Automatically adds the following HTTP response headers to the HTTP responses of the web application:
X-Content-Type-Options
X-Frame-Options
Referrer-Policy
X-Permitted-Cross-Domain-Policies
X-XSS-Protection
Expect-CT
Feature-Policy
Permissions-Policy
Content-Security-Policy
X-Powered-By
X-AspNetMvc-Version
"AppSecurity": {
"ReferrerPolicy": "strict-origin-when-cross-origin",
"ContentTypeOptions": "nosniff",
"FrameOptions": "DENY",
"PermittedCrossDomainPolicies": "none",
"XssProtection": "1; mode=block",
"CertificateTransparency": "max-age=0, enforce, report-uri=https://example.report-uri.com/r/d/ct/enforce",
"FeaturePolicy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
"PermissionsPolicy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()",
"ContentSecurityPolicy": "default-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.some-page.com https://*.tv-page.tv https://*.tools.net ; style-src 'self' 'unsafe-inline' https://*.cloudflare.com; img-src 'self' data: https://*.data-page.net; font-src 'self' data:; connect-src 'self' https://dc.services.visualstudio.com; media-src 'self' data: https://*.data-page.tv; frame-src 'self' https://*.tv-page.tv; frame-ancestors 'self';"
}
/// <summary>
/// Registers the security-hardening services with the dependency-injection container.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
...
// Adds the services that UseSecurityHardening() relies on. The header values are
// presumably bound from the "AppSecurity" configuration section shown above — confirm.
// NOTE(review): the sample ContentSecurityPolicy allows 'unsafe-inline' and 'unsafe-eval'
// in script-src, which largely negates CSP's defence against injected scripts; tighten
// the policy per deployment rather than shipping the sample as-is.
services.AddSecurityHardening();
...
}
/// <summary>
/// Adds the security-hardening middleware to the HTTP request pipeline.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
// Must be registered BEFORE app.UseEndpoints: middleware runs in registration order,
// so a later registration would presumably not apply the headers to endpoint responses.
app.UseSecurityHardening();
...
}