mits-live/SecurityHardening

Security Hardening for Microsoft .NET Core, .NET 5/6/7 Web applications.

Automatically adds the following HTTP response headers to every HTTP response of the web application:

X-Content-Type-Options
X-Frame-Options
Referrer-Policy
X-Permitted-Cross-Domain-Policies
X-XSS-Protection
Expect-CT
Feature-Policy
Permissions-Policy
Content-Security-Policy

Removes the following HTTP response headers from every HTTP response of the web application:

X-Powered-By
X-AspNetMvc-Version

Example configuration

{
  "AppSecurity": {
    "ReferrerPolicy": "strict-origin-when-cross-origin",
    "ContentTypeOptions": "nosniff",
    "FrameOptions": "DENY",
    "PermittedCrossDomainPolicies": "none",
    "XssProtection": "1; mode=block",
    "CertificateTransparency": "max-age=0, enforce, report-uri=https://example.report-uri.com/r/d/ct/enforce",
    "FeaturePolicy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
    "PermissionsPolicy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()",
    "ContentSecurityPolicy": "default-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.some-page.com https://*.tv-page.tv https://*.tools.net; style-src 'self' 'unsafe-inline' https://*.cloudflare.com; img-src 'self' data: https://*.data-page.net; font-src 'self' data:; connect-src 'self' https://dc.services.visualstudio.com; media-src 'self' data: https://*.data-page.tv; frame-src 'self' https://*.tv-page.tv; frame-ancestors 'self';"
  }
}

How to use it in a .NET Core, .NET 5/6/7 application

public void ConfigureServices(IServiceCollection services)
{
    ...
    // Registers the hardening services (reads the "AppSecurity" configuration section).
    services.AddSecurityHardening();
    ...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    // Must be registered BEFORE app.UseEndpoints(...), otherwise the headers
    // are not applied to responses produced by the endpoints.
    app.UseSecurityHardening();
    ...
}
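As an added illustration (not the mits-live/SecurityHardening code, whose internals this page does not show), the following middleware sketch does the two things the README describes: it sets the listed headers from an "AppSecurity" configuration section and strips the two framework-disclosure headers. The class and method names, and the mapping from configuration keys to header names, are assumptions.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ResponseHeaderHardening   // hypothetical name, not the library's
{
    // Response header name -> key in the "AppSecurity" configuration section (assumed mapping).
    private static readonly (string Header, string Key)[] Map =
    {
        ("X-Content-Type-Options",            "ContentTypeOptions"),
        ("X-Frame-Options",                   "FrameOptions"),
        ("Referrer-Policy",                   "ReferrerPolicy"),
        ("X-Permitted-Cross-Domain-Policies", "PermittedCrossDomainPolicies"),
        ("X-XSS-Protection",                  "XssProtection"),
        ("Expect-CT",                         "CertificateTransparency"),
        ("Feature-Policy",                    "FeaturePolicy"),
        ("Permissions-Policy",                "PermissionsPolicy"),
        ("Content-Security-Policy",           "ContentSecurityPolicy"),
    };

    // Headers that disclose the framework or its version; removed unconditionally.
    private static readonly string[] Strip = { "X-Powered-By", "X-AspNetMvc-Version" };

    public static IApplicationBuilder UseResponseHeaderHardening(this IApplicationBuilder app)
    {
        // Values are read once at startup; keys that are unset or empty are skipped.
        var section = app.ApplicationServices.GetRequiredService<IConfiguration>().GetSection("AppSecurity");
        var toSet = Map.Select(m => (m.Header, Value: section[m.Key]))
                       .Where(m => !string.IsNullOrEmpty(m.Value)).ToArray();

        return app.Use(async (context, next) =>
        {
            // Headers can only be changed until the response starts, so the mutation is
            // registered in OnStarting rather than applied after next() has returned.
            context.Response.OnStarting(() =>
            {
                var h = context.Response.Headers;
                foreach (var (header, value) in toSet) h[header] = value;
                foreach (var name in Strip) h.Remove(name);
                return Task.CompletedTask;
            });
            await next();
        });
    }
}
```

Values are passed through verbatim, so the policy strength is entirely up to the configuration: the sample CSP above allows 'unsafe-inline' and 'unsafe-eval' in script-src, which removes most of the protection CSP offers against injected scripts, so tighten it before relying on it in production.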
