Security extensions for ASP.NET Core
Latest commit d6ad311 Aug 14, 2018
ASP.NET Core Security Extensions

dotnet add package PeterJuhasz.AspNetCore.Security.Extensions

Contains a set of extensions which help you make your web applications more secure.

Note: for ASP.NET Core 1.0 use package version 1.0.0; for ASP.NET Core 2.0 use version 2.0.0.

Features

Content-Security-Policy

Adds the Content-Security-Policy, X-Content-Security-Policy and X-Webkit-CSP headers to responses with content type text/html.

app.UseContentSecurityPolicy(new CspOptions
{
    DefaultSrc = CspDirective.None,
    StyleSrc = StyleCspDirective.Self,
    ScriptSrc = ScriptCspDirective.Self
        .AddSource(new Uri("https://az416426.vo.msecnd.net/")), // Application Insights
    ImgSrc = CspDirective.Self
        .AddDataScheme(),
    FontSrc = CspDirective.Self,
    ConnectSrc = CspDirective.Empty
        .AddSource(new Uri("https://dc.services.visualstudio.com/")),
});
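A quick way to confirm that the middleware behaves as described (header present on text/html, absent elsewhere) is an in-memory integration test. The test below is an added example, not part of this project; it assumes the xunit and Microsoft.AspNetCore.TestHost packages are referenced, that the extension types live in the PeterJuhasz.AspNetCore.Security.Extensions namespace, and that the directives are serialised as `default-src 'none'` / `script-src 'self'` (the exact header text is an assumption and may need adjusting to the library's output).

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using PeterJuhasz.AspNetCore.Security.Extensions; // assumed namespace of the package
using Xunit;

public class CspHeaderTests
{
    // Minimal pipeline: the CSP middleware in front of two endpoints,
    // one serving HTML and one serving JSON.
    static TestServer BuildServer() => new TestServer(new WebHostBuilder().Configure(app =>
    {
        app.UseContentSecurityPolicy(new CspOptions
        {
            DefaultSrc = CspDirective.None,
            ScriptSrc = ScriptCspDirective.Self,
            StyleSrc = StyleCspDirective.Self,
        });

        app.Map("/page", b => b.Run(async ctx =>
        {
            ctx.Response.ContentType = "text/html";
            await ctx.Response.WriteAsync("<html><body>hello</body></html>");
        }));

        app.Map("/api", b => b.Run(async ctx =>
        {
            ctx.Response.ContentType = "application/json";
            await ctx.Response.WriteAsync("{}");
        }));
    }));

    [Fact]
    public async Task HtmlResponseCarriesCsp()
    {
        using (var server = BuildServer())
        using (var client = server.CreateClient())
        {
            HttpResponseMessage response = await client.GetAsync("/page");

            Assert.True(response.Headers.TryGetValues("Content-Security-Policy", out var values));
            string csp = Assert.Single(values);

            // Assumed serialisation of the directives configured above.
            Assert.Contains("default-src 'none'", csp);
            Assert.Contains("script-src 'self'", csp);
            Assert.DoesNotContain("'unsafe-inline'", csp);
            Assert.DoesNotContain("'unsafe-eval'", csp);
        }
    }

    [Fact]
    public async Task NonHtmlResponseHasNoCsp()
    {
        using (var server = BuildServer())
        using (var client = server.CreateClient())
        {
            HttpResponseMessage response = await client.GetAsync("/api");

            // The README states the header is only added for text/html.
            Assert.False(response.Headers.Contains("Content-Security-Policy"));
        }
    }
}
```

Keeping a test like this in the suite catches the two regressions that matter most in practice: a refactor that moves the middleware behind an endpoint so the header silently disappears, and a policy change that reintroduces 'unsafe-inline' or 'unsafe-eval'.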

Expect-CT

Adds the Expect-CT header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.

app.UseExpectCT(enforce: true, maxAge: TimeSpan.FromHours(1));

Frame Options

Adds the Frame-Options and X-Frame-Options headers to responses with content type text/html.

app.UseFrameOptions(FrameOptionsPolicy.Deny);

If you want to enable displaying the page in a frame on a particular origin, you can set it like this:

app.UseFrameOptions(new Uri("https://www.example.org"));

HTTP Strict Transport Security

Adds the Strict-Transport-Security header to all responses.

app.UseHttpStrictTransportSecurity();

HTTP Public Key Pinning

Adds the Public-Key-Pinning header to all responses.

app.UseHttpPublicKeyPinning(options => options
    .Pin(fingerprint1, HttpPublicKeyPinningHashAlgorithm.Sha256)
    .Pin(fingerprint2, HttpPublicKeyPinningHashAlgorithm.Sha256)
);
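The fingerprints passed to Pin are base64-encoded SHA-256 digests of the certificate's DER-encoded SubjectPublicKeyInfo (RFC 7469). The helper below, an added example rather than code from this project, computes that value from a certificate file so the pins can be derived from the real deployed keys instead of copied by hand. It assumes .NET Core 3.0 or later, where PublicKey.ExportSubjectPublicKeyInfo() is available, and that Pin accepts the base64 string. Note that mainstream browsers have since dropped support for HPKP, so the header mainly matters for clients you control.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinCalculator
{
    // RFC 7469 pin value: base64( SHA-256( DER SubjectPublicKeyInfo ) ).
    // The digest covers the public key only, so the pin survives certificate
    // renewal as long as the key pair is reused.
    public static string ComputeSha256Pin(X509Certificate2 certificate)
    {
        byte[] spki = certificate.PublicKey.ExportSubjectPublicKeyInfo(); // .NET Core 3.0+
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(spki));
        }
    }

    // Convenience overload for a PEM/DER certificate file on disk.
    public static string ComputeSha256PinFromFile(string path)
    {
        using (var certificate = new X509Certificate2(path))
        {
            return ComputeSha256Pin(certificate);
        }
    }
}

// Wiring it into the middleware shown above (paths are placeholders).
// RFC 7469 requires at least one backup pin for a key that is NOT currently
// deployed, so that a key rotation does not lock clients out of the site.
public static class PinningStartup
{
    public static void Configure(Microsoft.AspNetCore.Builder.IApplicationBuilder app)
    {
        string currentPin = PinCalculator.ComputeSha256PinFromFile("certs/current-leaf.cer");
        string backupPin  = PinCalculator.ComputeSha256PinFromFile("certs/backup-key.cer");

        app.UseHttpPublicKeyPinning(options => options
            .Pin(currentPin, HttpPublicKeyPinningHashAlgorithm.Sha256)
            .Pin(backupPin, HttpPublicKeyPinningHashAlgorithm.Sha256)
        );
    }
}
```

Generate the backup pin from a key pair that is stored offline; if the only pinned key is the one in production, losing or compromising it makes the site unreachable for every client that cached the policy until max-age expires.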

Redirect Policy

Restricts server-side redirects to trusted origins only.

app.UseRedirectPolicy();

You can also specify the trusted origins:

app.UseRedirectPolicy(allowedBaseUris: "https://www.example.org");
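To make concrete what "restricting redirects to trusted origins" has to cover, the following is an added example of such a check, written here to illustrate the technique and not taken from this library: a middleware that inspects the Location header of every 3xx response before it is sent and rewrites untrusted targets to the site root. The method name UseRedirectPolicyExample and the rewrite-to-root behaviour are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class RedirectPolicyExample
{
    // True when the redirect stays on this site or lands on one of the allowed
    // base URIs; anything ambiguous or unparsable is treated as untrusted.
    public static bool IsAllowedRedirect(string location, HttpRequest request, IEnumerable<Uri> allowedBaseUris)
    {
        if (string.IsNullOrWhiteSpace(location))
            return true;

        // Browsers read "//host", "/\host" and "\\host" as absolute URLs even
        // though they start with a slash; reject them before the relative check.
        if (location.StartsWith("//") || location.StartsWith("/\\") || location.StartsWith("\\"))
            return false;

        // Plain site-relative path: stays on the current origin.
        if (location.StartsWith("/"))
            return true;

        if (!Uri.TryCreate(location, UriKind.Absolute, out Uri target))
            return false;

        // Only web schemes are acceptable redirect targets (no javascript:, data:, ...).
        if (!target.Scheme.Equals("http", StringComparison.OrdinalIgnoreCase) &&
            !target.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase))
            return false;

        var self = new Uri($"{request.Scheme}://{request.Host}");
        if (SameOrigin(target, self))
            return true;

        // Allowed base URI: same origin AND the path must sit under the base path.
        return allowedBaseUris.Any(b =>
            SameOrigin(target, b) &&
            target.AbsolutePath.StartsWith(b.AbsolutePath, StringComparison.Ordinal));
    }

    static bool SameOrigin(Uri a, Uri b) =>
        a.Scheme.Equals(b.Scheme, StringComparison.OrdinalIgnoreCase) &&
        a.Host.Equals(b.Host, StringComparison.OrdinalIgnoreCase) &&
        a.Port == b.Port;

    // Hypothetical middleware that applies the check to outgoing responses.
    public static IApplicationBuilder UseRedirectPolicyExample(this IApplicationBuilder app, params string[] allowedBaseUris)
    {
        List<Uri> allowed = allowedBaseUris.Select(u => new Uri(u, UriKind.Absolute)).ToList();

        return app.Use(async (context, next) =>
        {
            // OnStarting runs just before headers are flushed, so the final
            // Location value set by later middleware or MVC is what gets inspected.
            context.Response.OnStarting(() =>
            {
                int status = context.Response.StatusCode;
                if (status >= 300 && status < 400 &&
                    context.Response.Headers.TryGetValue("Location", out var location) &&
                    !IsAllowedRedirect(location.ToString(), context.Request, allowed))
                {
                    // Untrusted target: send the user to the site root instead.
                    context.Response.Headers["Location"] = "/";
                }
                return Task.CompletedTask;
            });

            await next();
        });
    }
}
```

With this in place, a handler that blindly redirects to a `returnUrl` query parameter can no longer be turned into an open redirect: `/dashboard` and `https://www.example.org/login` pass, while `//attacker.example`, `https://www.example.org.attacker.example/` and `javascript:` targets are all rewritten.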

Referrer Policy

Adds the Referrer-Policy header to all responses.

app.UseReferrerPolicy(ReferrerPolicy.SameOrigin);

X-Content-Type-Options

Adds the X-Content-Type-Options header to all responses.

app.UseXContentTypeOptions(XContentTypeOptions.NoSniff);

X-Download-Options

Adds the X-Download-Options header to each file download.

app.UseXDownloadOptions(XDownloadOptions.NoOpen);

X-Permitted-Cross-Domain-Policies

Adds X-Permitted-Cross-Domain-Policies header to all responses.

app.UseXPermittedCrossDomainPolicies(PermittedCrossDomainPolicy.None);

X-Robots-Tag

Adds the X-Robots-Tag header to all responses.

app.UseXRobotsTag(noIndex: true, noFollow: true);

X-UA-Compatible

Adds the X-UA-Compatible header to each response with text/html media type.

app.UseXUACompatible(InternetExplorerCompatibiltyMode.Edge);

X-XSS-Protection

Adds the X-XSS-Protection header to each response with text/html media type. The default setting enables protection and sets it to block mode.

app.UseXXSSProtection();