Security

  1. Home
  2. Blogs
  3. 2022
  4. June
  5. Set-up HTTP Security Headers in ASP.NET Core

Set-up HTTP Security Headers in ASP.NET Core

When building or maintaining any website you should consider security hardening your HTTP security headers to prevent security vulnerabilities. Proper HTTP response headers can help prevent security vulnerabilities like Cross-Site Scripting, Clickjacking, Information disclosure and more. If you want read more details about each header a good reference is OWASP Secure Headers Project. Here I'll demonstrate how this could be done in ASP.NET Core .NET 5.

First open your Startup.cs file in your application and go to the Configure method. Then implement the following code:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    // Security Headers
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Remove("Server");
        context.Response.Headers.Remove("X-Powered-By");
        context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
        context.Response.Headers.Add("X-Frame-Options", "DENY");
        context.Response.Headers.Add("Referrer-Policy", "no-referrer");
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        context.Response.Headers.Add("X-Permitted-Cross-Domain-Policies", "none");
        context.Response.Headers.Add("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
        context.Response.Headers.Add("Content-Security-Policy", "script-src 'self' safe-website.com;");
        await next();
    });
}

Ones to note is the app.UseHsts(); which implements the HTTP Strict Transport Security header. Next we have the standard HTTP security headers, first removing the Server and X-Powered-By headers to prevent disclosure of information. Finally we have the remaining header configurations. Please refer to the OWASP Secure Headers Project for further explanation of each header and valid values that suit your requirements.

Once implemented you will be able to see these values reflected in your web pages by inspecting the Response Header using a tool like Developer Tools in Chrome.

Recent Blog Posts

Blog Tags