ASP.NET Content Security Middleware
An easy-to-use middleware for adding a Content-Security-Policy header to responses in the ASP.NET pipeline
Basic use case (includes 'self' for default-src):
app.UseContentSecurityPolicy(policy => policy);
Standard use case:
app.UseContentSecurityPolicy(policy => policy
    // Fallback for every fetch directive not listed below
    .WithDefaultSource(ContentSecurityPolicyResources.Self)
    // Images may also be inline data: URIs (e.g. base64-encoded icons)
    .WithImageSource(ContentSecurityPolicyResources.Self,
        SchemaResources.Data)
    .WithFontSource(ContentSecurityPolicyResources.Self,
        ContentSecuritySourceResources.GoogleFonts)
    .WithStyleSource(ContentSecurityPolicyResources.Self,
        ContentSecuritySourceResources.GoogleFontStyles,
        ContentSecuritySourceResources.Cloudflare)
    // Scripts only from this origin: no CDN, no inline script
    .WithScriptSource(ContentSecurityPolicyResources.Self)
    // XHR/fetch/WebSocket targets
    .WithConnectSource(ContentSecurityPolicyResources.Self,
        ContentSecuritySourceResources.MicrosoftLogin,
        ContentSecuritySourceResources.MicrosoftGraph)
    // This app neither embeds frames nor may be framed (clickjacking defence)
    .WithFrameSource(ContentSecurityPolicyResources.None)
    .WithFrameAncestors(ContentSecurityPolicyResources.None));
Disable default-src 'self':
app.UseContentSecurityPolicy(policy => policy.WithoutDefaultSelf());
Use sandbox:
app.UseContentSecurityPolicy(policy => policy.WithSandBox(SandboxOptions.AllowScripts));
Use route-specific policies:
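The page does not show a route-specific API of the middleware itself. As an added example (not code from this project), one way to scope policies per route is ASP.NET Core's built-in `UseWhen`, which branches the pipeline on a predicate; the admin area gets a strict same-origin policy and everything else gets the relaxed policy from the standard use case. The `/admin` path and the `using` directive for the middleware's namespace (which the page does not name) are assumptions.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
// plus the using directive for this middleware's namespace (not named on the page)

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Predicate for the branch; "/admin" is an assumed example path.
static bool IsAdminArea(HttpContext ctx) =>
    ctx.Request.Path.StartsWithSegments("/admin");

// Strict policy for the admin area: same-origin only, no framing either way.
app.UseWhen(IsAdminArea, branch => branch.UseContentSecurityPolicy(policy => policy
    .WithDefaultSource(ContentSecurityPolicyResources.Self)
    .WithScriptSource(ContentSecurityPolicyResources.Self)
    .WithFrameSource(ContentSecurityPolicyResources.None)
    .WithFrameAncestors(ContentSecurityPolicyResources.None)));

// Relaxed policy everywhere else. The predicates are complementary on purpose:
// a request must never pass through both branches (see note below).
app.UseWhen(ctx => !IsAdminArea(ctx), branch => branch.UseContentSecurityPolicy(policy => policy
    .WithDefaultSource(ContentSecurityPolicyResources.Self)
    .WithImageSource(ContentSecurityPolicyResources.Self,
        SchemaResources.Data)
    .WithFontSource(ContentSecurityPolicyResources.Self,
        ContentSecuritySourceResources.GoogleFonts)
    .WithStyleSource(ContentSecurityPolicyResources.Self,
        ContentSecuritySourceResources.GoogleFontStyles)
    .WithScriptSource(ContentSecurityPolicyResources.Self)
    .WithFrameAncestors(ContentSecurityPolicyResources.None)));

// Register the policy middleware before anything that writes a response body,
// so the header is set before the response starts.
app.UseStaticFiles();
app.MapGet("/", () => "public page");
app.MapGet("/admin", () => "admin page");

app.Run();
```

The two predicates are the inverse of each other because browsers enforce every Content-Security-Policy header they receive: a request that ran through both branches would be held to the intersection of the two policies, not the last one written. To confirm which policy a route actually emits, request it with `curl -sI` against the running app and inspect the `Content-Security-Policy` header for `/` and `/admin`.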