Install the AdamBarclay.AspNetCore.SecurityHeaders NuGet package:

```powershell
Install-Package AdamBarclay.AspNetCore.SecurityHeaders
```

To include the security headers middleware in the ASP.NET Core pipeline, during application configuration include:

```csharp
using AdamBarclay.AspNetCore.SecurityHeaders;
```

and call:
```csharp
app.UseSecurityHeaders()
```

Register the middleware early in the pipeline, before UseStaticFiles() and endpoint routing, so that every response the application produces, including static files, carries the headers.

Calling app.UseSecurityHeaders() with no arguments is equivalent to calling:

```csharp
app.UseSecurityHeaders(
    c =>
    {
        c.ContentSecurityPolicy(o =>
        {
            o.ConfigureDefault().Self();
            o.ConfigureObject().None();
            o.ConfigureDirective("frame-ancestors").None();
        });
        c.FrameOptions(o => o.Deny());
        c.ReferrerPolicy(o => o.StrictOriginWhenCrossOrigin());
        c.StrictTransportSecurity(o => o.MaxAge(TimeSpan.FromDays(365)).IncludeSubdomains());
    });
```

By default, all of the security headers are included. To disable any of the headers, call Disable() on that header's configuration builder:
```csharp
app.UseSecurityHeaders(
    c =>
    {
        c.ContentSecurityPolicy(o => o.Disable());
        c.ContentTypeOptions(o => o.Disable());
        c.FrameOptions(o => o.Disable());
        c.ReferrerPolicy(o => o.Disable());
        c.StrictTransportSecurity(o => o.Disable());
    });
```

The default value for content-security-policy is `default-src 'self';frame-ancestors 'none';object-src 'none'`.
The default value for x-content-type-options is `nosniff`. No other values can be configured.

The default value for x-frame-options is `deny`. Use the FrameOptions() configuration builder to configure the value.

Call Deny() to set the value to `deny`:

```csharp
app.UseSecurityHeaders(c => c.FrameOptions(o => o.Deny()));
```

Call SameOrigin() to set the value to `sameorigin`:

```csharp
app.UseSecurityHeaders(c => c.FrameOptions(o => o.SameOrigin()));
```

Note that browsers which support the CSP `frame-ancestors` directive ignore x-frame-options when both are present, so switching to SameOrigin() while the default policy still says `frame-ancestors 'none'` leaves framing blocked. If same-origin framing is intended, adjust the `frame-ancestors` directive through ConfigureDirective("frame-ancestors") as well so the two headers agree.

The default value for referrer-policy is `strict-origin-when-cross-origin`.

The default value for strict-transport-security is `max-age=31536000;includeSubdomains`. Browsers only honour this header when it arrives over HTTPS, and with `includeSubdomains` the one-year max-age applies to every subdomain of the host, so confirm that all subdomains are served over HTTPS before deploying it.
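The following is an added example and not code from the package's README or source. It wires the middleware into a minimal .NET 6+ application with the default configuration shown above, then uses Microsoft.AspNetCore.TestHost (an assumption of this example, not a dependency of the package) to send one in-process request and check that each documented header is present with the documented value. The TestServer client is pointed at an https base address so that the request counts as secure for the strict-transport-security check.

```csharp
// Added example, not part of the AdamBarclay.AspNetCore.SecurityHeaders project.
// Assumed packages: AdamBarclay.AspNetCore.SecurityHeaders and
// Microsoft.AspNetCore.TestHost (the latter is an assumption of this example).
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using AdamBarclay.AspNetCore.SecurityHeaders;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.UseTestServer(); // in-process server; no sockets are opened

var app = builder.Build();

// Register the security headers first so every response produced later in
// the pipeline (static files, endpoints, error pages) carries them.
app.UseSecurityHeaders(c =>
{
    c.ContentSecurityPolicy(o =>
    {
        o.ConfigureDefault().Self();
        o.ConfigureObject().None();
        o.ConfigureDirective("frame-ancestors").None();
    });
    c.FrameOptions(o => o.Deny());
    c.ReferrerPolicy(o => o.StrictOriginWhenCrossOrigin());
    c.StrictTransportSecurity(o => o.MaxAge(TimeSpan.FromDays(365)).IncludeSubdomains());
});

app.MapGet("/", () => "hello");

await app.StartAsync();

// The header values the README documents as defaults.
var expected = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
    ["content-security-policy"] = "default-src 'self';frame-ancestors 'none';object-src 'none'",
    ["x-content-type-options"] = "nosniff",
    ["x-frame-options"] = "deny",
    ["referrer-policy"] = "strict-origin-when-cross-origin",
    ["strict-transport-security"] = "max-age=31536000;includeSubdomains",
};

using HttpClient client = app.GetTestClient();
// Use an https scheme so the request is treated as secure; TestServer sets
// HttpContext.Request.Scheme from the request URI.
client.BaseAddress = new Uri("https://localhost");

using HttpResponseMessage response = await client.GetAsync("/");

var failures = 0;
foreach (var (name, value) in expected)
{
    if (!response.Headers.TryGetValues(name, out var values))
    {
        Console.WriteLine($"MISSING  {name}");
        failures++;
        continue;
    }

    var actual = string.Join(",", values);
    // Header values are compared case-insensitively: "deny" and "DENY" mean
    // the same thing to browsers, and the casing the middleware emits is not
    // something this check should depend on.
    var ok = string.Equals(actual, value, StringComparison.OrdinalIgnoreCase);
    Console.WriteLine($"{(ok ? "OK     " : "WRONG  ")}{name}: {actual}");
    if (!ok) failures++;
}

await app.StopAsync();
return failures == 0 ? 0 : 1;
```

Run it as a console project; a non-zero exit code means at least one header was missing or had an unexpected value. The same loop can be dropped into an xUnit test against a WebApplicationFactory to keep the header set under regression coverage.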