Skip to content

Security Headers (CSP, XSS, etc.)

Edi Wang edited this page Oct 25, 2020 · 3 revisions

The security headers for Moonglade are controlled at web server level, not from ASP.NET Core kestrel. Because:

  • Different users have different security policies, I can not hard code it into startup.cs
  • Web server like IIS, Nginx or LB, WAF can provide much richer and flexibility to set security headers

IIS Example

The ./src/Moonglade.Web/web.Release.config is a default web.config transformation file to set security headers.

<location>
  <system.webServer>
    <security xdt:Transform="InsertIfMissing">
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol xdt:Transform="InsertIfMissing">
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="x-content-type-options" value="nosniff" />
        <add name="x-frame-options" value="SAMEORIGIN" />
        <add name="x-xss-protection" value="1" />
        <add name="feature-policy" value="camera 'none'; microphone 'none'; payment 'none'; usb 'none'; accelerometer 'none'" />
        <add name="content-security-policy" value="form-action 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.vo.msecnd.net https://*.services.visualstudio.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

Nginx Example

I am not a Linux guy, this need some time to research...