public static void ConfigureSecurity(this IApplicationBuilder app) { #region X-Frame Options app.AddXFrameOptionHeader(); app.AddXFrameOptionHeader(new XFrameOptionsModel() { XFrameOption = XFrameOptionsValues.AllowFrom, Url = "your url" }); app.AddXFrameOptionHeader(new XFrameOptionsModel() { XFrameOption = XFrameOptionsValues.SameOrigin, }); #endregion #region Referrer Policies app.AddReferrerPolicyHeader(); app.AddReferrerPolicyHeader(ReferrerPolicy.NoReferrerWhenDowngrade); #endregion #region Strict transport security app.AddStrictTransportSecurityHeader(); app.AddStrictTransportSecurityHeader(new StrictTransportSecurity() { MaxAge = 1, IncludeSubDomains = true, Preload = true }); #endregion #region XSS Protection app.AddXssProtectionHeader(); app.AddXssProtectionHeader(new XssProtectionModel() { Block = true, EnableXssFiltering = true, }); app.AddXssProtectionHeader(new XssProtectionModel() { ReportUri = "", EnableXssFiltering = true, }); #endregion #region Content type options app.AddContentTypeOptionHeader(); #endregion #region Expect certificate transparency app.AddExpectCertificateTransparencyHeader(); app.AddExpectCertificateTransparencyHeader(new ExpectCertificateTransparency() { MaxAge = 10, Enforce = true, ReportUrl = "abc.com" }); #endregion #region Permitted cross domain policy header app.AddPermittedCrossDomainPolicyHeader(); app.AddPermittedCrossDomainPolicyHeader(PermittedCrossDomainPolicy.All); #endregion #region Permissions policy header app.AddPermissionPolicyHeader(x => x.ConfigureCamera().AllowSelf()); #endregion #region Custom header app.AddCustomHeader("header key", "header value"); #endregion #region Content Security Policy app.AddContentSecurityPolicyHeader(x => { x.AddScripts() .AllowInline() .AllowSelf(); x.AddAlways(); x.AddFrames().DenyAll(); x.AddImages().DenyAll(); x.AddMedia().DenyAll(); x.AddStylesheets() .AllowInline() .AllowSelf(); x.AddConnect() .AllowSelf(); }); #endregion #region X-Powered By app.AddPoweredByHeader(x => x.SetValue("").Remove()); #endregion }