IM.ContentSecurityPolicy 1.0.2

dotnet add package IM.ContentSecurityPolicy --version 1.0.2

NuGet\Install-Package IM.ContentSecurityPolicy -Version 1.0.2
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="IM.ContentSecurityPolicy" Version="1.0.2" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.

Directory.Packages.props
<PackageVersion Include="IM.ContentSecurityPolicy" Version="1.0.2" />
Project file
<PackageReference Include="IM.ContentSecurityPolicy" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add IM.ContentSecurityPolicy --version 1.0.2

#r "nuget: IM.ContentSecurityPolicy, 1.0.2"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package IM.ContentSecurityPolicy@1.0.2
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

Install as a Cake Addin
#addin nuget:?package=IM.ContentSecurityPolicy&version=1.0.2

Install as a Cake Tool
#tool nuget:?package=IM.ContentSecurityPolicy&version=1.0.2

Content Security Policy for Umbraco

A comprehensive .NET library for Content Security Policy (CSP) support in ASP.NET Core and Umbraco CMS applications with configurable policy rules.

Features

  • Nonce Generation: Cryptographically secure nonce generation per request
  • Tag Helpers: asp-nonce attribute support for <script> and <style> elements
  • View Components: Reusable components for scripts and styles with nonces
  • HTML Helper Extensions: Extension methods for nonce support
  • Middleware: Automatic nonce generation and CSP header support
  • Configurable CSP Rules: Fully customizable Content Security Policy directives
  • Easy Integration: Simple service registration and setup
  • Umbraco Support: Seamless integration with Umbraco CMS

Installation

For ASP.NET Core Applications

Add the package to your project:

<PackageReference Include="IM.ContentSecurityPolicy" Version="1.0.2" />

For Umbraco CMS Applications

Via Umbraco Package Manager

  1. Go to Packages in your Umbraco backoffice
  2. Search for "IM.ContentSecurityPolicy"
  3. Click Install

Via NuGet

dotnet add package IM.ContentSecurityPolicy

For detailed Umbraco installation and usage instructions, see the Umbraco Marketplace README.

Quick Start

1. Register Services

In your Program.cs or Startup.cs:

using IM.ContentSecurityPolicy.Extensions;

// Add nonce services with default CSP options
builder.Services.AddNonceServices();

2. Add Middleware

using IM.ContentSecurityPolicy.Middleware;

// Add nonce generation middleware
app.UseNonceGeneration();

// Add CSP middleware with default options
app.UseContentSecurityPolicy();

3. Use in Views


<script src="~/dist/script.js" asp-append-version="true" asp-nonce="true"></script>


<script type="text/javascript" asp-nonce="true">
    console.log('Hello World');
</script>
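
A check on the result of the three steps above, as an added example that is not part of the package or its README: it compares the nonce in a CSP header with the nonce attributes in the rendered HTML and tests whether two responses share a nonce. The header and HTML strings are constructed samples, and the header format they assume (the `{nonce}` placeholder replaced by a base64 value) is an assumption about the package's output.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not package code. All inputs in Main are constructed samples.
static class CspNonceCheck
{
    static readonly Regex HeaderNonce = new(@"'nonce-([A-Za-z0-9+/_=-]+)'");
    static readonly Regex Tag = new(@"<(script|style)\b([^>]*)>", RegexOptions.IgnoreCase);
    // The lookbehind keeps an unrendered asp-nonce="true" from counting as a real nonce.
    static readonly Regex NonceAttr = new(@"(?<![\w-])nonce\s*=\s*""([^""]*)""", RegexOptions.IgnoreCase);

    static List<string> Nonces(string cspHeader) =>
        HeaderNonce.Matches(cspHeader).Select(m => m.Groups[1].Value).Distinct().ToList();

    // One finding per problem; an empty list means header and markup agree.
    public static List<string> Verify(string cspHeader, string html)
    {
        var findings = new List<string>();
        var nonces = Nonces(cspHeader);
        if (cspHeader.Contains("{nonce}")) findings.Add("placeholder {nonce} was not substituted");
        else if (nonces.Count == 0) findings.Add("header carries no 'nonce-...' source");
        foreach (Match tag in Tag.Matches(html))
        {
            var attr = NonceAttr.Match(tag.Groups[2].Value);
            if (!attr.Success) findings.Add($"no nonce on {tag.Value}");
            else if (!nonces.Contains(attr.Groups[1].Value)) findings.Add($"nonce not in header: {tag.Value}");
        }
        return findings;
    }

    // A nonce only helps if it changes on every response.
    public static bool ReusedAcrossResponses(string headerA, string headerB) =>
        Nonces(headerA).Intersect(Nonces(headerB)).Any();

    public static void Main()
    {
        const string first = "script-src 'self' 'nonce-c2FtcGxlLW5vbmNlLTE='; style-src 'self'";
        const string second = "script-src 'self' 'nonce-c2FtcGxlLW5vbmNlLTI='; style-src 'self'";
        const string html =
            "<script src=\"/dist/script.js\" nonce=\"c2FtcGxlLW5vbmNlLTE=\"></script>" +
            "<script type=\"text/javascript\" asp-nonce=\"true\">console.log('Hello World');</script>";

        foreach (var f in Verify(first, html)) Console.WriteLine(f);
        Console.WriteLine($"nonce reused: {ReusedAcrossResponses(first, second)}");
    }
}
```

An `asp-nonce` attribute that survives into the rendered HTML, as in the second sample tag, means the tag helper did not run for that view.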

Configuration

Basic CSP Configuration

Configure CSP options during service registration:

builder.Services.AddNonceServices(options =>
{
    // Allow scripts from trusted CDNs
    options.ScriptSrc = new[] { "'self'", "'nonce-{nonce}'", "https://cdn.example.com" };
    
    // Allow styles from trusted sources
    options.StyleSrc = new[] { "'self'", "'nonce-{nonce}'", "https://fonts.example.com" };
    
    // Allow fonts from trusted sources
    options.FontSrc = new[] { "'self'", "https://fonts.example.com" };
    
    // Allow images from any HTTPS source
    options.ImgSrc = new[] { "'self'", "data:", "https:" };
    
    // Report-only mode for testing: violations are reported but not blocked
    options.ReportOnly = true;
    
    // Set violation report URI
    options.ReportUri = "https://your-domain.com/csp-report";
});

Using the Fluent Builder

For more complex configurations, use the fluent builder:

using IM.ContentSecurityPolicy.Options;

var cspOptions = CspOptionsBuilder.CreateStrict()
    .WithScriptSrc("'self'", "'nonce-{nonce}'", "https://cdn.example.com")
    .WithStyleSrc("'self'", "'nonce-{nonce}'", "https://fonts.example.com")
    .WithFontSrc("'self'", "https://fonts.example.com")
    .WithImgSrc("'self'", "data:", "https:")
    .WithConnectSrc("'self'", "https://api.example.com")
    .WithReportUri("https://your-domain.com/csp-report")
    .Build();

builder.Services.AddNonceServices(options =>
{
    // Apply the built options
    options.DefaultSrc = cspOptions.DefaultSrc;
    options.ScriptSrc = cspOptions.ScriptSrc;
    options.StyleSrc = cspOptions.StyleSrc;
    options.FontSrc = cspOptions.FontSrc;
    options.ImgSrc = cspOptions.ImgSrc;
    options.ConnectSrc = cspOptions.ConnectSrc;
    options.ReportUri = cspOptions.ReportUri;
});

Environment-Specific Configuration

Configure different policies for different environments:

// Check the environment on the builder: services must be registered before builder.Build()
if (builder.Environment.IsDevelopment())
{
    // More permissive policy for development
    var devOptions = CspOptionsBuilder.CreateDevelopment()
        .WithReportOnly(true) // Only report violations, don't block
        .Build();
        
    builder.Services.AddNonceServices(options =>
    {
        // Apply development options
        options.ScriptSrc = devOptions.ScriptSrc;
        options.StyleSrc = devOptions.StyleSrc;
        options.ReportOnly = devOptions.ReportOnly;
    });
}
else
{
    // Strict policy for production
    var prodOptions = CspOptionsBuilder.CreateStrict()
        .WithReportUri("https://your-domain.com/csp-report")
        .Build();
        
    builder.Services.AddNonceServices(options =>
    {
        // Apply production options
        options.ScriptSrc = prodOptions.ScriptSrc;
        options.StyleSrc = prodOptions.StyleSrc;
        options.ReportUri = prodOptions.ReportUri;
    });
}

Compatible and additional computed target framework versions

Product: .NET
Compatible: net6.0, net7.0, net8.0
Computed: net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows, net7.0-android, net7.0-ios, net7.0-maccatalyst, net7.0-macos, net7.0-tvos, net7.0-windows, net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows, net9.0, net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows, net10.0, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.2 115 8/16/2025
1.0.1 136 8/13/2025
1.0.0 136 8/13/2025

Initial release with nonce generation, tag helpers, view components, and middleware support.