Options` header to each file download.

```csharp
app.UseXDownloadOptions(XDownloadOptions.NoOpen);
```
Adds the `X-Permitted-Cross-Domain-Policies` header to all responses.

```csharp
app.UseXPermittedCrossDomainPolicies(PermittedCrossDomainPolicy.None);
```
Adds the `X-Robots-Tag` header to all responses.

```csharp
app.UseXRobotsTag(noIndex: true, noFollow: true);
```
Adds the `X-UA-Compatible` header to each response with `text/html` media type.

```csharp
app.UseXUACompatible(InternetExplorerCompatibiltyMode.Edge);
```
Adds the `X-XSS-Protection` header to each response with `text/html` media type. The default setting enables protection and sets it to `block` mode.

```csharp
app.UseXXSSProtection();
```