OwaspHeaders.Core 3.1.2

There is a newer version of this package available.
See the version list below for details.
dotnet add package OwaspHeaders.Core --version 3.1.2                
NuGet\Install-Package OwaspHeaders.Core -Version 3.1.2                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="OwaspHeaders.Core" Version="3.1.2" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add OwaspHeaders.Core --version 3.1.2                
#r "nuget: OwaspHeaders.Core, 3.1.2"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install OwaspHeaders.Core as a Cake Addin
#addin nuget:?package=OwaspHeaders.Core&version=3.1.2

// Install OwaspHeaders.Core as a Cake Tool
#tool nuget:?package=OwaspHeaders.Core&version=3.1.2                

OwaspHeaders.Core

A .NET Core middleware for injecting the Owasp recommended HTTP Headers for increased security.

Licence Used

License: MIT

See the contents of the LICENSE file for details

Description

A collection of ASP.NET Core middleware classes designed to increase web application security by adopting the recommended OWASP settings.

Secure Headers

The SecureHeadersMiddleware is used to inject the HTTP headers recommended by the OWASP Secure Headers project into all responses generated by the ASP.NET Core pipeline.

Usage

Add a reference to the NuGet package to your project

dotnet add package OwaspHeaders.Core

Configuration

For both versions 1.x and 2.x, a secureHeaderSettings.json file was used. However, from version 3.x onwards, a build-time builder pattern is now used for configuring the secure headers.

Please see the following sections for how to configure the OwaspHeaders.Core middlware.

Configuration in Version 3.x

Version 3.x of OwaspHaders.Core no longer uses the secureHeaderSettings.json file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency.

In your Startup class, add a using statement for the OwaspHeaders.Core middleware

using OwaspHeaders.Core.Extensions;

Then in the Configure method, add the following

app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareExtensions.BuildDefaultConfiguration());

This will use the default configuration for the OwaspHeaders.Core middleware. The method (found in /src/Extensions/SecureHeadersMiddlewareExtensions.cs) looks like this:

public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts()
        .UseXFrameOptions()
        .UseXSSProtection()
        .UseContentTypeOptions()
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies()
        .UseReferrerPolicy()
        .Build();
}

In order to use a custom configuration, follow the same pattern (perhaps creating your own extension method to encapsulate it):

public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts(1200, false)
        .UseXSSProtection(XssMode.oneReport, "https://reporturi.com/some-report-url")
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
        .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
        .Build();
}

Then consume it in the following manner:

app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration());

Configuration in Version 2.x

In the constructor for the Startup class, add a reference to a secureHeaderSettings.json

public Startup(IHostingEnvironment env)
{
    var builder = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddJsonFile("secureHeaderSettings.json", optional:true, reloadOnChange: true)
    .AddEnvironmentVariables();
    Configuration = builder.Build();
}

The contents of the secureHeaderSettings.json file take the following format:

{
    "SecureHeadersMiddlewareConfiguration": {
        "UseHsts": "true",
        "HstsConfiguration": {
            "MaxAge": 42,
            "IncludeSubDomains": "true"
        },
        "UseHpkp": "true",
        "HPKPConfiguration" :{
            "PinSha256" : [
                "e927fad33f9eb96126896413502a1034be0ca379dec377fb891feb9ebc720e47"
                ],
            "MaxAge": 3,
            "IncludeSubDomains": "true",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXFrameOptions": "true",
        "XFrameOptionsConfiguration": {
            "OptionValue": "allowfrom",
            "AllowFromDomain": "com.gaprogman.dotnetcore"
        },
        "UseXssProtection": "true",
        "XssConfiguration": {
            "XssSetting": "oneReport",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXContentTypeOptions": "true",
        "UseContentSecurityPolicy": "true",
        "ContentSecurityPolicyConfiguration": {
            "BlockAllMixedContent": "true",
            "UpgradeInsecureRequests": "true"
        }
    }
}

(the above file is provided for illustration purposes)

Load the contents of the secureHeaderSettings.json into an instance of the SecureHeadersMiddlewareConfiguration in the Startup class' ConfigureServices method.

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services
    // Add functionality to inject IOptions<T>
    services.AddOptions();

    // Add our Config object so it can be injected
    services.Configure<SecureHeadersMiddlewareConfiguration>(Configuration.GetSection("SecureHeadersMiddlewareConfiguration"));
}

Add the SecureHeadersMiddleware into the ASP.NET Core pipeline, in the Startup class' Configure method.

public void Configure(IApplicationBuilder app, IHostingEnvironment env,
    IOptions<SecureHeadersMiddlewareConfiguration> secureHeaderSettings)
{
    // Add SecureHeadersMiddleware to the pipeline
    app.UseSecureHeadersMiddleware(secureHeaderSettings.Value);
}

Testing the Middleware

Run the application, request one of the pages that it serves and view the headers for the page.

This can be done in Google Chrome, using the Dev tools and checking the network tab.

secure headers shown in network tab

Shown above in the Response Headers section of the Values response.

Development Logs

This repository forms the basis for a series of blog posts that I have written on the topic of ASP.NET Core middleware.

If you would like to read about how I have developed the code in this repository, please see the first in the blog post series entitled: ".NET Core Middleware – OWASP Headers Part 1"

There are no supported framework assets in this package.

Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

NuGet packages (4)

Showing the top 4 NuGet packages that depend on OwaspHeaders.Core:

Package Downloads
Whipstaff.AspNetCore

Re-usable logic for working with ASP.NET Core.

wjsz-base

wjsz基础库

OwaspHeaders.IsolatedFunction

A .NET Core middleware for injecting the Owasp recommended HTTP Headers into Azure Isolated Functions

DojoTools

Toolkit for microservices designing developed by Pod2 in Bakery Net Dojo at Globant - Aug 2022

GitHub repositories (2)

Showing the top 2 popular GitHub repositories that depend on OwaspHeaders.Core:

Repository Stars
jeangatto/ASP.NET-Core-Clean-Architecture-CQRS-Event-Sourcing
ASP.NET Core, C#, CQRS Event Sourcing, REST API, DDD, SOLID Principles and Clean Architecture
GaProgMan/OnionArch
A .NET Core demo application which uses the Onion Architecture
Version Downloads Last updated
8.1.3 4,269 10/19/2024
8.1.2 77 10/19/2024
8.1.1 88 10/19/2024
8.1.0 46,235 5/30/2024
8.0.0 86,574 12/3/2023
7.5.1 43,494 8/9/2023
7.5.0 26,491 6/7/2023
7.0.1 1,910 6/5/2023
7.0.0 187 6/5/2023
6.1.0 3,094 5/15/2023
6.0.5 388 5/15/2023
6.0.4 163 5/15/2023
6.0.3 175 5/15/2023
6.0.2 342 5/11/2023
6.0.1 171 5/11/2023
6.0.0 1,055 5/11/2023
5.0.0 232 5/11/2023
4.6.2 2,055 5/11/2023
4.6.1 170 5/11/2023
4.6.0 190 5/11/2023
4.5.1 211,663 5/15/2022
4.5.0 463 5/15/2022
4.4.0 42,031 4/8/2022
4.3.0 477 4/8/2022
4.2.0 447,791 12/31/2019
4.1.1 7,623 11/16/2019
4.1.0 1,943 10/23/2019
3.5.2 27,964 7/19/2019
3.5.1 582 7/19/2019
3.5.0 595 7/19/2019
3.4.1 590 7/19/2019
3.4.0 15,809 3/16/2019
3.3.2 28,422 5/1/2018
3.3.1 3,474 4/16/2018
3.3.0 1,980 4/16/2018
3.2.0 1,089 4/16/2018
3.1.2 1,106 4/16/2018
3.1.1 1,207 4/13/2018
3.1.0 1,169 4/7/2018
3.0.0.3 1,683 3/20/2018
3.0.0.2 1,110 3/20/2018
3.0.0.1 2,133 2/25/2018
3.0.0 1,163 2/17/2018
2.1.0 3,441 1/2/2018
2.0.0.1 1,498 11/23/2017
2.0.0 2,636 9/20/2017
1.6.0 1,154 8/15/2017 1.6.0 is deprecated because it is no longer maintained.
1.5.0 1,099 8/13/2017 1.5.0 is deprecated because it is no longer maintained.
1.0.1 1,250 7/25/2017 1.0.1 is deprecated because it is no longer maintained.
0.0.0.1 1,498 7/25/2017