silent-sour/AspNetCore.Hosting.ContentSecurityPolicies

AspNetCore.Hosting.ContentSecurityPolicies

ASP.NET Content Security Middleware


A small middleware for adding a Content-Security-Policy header to every response in the ASP.NET Core pipeline, configured with a fluent policy builder.

Basic use case (includes 'self' for default-src):

    app.UseContentSecurityPolicy(policy => policy);

Standard use case:

    app.UseContentSecurityPolicy(policy => policy
        .WithDefaultSource(ContentSecurityPolicyResources.Self)
        .WithImageSource(ContentSecurityPolicyResources.Self,
            SchemaResources.Data)
        .WithFontSource(ContentSecurityPolicyResources.Self,
            ContentSecuritySourceResources.GoogleFonts)
        .WithStyleSource(ContentSecurityPolicyResources.Self,
            ContentSecuritySourceResources.GoogleFontStyles,
            ContentSecuritySourceResources.Cloudflare)
        .WithScriptSource(ContentSecurityPolicyResources.Self)
        .WithConnectSource(ContentSecurityPolicyResources.Self,
            ContentSecuritySourceResources.MicrosoftLogin,
            ContentSecuritySourceResources.MicrosoftGraph)
        .WithFrameSource(ContentSecurityPolicyResources.None)
        .WithFrameAncestors(ContentSecurityPolicyResources.None)
    );

Disable default-src 'self':

    app.UseContentSecurityPolicy(policy => policy.WithoutDefaultSelf());

Use sandbox:

    app.UseContentSecurityPolicy(policy => policy.WithSandBox(SandboxOptions.AllowScripts));
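A complete minimal host that wires up a locked-down policy with the builder calls shown above, followed by an integration test that confirms the header actually reaches the client. This is an added example, not the project's own code: it assumes the middleware lives in the `AspNetCore.Hosting.ContentSecurityPolicies` namespace, that the header is serialized as standard `directive source; directive source` text, and that the test project references `Microsoft.AspNetCore.Mvc.Testing` and xUnit.

```csharp
// Program.cs: minimal ASP.NET Core host (added example; the namespace is an assumption).
using AspNetCore.Hosting.ContentSecurityPolicies;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Register the CSP middleware before anything that writes responses
// (static files, endpoints) so that every response carries the header.
app.UseContentSecurityPolicy(policy => policy
    .WithDefaultSource(ContentSecurityPolicyResources.Self)
    .WithScriptSource(ContentSecurityPolicyResources.Self)
    .WithFrameSource(ContentSecurityPolicyResources.None)
    .WithFrameAncestors(ContentSecurityPolicyResources.None));

app.UseStaticFiles();
app.MapGet("/", () => "hello");

app.Run();

public partial class Program { } // lets WebApplicationFactory<Program> reference the host

// CspHeaderTests.cs: xUnit integration test using Microsoft.AspNetCore.Mvc.Testing.
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class CspHeaderTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;
    public CspHeaderTests(WebApplicationFactory<Program> factory) => _factory = factory;

    [Fact]
    public async Task Every_response_carries_a_locked_down_csp()
    {
        var client = _factory.CreateClient();
        var response = await client.GetAsync("/");

        Assert.True(response.Headers.TryGetValues("Content-Security-Policy", out var values));
        var csp = Assert.Single(values);
        // Expected serialization (assumption): "default-src 'self'; ...; frame-ancestors 'none'"
        Assert.Contains("default-src 'self'", csp);
        Assert.Contains("frame-ancestors 'none'", csp);
        // Guards against someone later relaxing the policy with an inline-script allowance.
        Assert.DoesNotContain("'unsafe-inline'", csp);
    }
}
```

The test pins the directives that matter most for clickjacking and script injection, so a later change to the policy that weakens them fails the build rather than shipping silently.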

Use route-specific policies:

    

References

  1. The Mozilla CSP reference
  2. The OWASP cheat sheet
  3. The Microsoft Reference
