        /// <summary>
        /// Add a Strict-Transport-Security header, built from the supplied directives, to all HTTPS requests.
        /// The user-agent caches the host in its STS list for <paramref name="maxAgeInSeconds"/> seconds.
        /// </summary>
        /// <param name="policies">The collection of policies</param>
        /// <param name="maxAgeInSeconds">The maximum number of seconds to cache the domain. The value is written into the header as-is; it is not range-checked here.</param>
        /// <param name="includeSubdomains">If true, appends the includeSubDomains directive so sub-domains are covered by the policy too</param>
        /// <param name="preload">If true, appends the preload directive to request inclusion in the HSTS preload list.
        /// WARNING: Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains if you find you need to switch back to HTTP.</param>
        /// <param name="excludedHosts">A collection of host names that will not add the HSTS header</param>
        /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
        public static HeaderPolicyCollection AddStrictTransportSecurity(this HeaderPolicyCollection policies, int maxAgeInSeconds, bool includeSubdomains, bool preload, params string[] excludedHosts)
        {
            // Assemble the directive list in header order: max-age first, then the optional flags.
            var headerValue = $"max-age={maxAgeInSeconds}";
            if (includeSubdomains)
            {
                headerValue += "; includeSubDomains";
            }
            if (preload)
            {
                headerValue += "; preload";
            }

            return policies.ApplyPolicy(new StrictTransportSecurityHeader(headerValue, excludedHosts));
        }
        /// <summary>
        /// Add an Expect-CT header (max-age=<paramref name="maxAgeInSeconds"/> plus optional directives) to all HTTPS requests.
        /// Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.
        /// Tells the user-agent to cache the domain in the Expect-CT list for the number of seconds provided.
        /// </summary>
        /// <param name="policies">The collection of policies</param>
        /// <param name="maxAgeInSeconds">Specifies the number of seconds after reception of the Expect-CT header field during
        /// which the user agent should regard the host from whom the message was received as a known Expect-CT host.</param>
        /// <param name="reportUri">Specifies the URI to which the user agent should report Expect-CT failures.
        /// When null or empty the report-uri directive is omitted entirely.</param>
        /// <param name="enforce">If true, signals to the user agent that compliance with the Certificate Transparency policy should be enforced
        /// (rather than only reporting compliance) and that the user agent should refuse future connections that violate its
        /// Certificate Transparency policy.</param>
        /// <param name="excludedHosts">A collection of host names that will not add the Expect-CT header</param>
        /// <remarks>When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling
        /// to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.</remarks>
        /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
        public static HeaderPolicyCollection AddExpectCT(
            this HeaderPolicyCollection policies, int maxAgeInSeconds, string reportUri, bool enforce, params string[] excludedHosts)
        {
            var headerValue = $"max-age={maxAgeInSeconds}";
            if (enforce)
            {
                headerValue += ", enforce";
            }
            // The report URI is wrapped in double quotes but not otherwise escaped, so a value
            // containing '"' would break the header syntax; validating it is the caller's job.
            if (!string.IsNullOrEmpty(reportUri))
            {
                headerValue += $", report-uri=\"{reportUri}\"";
            }

            return policies.ApplyPolicy(new ExpectCTHeader(headerValue, excludedHosts));
        }
        /// <summary>
        /// Add a custom header to all requests
        /// </summary>
        /// <param name="policies">The collection of policies</param>
        /// <param name="header">The name of the header to add; must not be null or empty</param>
        /// <param name="value">The value to set for the given header. It is passed through unchanged; no validation is applied here.</param>
        /// <returns>The <see cref="HeaderPolicyCollection" /> for method chaining</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="header"/> is null or empty</exception>
        public static HeaderPolicyCollection AddCustomHeader(this HeaderPolicyCollection policies, string header, string value)
        {
            // An empty header name is rejected the same way as a null one.
            if (!string.IsNullOrEmpty(header))
            {
                return policies.ApplyPolicy(new CustomHeader(header, value));
            }

            throw new ArgumentNullException(nameof(header));
        }
 /// <summary>
 /// Add Strict-Transport-Security max-age=<paramref name="maxAge"/>; includeSubDomains to all requests.
 /// The user-agent caches the host in its STS list for <paramref name="maxAge"/> seconds and applies the policy to sub-domains as well.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="maxAge">The maximum number of seconds to cache the domain; defaults to <see cref="StrictTransportSecurityHeader.OneYearInSeconds"/></param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddStrictTransportSecurityMaxAgeIncludeSubDomains(this HeaderPolicyCollection policies, int maxAge = StrictTransportSecurityHeader.OneYearInSeconds)
 {
     var hstsHeader = StrictTransportSecurityHeader.MaxAgeIncludeSubdomains(maxAge);
     return policies.ApplyPolicy(hstsHeader);
 }
 /// <summary>
 /// Add Strict-Transport-Security max-age=0 to all requests.
 /// Tells the user-agent to remove the host from its STS cache, or never to cache it.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddStrictTransportSecurityNoCache(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(StrictTransportSecurityHeader.NoCache());
 /// <summary>
 /// Add Referrer-Policy origin to all requests.
 /// The browser will always set the referrer header to the origin from which the request was made,
 /// stripping any path information from the referrer.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyOrigin(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new ReferrerPolicyHeader("origin"));
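 /// <summary>
 /// Add X-XSS-Protection 1; report=<paramref name="reportUrl"/> to all requests.
 /// A partially supported directive that tells the user-agent to report potential XSS attacks to a single URL. Data will be POST'd to the report URL in JSON format.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="reportUrl">The url to report potential XSS attacks to. It is written into the header value unchanged.</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddXssProtectionReport(this HeaderPolicyCollection policies, string reportUrl)
 {
     // The report URL must end up in the header; applying the generic Block() policy silently dropped it.
     return policies.ApplyPolicy(new XssProtectionHeader($"1; report={reportUrl}"));
 }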
 /// <summary>
 /// Add Referrer-Policy unsafe-url to all requests.
 /// The browser will always send the full URL with any request to any origin, including on HTTPS-to-HTTP downgrades.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyUnsafeUrl(this HeaderPolicyCollection policies)
 {
     var referrerHeader = new ReferrerPolicyHeader("unsafe-url");
     return policies.ApplyPolicy(referrerHeader);
 }
 /// <summary>
 /// Add Referrer-Policy no-referrer to all requests.
 /// Instructs the browser never to send the referrer header with requests made from your site,
 /// including links to pages on your own site.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyNoReferrer(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new ReferrerPolicyHeader("no-referrer"));
 /// <summary>
 /// Add X-XSS-Protection 0 to all requests.
 /// Disables the XSS protections offered by the user-agent.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddXssProtectionDisabled(this HeaderPolicyCollection policies)
 {
     var disabledHeader = new XssProtectionHeader("0");
     return policies.ApplyPolicy(disabledHeader);
 }
 /// <summary>
 /// Add X-XSS-Protection 1; report=<paramref name="reportUrl"/> to all requests.
 /// A partially supported directive that tells the user-agent to report potential XSS attacks to a single URL. Data will be POST'd to the report URL in JSON format.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="reportUrl">The url to report potential XSS attacks to. It is written into the header value unchanged.</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddXssProtectionReport(this HeaderPolicyCollection policies, string reportUrl)
 {
     var headerValue = $"1; report={reportUrl}";
     return policies.ApplyPolicy(new XssProtectionHeader(headerValue));
 }
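 /// <summary>
 /// Add a custom header to all requests
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="header">The name of the header to add; must not be null or empty</param>
 /// <param name="value">The value to set for the given header. It is passed through unchanged; whether
 /// control characters in it are rejected depends on <see cref="CustomHeader"/> and the host — confirm before relying on it.</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 /// <exception cref="ArgumentNullException">Thrown when <paramref name="header"/> is null or empty</exception>
 public static HeaderPolicyCollection AddCustomHeader(this HeaderPolicyCollection policies, string header, string value)
 {
     // Reject a missing header name up front instead of registering a nameless header;
     // this mirrors the validation the other AddCustomHeader overload in this file performs.
     if (string.IsNullOrEmpty(header))
     {
         throw new ArgumentNullException(nameof(header));
     }

     return policies.ApplyPolicy(new CustomHeader(header, value));
 }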
 /// <summary>
 /// Add X-Content-Type-Options nosniff to all requests.
 /// Disables content sniffing, which protects against MIME type confusion attacks.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddContentTypeOptionsNoSniff(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new XContentTypeOptionsHeader("nosniff"));
 /// <summary>
 /// Add a Cross-Origin-Opener-Policy header to all requests
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="configure">Configure the COOP</param>
 /// <param name="asReportOnly">If true, the COOP header is added as "Cross-Origin-Opener-Policy-Report-Only". If false, it's set to "Cross-Origin-Opener-Policy".</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddCrossOriginOpenerPolicy(this HeaderPolicyCollection policies, Action<CrossOriginOpenerPolicyBuilder> configure, bool asReportOnly = false)
 {
     var coopHeader = CrossOriginOpenerPolicyHeader.Build(configure, asReportOnly);
     return policies.ApplyPolicy(coopHeader);
 }
 /// <summary>
 /// Add Referrer-Policy unsafe-url to all requests.
 /// The browser will always send the full URL with any request to any origin.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyUnsafeUrl(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(ReferrerPolicyHeader.UnsafeUrl());
 /// <summary>
 /// Add Referrer-Policy strict-origin-when-cross-origin to all requests.
 /// The browser sends the full URL on same-origin requests but only the origin on cross-origin
 /// requests, and nothing at all on a scheme downgrade (i.e. HTTPS to HTTP).
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyStrictOriginWhenCrossOrigin(this HeaderPolicyCollection policies)
 {
     var referrerHeader = ReferrerPolicyHeader.StrictOriginWhenCrossOrigin();
     return policies.ApplyPolicy(referrerHeader);
 }
 /// <summary>
 /// Add Referrer-Policy same-origin to all requests.
 /// The browser will only set the referrer header on requests to the same origin;
 /// cross-origin destinations receive no referrer information.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicySameOrigin(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(ReferrerPolicyHeader.SameOrigin());
 /// <summary>
 /// Add Referrer-Policy no-referrer-when-downgrade to all requests.
 /// The browser will not send the referrer header when navigating from HTTPS to HTTP,
 /// but will always send the full URL in the referrer header when navigating
 /// from HTTP to any origin.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyNoReferrerWhenDowngrade(this HeaderPolicyCollection policies)
 {
     var referrerHeader = ReferrerPolicyHeader.NoReferrerWhenDowngrade();
     return policies.ApplyPolicy(referrerHeader);
 }
 /// <summary>
 /// Add a Feature-Policy header to all requests
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="configure">Configure the Feature-Policy</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddFeaturePolicy(this HeaderPolicyCollection policies, Action<FeaturePolicyBuilder> configure)
     => policies.ApplyPolicy(FeaturePolicyHeader.Build(configure));
 /// <summary>
 /// Removes the Server header from all responses, so the host software is not advertised to clients.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection RemoveServerHeader(this HeaderPolicyCollection policies)
 {
     // A null value is how ServerHeader expresses "remove" rather than "set".
     var removal = new ServerHeader(null);
     return policies.ApplyPolicy(removal);
 }
 /// <summary>
 /// Add X-XSS-Protection 1; mode=block to all requests.
 /// Enables XSS protections and instructs the user-agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddXssProtectionBlock(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new XssProtectionHeader("1; mode=block"));
 /// <summary>
 /// Add X-Frame-Options DENY to all requests.
 /// The page cannot be displayed in a frame, regardless of the site attempting to do so.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddFrameOptionsDeny(this HeaderPolicyCollection policies)
 {
     var denyHeader = new XFrameOptionsHeader("DENY");
     return policies.ApplyPolicy(denyHeader);
 }
 /// <summary>
 /// Add a Content-Security-Policy-Report-Only header to all requests.
 /// Violations are reported but not enforced, which is the usual way to trial a policy before switching to the enforcing header.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="configure">Configure the CSP</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddContentSecurityPolicyReportOnly(this HeaderPolicyCollection policies, Action<CspBuilder> configure)
 {
     var reportOnlyHeader = ContentSecurityPolicyHeader.Build(configure, asReportOnly: true);
     return policies.ApplyPolicy(reportOnlyHeader);
 }
 /// <summary>
 /// Add X-Frame-Options SAMEORIGIN to all requests.
 /// The page can only be displayed in a frame on the same origin as the page itself.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddFrameOptionsSameOrigin(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new XFrameOptionsHeader("SAMEORIGIN"));
 /// <summary>
 /// Add an empty Referrer-Policy header to all requests.
 /// Indicates that the site doesn't want to set a Referrer Policy here and the browser
 /// should fall back to a Referrer Policy defined via other mechanisms elsewhere.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyNone(this HeaderPolicyCollection policies)
 {
     // The empty string is the "no policy" value for this header.
     var emptyPolicy = new ReferrerPolicyHeader(string.Empty);
     return policies.ApplyPolicy(emptyPolicy);
 }
 /// <summary>
 /// Add X-Frame-Options ALLOW-FROM {uri} to all requests, where the uri is provided.
 /// The page can only be displayed in a frame on the specified origin.
 /// Despite the method name, this overload emits ALLOW-FROM, not SAMEORIGIN.
 /// ALLOW-FROM is obsolete and ignored by current browsers; the CSP frame-ancestors directive is the supported replacement.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="uri">The uri of the origin in which the page may be displayed in a frame. It is written into the header value unchanged.</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddFrameOptionsSameOrigin(this HeaderPolicyCollection policies, string uri)
 {
     var headerValue = $"ALLOW-FROM {uri}";
     return policies.ApplyPolicy(new XFrameOptionsHeader(headerValue));
 }
 /// <summary>
 /// Add Referrer-Policy no-referrer-when-downgrade to all requests.
 /// The browser will not send the referrer header when navigating from HTTPS to HTTP,
 /// but will always send the full URL in the referrer header when navigating
 /// from HTTP to any origin.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyNoReferrerWhenDowngrade(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new ReferrerPolicyHeader("no-referrer-when-downgrade"));
 /// <summary>
 /// Add a Cross-Origin-Embedder-Policy-Report-Only header to all requests.
 /// Violations are reported but not enforced.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <param name="configure">Configure the COEP</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddCrossOriginEmbedderPolicyReportOnly(this HeaderPolicyCollection policies, Action<CrossOriginEmbedderPolicyBuilder> configure)
     => policies.ApplyPolicy(CrossOriginEmbedderPolicyHeader.Build(configure, asReportOnly: true));
 /// <summary>
 /// Add Referrer-Policy strict-origin-when-cross-origin to all requests.
 /// The browser sends the full URL on same-origin requests but only the origin on cross-origin
 /// requests, and nothing at all on a scheme downgrade (i.e. HTTPS to HTTP).
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddReferrerPolicyStrictOriginWhenCrossOrigin(this HeaderPolicyCollection policies)
     => policies.ApplyPolicy(new ReferrerPolicyHeader("strict-origin-when-cross-origin"));
 /// <summary>
 /// Add X-XSS-Protection 1; mode=block to all requests.
 /// Enables XSS protections and instructs the user-agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
 /// </summary>
 /// <param name="policies">The collection of policies</param>
 /// <returns>The <see cref="HeaderPolicyCollection"/> for method chaining</returns>
 public static HeaderPolicyCollection AddXssProtectionBlock(this HeaderPolicyCollection policies)
 {
     var blockHeader = XssProtectionHeader.Block();
     return policies.ApplyPolicy(blockHeader);
 }