FoxLearn.AspNetCore.SecurityHeaders
1.0.1
dotnet add package FoxLearn.AspNetCore.SecurityHeaders --version 1.0.1
NuGet\Install-Package FoxLearn.AspNetCore.SecurityHeaders -Version 1.0.1
<PackageReference Include="FoxLearn.AspNetCore.SecurityHeaders" Version="1.0.1" />
<PackageVersion Include="FoxLearn.AspNetCore.SecurityHeaders" Version="1.0.1" />
<PackageReference Include="FoxLearn.AspNetCore.SecurityHeaders" />
paket add FoxLearn.AspNetCore.SecurityHeaders --version 1.0.1
#r "nuget: FoxLearn.AspNetCore.SecurityHeaders, 1.0.1"
#:package FoxLearn.AspNetCore.SecurityHeaders@1.0.1
#addin nuget:?package=FoxLearn.AspNetCore.SecurityHeaders&version=1.0.1
#tool nuget:?package=FoxLearn.AspNetCore.SecurityHeaders&version=1.0.1
FoxLearn.AspNetCore.SecurityHeaders
A lightweight library for adding common security headers to ASP.NET Core applications.
This package simplifies the process of applying essential HTTP security headers, such as Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and more, to your ASP.NET Core middleware pipeline, helping protect your web applications from common vulnerabilities.
Features
🔒 Easy integration with ASP.NET Core middleware
⚙️ Predefined defaults for recommended security headers
🛠️ Fully customizable header values
💡 Supports .NET Core 3.1 and later
Installation
Install via the .NET CLI:
dotnet add package FoxLearn.AspNetCore.SecurityHeaders
Or via the NuGet UI in Visual Studio by searching for FoxLearn.AspNetCore.SecurityHeaders.
Usage
To enable and customize security headers in your ASP.NET Core application, configure the services and middleware using the provided extension methods. Add the service registration in your Startup.cs or Program.cs file:
builder.Services.AddSecurityHeaderPolicies(options =>
{
    options.AddCrossOriginResourcePolicy(x => x.SameOrigin())
        .AddFrameOptionsDeny()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicy(ReferrerPolicy.StrictOrigin)
        .AddStrictTransportSecurity()
        .AddPermissionsPolicy(policy =>
        {
            policy.AddAccelerometer().Self().For("https://foxlearn.com");
            policy.AddMicrophone();
        });
});
var app = builder.Build();
// ...
app.UseSecurityHeaders();
To fully control the headers returned, create a HeaderPolicyCollection and define your own set of headers including any custom headers you may need:
// Define a custom header policy
var policy = new HeaderPolicyCollection()
    .AddFrameOptionsDeny()
    .AddReferrerPolicyStrictOriginWhenCrossOrigin();
builder.Services.AddSecurityHeaderPolicies(options =>
{
    // The lambda parameter is named "p": it cannot reuse the name of the enclosing local "policy"
    options.AddPolicy("CustomPolicy", p => p.AddCustomHeader("X-Custom", "SomeValue"));
});
// Apply your custom policy globally or on a per-endpoint basis:
app.UseSecurityHeaders(policy); // Apply custom global policy
app.UseEndpointSecurityHeaders(); // Enable attribute-based usage
Apply a Policy to a Controller Action
public class HomeController : Controller
{
    private readonly ILogger<HomeController> _logger;

    public HomeController(ILogger<HomeController> logger)
    {
        _logger = logger;
    }

    [SecurityHeadersPolicy("CustomPolicy")]
    public IActionResult Index()
    {
        return View();
    }
}
Apply custom policies to endpoints
If you need to apply a custom (non-default) security header policy to a specific endpoint, use the .WithSecurityHeadersPolicy("PolicyName") extension method during endpoint mapping:
app.MapGet("/", () => "Hello world")
    .WithSecurityHeadersPolicy("CustomPolicy"); // Apply a named policy to this endpoint
RemoveServerHeader
The RemoveServerHeader method is usually not enough to fully eliminate the Server header from HTTP responses. Middleware earlier in the pipeline can remove the header, but Kestrel typically appends the Server header after middleware runs, which makes it difficult to override at that stage.
To properly prevent the Server header from being added, you should configure Kestrel directly:
var host = new WebHostBuilder()
    .UseKestrel(options => options.AddServerHeader = false)
Make sure this is set in Program.cs when building your app’s WebHostBuilder. This disables the automatic inclusion of the Server header at the source: the Kestrel web server itself.
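One way to check that an application really returns what the Usage configuration and the Kestrel setting above are meant to produce is to audit the response headers. This is an added example, not code from the package: the HeaderAudit class and its members are hypothetical, and the expected values are the standard ones for each header (an assumption, since the package's exact output is not shown on this page).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Expected values are the standard ones for each header (assumption, see lead-in).
static class HeaderAudit
{
    static readonly Dictionary<string, string> Exact =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Cross-Origin-Resource-Policy"] = "same-origin", ["X-Frame-Options"] = "DENY",
            ["X-Content-Type-Options"] = "nosniff", ["Referrer-Policy"] = "strict-origin",
        };
    // True when the HSTS value carries a max-age directive greater than zero.
    static bool HasPositiveMaxAge(string hsts) =>
        hsts.Split(';').Select(d => d.Split('=')).Any(kv =>
            kv.Length == 2 && kv[0].Trim().Equals("max-age", StringComparison.OrdinalIgnoreCase)
            && long.TryParse(kv[1].Trim().Trim('"'), out var seconds) && seconds > 0);

    public static List<string> Audit(IDictionary<string, string> headers)
    {
        // Header names are case-insensitive, so copy into a case-insensitive map.
        var h = new Dictionary<string, string>(headers, StringComparer.OrdinalIgnoreCase);
        var findings = new List<string>();
        foreach (var pair in Exact)
        {
            if (!h.TryGetValue(pair.Key, out var got)) findings.Add($"missing {pair.Key}");
            else if (!got.Trim().Equals(pair.Value, StringComparison.OrdinalIgnoreCase))
                findings.Add($"{pair.Key}: expected '{pair.Value}', got '{got}'");
        }
        if (!h.ContainsKey("Permissions-Policy")) findings.Add("missing Permissions-Policy");
        if (!h.TryGetValue("Strict-Transport-Security", out var hsts)) findings.Add("missing Strict-Transport-Security");
        else if (!HasPositiveMaxAge(hsts)) findings.Add("Strict-Transport-Security has no positive max-age");
        // A Server header in the response means Kestrel is still adding it.
        if (h.TryGetValue("Server", out var server)) findings.Add($"Server header still sent: '{server}'");
        return findings;
    }

    static void Main()
    {
        // Constructed sample response headers (not captured from a real application).
        var sample = new Dictionary<string, string>
        {
            ["x-frame-options"] = "DENY", ["X-Content-Type-Options"] = "nosniff",
            ["Referrer-Policy"] = "no-referrer-when-downgrade", ["Server"] = "Kestrel",
            ["Strict-Transport-Security"] = "max-age=0", ["Cross-Origin-Resource-Policy"] = "same-origin",
        };
        foreach (var finding in Audit(sample)) Console.WriteLine(finding);
    }
}
```

In an integration test, the same Audit method can be fed the headers of a real response from the application and asserted to return an empty list.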
License
This project is licensed under the MIT License.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET Core | netcoreapp3.1 is compatible. |
.NETCoreApp 3.1
- No dependencies.