Skip to content
/ Vecc.WebSecurity Public

Easy implementation of a bunch of anti cross site scripting headers for asp.net

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

veccsolutions/Vecc.WebSecurity

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits

src

src

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

Vecc.WebSecurity

Easy implementation of a bunch of anti cross site scripting headers for asp.net

Simply add a reference to the library, a few lines to global.asax.cs and thats about it. The example site in here shows it all along with a little, albeit quirky, playground to test and see what the different settings will do.

I will leave it up to you to figure out what browsers supports what as that changes frequently. But, Internet Explorer doesn't seem to do anything with content-security-policy header or the x-strict-transport-security header. Chrome works with them all though.

As I learn more about not-out-of-the-box security controls like the following, I will update this library to make them easy to implement.

Curent Features

###Library

  • Each "policy" is easily enabled and disabled. They all have a bool option, Enabled.
  • There is a main Security class, that contains all of the "policies". Makes it so you only call one method to apply them all.
  • Absolutely no dependencies on 3rd party libraries.
  • MIT License, security should be easy for everyone.

###x-strict-transport-security Current browser support: http://caniuse.com/#feat=stricttransportsecurity

  • Allows auto redirect to https if on http
  • Adds header only if https
  • Customizable way of determining http/https (usually for ssl offloaders/load balancers)
  • Customizable way of determining absolute url (usually for ssl offloaders/load balancers)
  • Defaults to using the easy .net way of determining the http/https/absolute urls.
  • Easy to access maxcache for length of browser to cache

###content-security-policy Current browser support: http://caniuse.com/#feat=contentsecuritypolicy

  • Includes current 1.0 spec's directives
  • Can add custom directives (though they will probably never get used)
  • Prebuilt sources, 'self', https:, 'none', 'inline-eval' etc.
  • Predefined, quickly usable defaults. Currently Https only, None and Self.
  • Easy to add custom urls with the Domains property (it's an ICollection)
  • Report only mode
  • Violation report framework is there (simple interface and class)
  • Example site has an implementation of an HttpHandler that will write the violation to the debugger.
  • Logger implementation is really easy, single method, can go to wherever you want.

###x-xss-protection Current browser support: (As of the time of this writing, IE, Chrome and Safari supported it, Firefox was not.)

  • Allows predefined and valid values, Disabled, Enabled, Enabled and block

Implementation

  • Add a reference to built library (Vecc.WebSecurity.dll)
  • In your web site, open up global.asax
  • Add a new member, I made mine public static so the rest of the app could use it easily.
public static readonly Security SecurityManager = new Security();
  • If you don't already have it, add the Application_BeginRequest method and add call SecurityManager.Apply(Context). Mine looks like this:
protected void Application_BeginRequest(object sender, EventArgs e)
{
    SecurityManager.Apply(this.Context);
}

About

Easy implementation of a bunch of anti cross site scripting headers for asp.net

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published