Install the AdamBarclay.AspNetCore.SecurityHeaders NuGet package:

    Install-Package AdamBarclay.AspNetCore.SecurityHeaders
To add the security headers middleware to the ASP.NET Core pipeline, include the following using directive in your application configuration:

    using AdamBarclay.AspNetCore.SecurityHeaders;

and call:

    app.UseSecurityHeaders();
Calling app.UseSecurityHeaders() with no arguments is equivalent to calling:

    app.UseSecurityHeaders(
        c =>
        {
            c.ContentSecurityPolicy(o =>
            {
                o.ConfigureDefault().Self();
                o.ConfigureObject().None();
                o.ConfigureDirective("frame-ancestors").None();
            });
            c.FrameOptions(o => o.Deny());
            c.ReferrerPolicy(o => o.StrictOriginWhenCrossOrigin());
            c.StrictTransportSecurity(o => o.MaxAge(TimeSpan.FromDays(365)).IncludeSubdomains());
        });
By default, all of the security headers are included. To disable any of the headers, call Disable() on that header's configuration builder. The following call disables every header:

    app.UseSecurityHeaders(
        c =>
        {
            c.ContentSecurityPolicy(o => o.Disable());
            c.ContentTypeOptions(o => o.Disable());
            c.FrameOptions(o => o.Disable());
            c.ReferrerPolicy(o => o.Disable());
            c.StrictTransportSecurity(o => o.Disable());
        });
The default value for content-security-policy is default-src 'self';frame-ancestors 'none';object-src 'none'.
The default value for x-content-type-options is nosniff. No other values can be configured.
The default value for x-frame-options is deny. Use the FrameOptions() configuration builder to configure the value. Browsers that support the CSP frame-ancestors directive (which the default content-security-policy also sets to 'none') honour that directive in preference to x-frame-options, so this header mainly covers older browsers.

Call Deny() to set the value to deny.

    app.UseSecurityHeaders(c => c.FrameOptions(o => o.Deny()));

Call SameOrigin() to set the value to sameorigin. If you do this, also change the frame-ancestors directive in the content-security-policy, since its default of 'none' would still block same-origin framing in browsers that honour CSP.

    app.UseSecurityHeaders(c => c.FrameOptions(o => o.SameOrigin()));
The default value for referrer-policy is strict-origin-when-cross-origin.
The default value for strict-transport-security is max-age=31536000;includeSubdomains. Browsers only act on this header when it arrives over HTTPS, and includeSubdomains commits every subdomain of the host to HTTPS for a year, so make sure all of them are served over TLS before deploying it with the default value.