Joonasw.AspNetCore.SecurityHeaders
2.6.0
See the version list below for details.
dotnet add package Joonasw.AspNetCore.SecurityHeaders --version 2.6.0
NuGet\Install-Package Joonasw.AspNetCore.SecurityHeaders -Version 2.6.0
<PackageReference Include="Joonasw.AspNetCore.SecurityHeaders" Version="2.6.0" />
paket add Joonasw.AspNetCore.SecurityHeaders --version 2.6.0
#r "nuget: Joonasw.AspNetCore.SecurityHeaders, 2.6.0"
// Install Joonasw.AspNetCore.SecurityHeaders as a Cake Addin #addin nuget:?package=Joonasw.AspNetCore.SecurityHeaders&version=2.6.0 // Install Joonasw.AspNetCore.SecurityHeaders as a Cake Tool #tool nuget:?package=Joonasw.AspNetCore.SecurityHeaders&version=2.6.0
Add CSP, HSTS or HPKP headers to an ASP.NET Core app
This library allows you to add Content Security Policy, Strict Transport Security and Public Key Pin headers via middleware.
You can get the library from NuGet: https://www.nuget.org/packages/Joonasw.AspNetCore.SecurityHeaders
Example configuration
// Enable Strict Transport Security with a 30-day caching period
// Do not include subdomains
// Do not allow preload
app.UseHsts(new HstsOptions(TimeSpan.FromDays(30), includeSubDomains: false, preload: false));
// Use certificate pinning with:
// - 30-day caching period
// - One pin in SHA-256 form
// - Report-Only = Invalid certificate should not be reported, but:
// - Report problems to /hpkp-report
app.UseHpkp(hpkp =>
{
hpkp.UseMaxAgeSeconds(30 * 24 * 60 * 60)
.AddSha256Pin("nrmpk4ZI3wbRBmUZIT5aKAgP0LlKHRgfA2Snjzeg9iY=")
.SetReportOnly()
.ReportViolationsTo("/hpkp-report");
});
// Content Security Policy
app.UseCsp(csp =>
{
// If nothing is mentioned for a resource class, allow from this domain
csp.ByDefaultAllow
.FromSelf();
// Allow JavaScript from:
csp.AllowScripts
.FromSelf() //This domain
.From("localhost:1591") //These two domains
.From("ajax.aspnetcdn.com");
// CSS allowed from:
csp.AllowStyles
.FromSelf()
.From("ajax.aspnetcdn.com");
csp.AllowImages
.FromSelf();
// HTML5 audio and video elemented sources can be from:
csp.AllowAudioAndVideo
.FromNowhere();
// Contained iframes can be sourced from:
csp.AllowFrames
.FromNowhere(); //Nowhere, no iframes allowed
// Allow AJAX, WebSocket and EventSource connections to:
csp.AllowConnections
.To("ws://localhost:1591")
.To("http://localhost:1591")
.ToSelf();
// Allow fonts to be downloaded from:
csp.AllowFonts
.FromSelf()
.From("ajax.aspnetcdn.com");
// Allow object, embed, and applet sources from:
csp.AllowPlugins
.FromNowhere();
// Allow other sites to put this in an iframe?
csp.AllowFraming
.FromNowhere(); // Block framing on other sites, equivalent to X-Frame-Options: DENY
// Do not block violations, only report
// This is a good idea while testing your CSP
// Remove it when you know everything will work
csp.SetReportOnly();
// Where should the violation reports be sent to?
csp.ReportViolationsTo("/csp-report");
// Do not include the CSP header for requests to the /api endpoints
csp.OnSendingHeader = context =>
{
context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/api");
return Task.CompletedTask;
};
});
Content Security Policy can be quite daunting. Here is a nice page to find out what the options do: https://content-security-policy.com/
For violation reports, I recommend using Scott Helme's Report URI service at https://report-uri.io/.
Nonces
CSP allows you to also specify a nonce value, which makes it easier to have inline script and style elements like this on a page:
<head>
<script>
console.log("Hello");
</script>
<style>
h1 {
color: red;
}
</style>
</head>
To allow them without nonces, you might have to use the unsafe-inline option.
Instead of doing that, we can add the following service in Startup
:
public void ConfigureServices(IServiceCollection services)
{
// ... other service registrations
// Add services necessary for nonces in CSP, 32-byte nonces
services.AddCsp(nonceByteAmount: 32);
}
Then you need to modify your CSP definition to include the nonce:
csp.AllowScripts
.FromSelf()
.From("localhost:1591")
.From("ajax.aspnetcdn.com")
.AddNonce(); //<----
csp.AllowStyles
.FromSelf()
.From("ajax.aspnetcdn.com")
.AddNonce(); //<-----
Then to use the nonce tag helper, we need to import it in _ViewImports.cshtml:
@addTagHelper *, Joonasw.AspNetCore.SecurityHeaders
Then we just need to use it in the Razor view:
<head>
<script asp-add-nonce="true">
console.log("Hello");
</script>
<style asp-add-nonce="true">
h1 {
color: red;
}
</style>
</head>
Now a unique nonce is generated every request and inserted into the CSP header + the elements you want.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp1.0 was computed. netcoreapp1.1 was computed. netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard1.5 is compatible. netstandard1.6 was computed. netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen30 was computed. tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 1.5
- Microsoft.AspNetCore.Http.Abstractions (>= 1.0.0)
- Microsoft.AspNetCore.Razor.Runtime (>= 1.0.0)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 1.1.1)
- Microsoft.Extensions.Options (>= 1.1.2)
- NETStandard.Library (>= 1.6.1)
- System.ValueTuple (>= 4.4.0)
-
.NETStandard 2.0
- Microsoft.AspNetCore.Http.Abstractions (>= 2.0.1)
- Microsoft.AspNetCore.Razor.Runtime (>= 2.0.1)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 2.0.0)
- Microsoft.Extensions.Options (>= 2.0.0)
- System.ValueTuple (>= 4.4.0)
NuGet packages (5)
Showing the top 5 NuGet packages that depend on Joonasw.AspNetCore.SecurityHeaders:
Package | Downloads |
---|---|
IIR.RazorComponents.USWDS
IIR's U.S. Web Design System (USWDS) Components for .NET 6 and Razor Pages |
|
IIR.SecurityHeaders.Core
A collection of middleware and methods for helping secure the headers for websites in .NET 6. |
|
Peppermint.AspNetCore.SecurityHeaders.Addons
Addons permissions-policy to aspnetcore-security-headers library. |
|
RezisFramework
Package Description |
|
DenevCloud.AspNetCore.Services.Security
Easy to use and simple ASP.NET Core services for hardening and securing your web applications or APIs. Examples and Github repo coming soon. |
GitHub repositories (1)
Showing the top 1 popular GitHub repositories that depend on Joonasw.AspNetCore.SecurityHeaders:
Repository | Stars |
---|---|
exceptionless/Exceptionless
Exceptionless application
|
Version | Downloads | Last updated |
---|---|---|
5.0.0 | 513,314 | 9/13/2023 |
4.0.1 | 679,462 | 3/3/2022 |
3.0.0 | 1,036,221 | 10/24/2019 |
2.9.0 | 98,363 | 6/21/2019 |
2.8.1 | 101,533 | 1/1/2019 |
2.8.0 | 713 | 1/1/2019 |
2.7.0 | 77,420 | 8/11/2018 |
2.6.0 | 35,415 | 5/27/2018 |
2.5.1 | 4,427 | 5/1/2018 |
2.5.0 | 2,982 | 4/14/2018 |
2.4.1 | 1,115 | 4/14/2018 |
2.4.0 | 22,307 | 1/21/2018 |
2.3.0 | 2,077 | 1/6/2018 |
2.2.0 | 9,812 | 11/20/2017 |
2.1.0 | 7,800 | 10/29/2017 |
2.0.0 | 3,084 | 9/30/2017 |
1.1.2 | 14,891 | 7/14/2017 |
1.1.0 | 1,759 | 5/17/2017 |
1.0.1 | 3,762 | 1/23/2017 |
1.0.0 | 5,299 | 1/22/2017 |
Added support for strict-dynamic in CSPs.
No longer adding HSTS and HPKP headers if they are already in the response headers.