Skip to content

Help secure .net core apps with various HTTP headers (such as CSP's)

License

Notifications You must be signed in to change notification settings

TerribleDev/HardHat

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

44 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Hard Hat

Build status

HardHat is a set of .net core middleware that adds various headers to help protect your site from vulnerabilities. Inspired by helmetJS. We have some docs they are still a work in progress, so please feel free to submit changes to them.

In short this allows:

 // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            ...
            app.UseDnsPrefetch(allow: false); //turn off dns prefetch to protect the privacy of users
            app.UseFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN)); //prevent clickjacking, by not allowing your site to be rendered in an iframe
            //  app.UseFrameGuard(new FrameGuardOptions("otherdomain.com")); or allow iframes on another domain
            app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false); //tell browsers to always use https for the next 5000 seconds
            app.UseReferrerPolicy(ReferrerPolicy.NoReferrer); // do not include the referrer header when linking away from your site to protect your users privacy
            app.UseIENoOpen(); // don't allow old ie to open files in the context of your site
            app.UseNoMimeSniff(); // prevent MIME sniffing https://en.wikipedia.org/wiki/Content_sniffing
            app.UseCrossSiteScriptingFilters(); //add headers to have the browsers auto detect and block some xss attacks
            app.UseContentSecurityPolicy( // Provide a security policy so only content can come from trusted sources
                new ContentSecurityPolicyBuilder()
                .WithDefaultSource(CSPConstants.Self)
                .WithImageSource("http://images.mysite.com")
                .WithFontSource(CSPConstants.Self)
                .WithFrameAncestors(CSPConstants.None)
                .BuildPolicy()
               );
            app.UseHpkp(maxAge: 5184000, keys: new List<PublicKeyPin>{ // Prevent man in the middle attacks by providing a hash of your public keys
                new PublicKeyPin("cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=", HpKpCrypto.sha256),
                new PublicKeyPin("M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=", HpKpCrypto.sha256)
            }, includeSubDomains: true, reportUri: "/report", reportOnly: false);
            ...
            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }

Getting started

  • Install the nuget package Install-Package HardHat
  • Add the middleware you desire to your configure block.