IIR.SecurityHeaders.Core 2.2.2.1

dotnet add package IIR.SecurityHeaders.Core --version 2.2.2.1                
NuGet\Install-Package IIR.SecurityHeaders.Core -Version 2.2.2.1                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="IIR.SecurityHeaders.Core" Version="2.2.2.1" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add IIR.SecurityHeaders.Core --version 2.2.2.1                
#r "nuget: IIR.SecurityHeaders.Core, 2.2.2.1"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install IIR.SecurityHeaders.Core as a Cake Addin
#addin nuget:?package=IIR.SecurityHeaders.Core&version=2.2.2.1

// Install IIR.SecurityHeaders.Core as a Cake Tool
#tool nuget:?package=IIR.SecurityHeaders.Core&version=2.2.2.1                

This plugin is for IIR .NET 6 and higher sites to add additional security to it.

Program.cs

You can easily add in the Program.cs file a few lines to quickly add additional security to your sites. (Upgraded projects might still have a Startup.cs)

We will want to try and make cookies as secure as possible with the following settings

// Sets the default cookie policy. You may need to apply additional policies for authentication.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
                
    options.MinimumSameSitePolicy = SameSiteMode.Strict;
    // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
    options.HandleSameSiteCookieCompatibility(); // If you have a collision, use options.CustomHandleSameSiteCookieCompatibility();
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

    
// Configure HSTS to a year out and include pre-load and subdomains
builder.Services.AddHsts(o =>
{
    o.Preload = true;
    o.IncludeSubDomains = true;
    o.MaxAge = TimeSpan.FromDays(365);
});

Add the following line to automatically add required security settings

app.UseIIRStandard();
app.UseCookiePolicy(); // This is to apply from the above section

Make sure that app.UseHsts(); is set in this method (usually is by default)

Create Web.Config

You will need to create a web.config file in the root of the website and add the following XML to it. This will help remove some of the header values we don't want to include

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
        <remove name="Server" />
        <remove name="X-AspNet-Version" />
        <remove name="X-AspNetMvc-Version" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

View Imports

In the _Viewimports.cshtml file you will want to add the following line to the file

@addTagHelper *, Joonasw.AspNetCore.SecurityHeaders

Remarks

Most of this logic was taken from a library that has not been updated in a few years. We only inlcuded the tools that are still common for today. You can read more about the package at https://github.com/juunas11/aspnetcore-security-headers

Product Compatible and additional computed target framework versions.
.NET net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on IIR.SecurityHeaders.Core:

Package Downloads
IIR.RazorComponents.USWDS

IIR's U.S. Web Design System (USWDS) Components for .NET 6 and Razor Pages

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
2.2.2.1 2,902 1/31/2024
2.2.2 102 1/31/2024
2.2.1 111 1/31/2024
2.2.0 149 1/30/2024

- Updating documentation