OwaspHeaders.Core 9.5.0

There is a newer version of this package available.
See the version list below for details.

dotnet add package OwaspHeaders.Core --version 9.5.0

NuGet\Install-Package OwaspHeaders.Core -Version 9.5.0

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="OwaspHeaders.Core" Version="9.5.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

<PackageVersion Include="OwaspHeaders.Core" Version="9.5.0" />
                    

                            Directory.Packages.props

<PackageReference Include="OwaspHeaders.Core" />
                    

                            Project file

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add OwaspHeaders.Core --version 9.5.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: OwaspHeaders.Core, 9.5.0"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package OwaspHeaders.Core@9.5.0

#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=OwaspHeaders.Core&version=9.5.0
                    

                            Install as a Cake Addin

#tool nuget:?package=OwaspHeaders.Core&version=9.5.0
                    

                            Install as a Cake Tool

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

OwaspHeaders.Core

An ASP .NET Core middleware for injection OWASP recommended HTTP Headers for increased security. This project is designed against the OWASP Secure Headers Project.

Quick Starts

Create a .NET (either Framework, Core, or 5+) project which uses ASP .NET Core

Example;

dotnet new webapi -n exampleProject

Add a reference to the OwaspHeaders.Core NuGet package.

Example:

dotnet add package OwaspHeaders.Core

Alter the program.cs file to include the following:

app.UseSecureHeadersMiddleware();

This will add a number of default HTTP headers to all responses from your server component.

The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)

 cache-control: max-age=31536000,private 
 content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; 
 cross-origin-resource-policy: same-origin 
 referrer-policy: no-referrer 
 strict-transport-security: max-age=31536000;includeSubDomains 
 x-content-type-options: nosniff 
 x-frame-options: DENY 
 x-permitted-cross-domain-policies: none; 
 x-xss-protection: 0

Please note: The above example contains only the headers added by the Middleware.

Source Code Repo

The source code for this NuGet package can be found at: https://github.com/GaProgMan/OwaspHeaders.Core.

Documentation

The documentation for this NuGet package can be found at: https://gaprogman.github.io/OwaspHeaders.Core/.

Attestations

As of PR 148, OwaspHeaders.Core uses the GitHub provided process for creating attestations per build. This document talks through how to verify those attestations using the gh CLI.

See the Attestations page of the documentation to read about how you can verify the attestations for builds from 9.5.0 onward.

Issues and Bugs

Please raise any issues and bugs at the above mentioned source code repo.

Server Header: A Warning

The default configuration for this middleware removes the X-Powered-By header, as this can help malicious users to use targeted attacks for specific server infrastructure. However, since the Server header is added by the reverse proxy used when hosting an ASP .NET Core application, removing this header is out of scope for this middleware.

In order to remove this header, a web.config file is required, and the following should be added to it:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

The above XML is taken from this answer on ServerFault.

The web.config file will need to be copied to the server when the application is deployed.

Product	Compatible and additional computed target framework versions.
.NET	net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

Product

.NET

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net8.0
- No dependencies.
net9.0
- No dependencies.

NuGet packages (4)

Showing the top 4 NuGet packages that depend on OwaspHeaders.Core:

Package	Downloads
Whipstaff.AspNetCore Re-usable logic for working with ASP.NET Core.	37.8K
wjsz-base wjsz基础库	36.0K
OwaspHeaders.IsolatedFunction A .NET Core middleware for injecting the Owasp recommended HTTP Headers into Azure Isolated Functions	6.7K
DojoTools Toolkit for microservices designing developed by Pod2 in Bakery Net Dojo at Globant - Aug 2022	384

GitHub repositories (1)

Showing the top 1 popular GitHub repositories that depend on OwaspHeaders.Core:

Repository	Stars
GaProgMan/OnionArch A .NET Core demo application which uses the Onion Architecture	104

Version	Downloads	Last Updated
10.0.0	7,126	11/12/2025
9.9.0	12,589	10/1/2025
9.8.2	12,524	8/28/2025
9.8.1	8,875	8/3/2025
9.8.0	418	8/3/2025
9.7.2	163,237	12/31/2024
9.7.1	453	12/31/2024
9.7.0	608	12/27/2024
9.6.3	481	12/27/2024
9.6.2	437	12/27/2024
9.6.1	454	12/26/2024
9.6.0	451	12/26/2024
9.5.0	558	12/23/2024
9.4.3	15,815	12/11/2024
9.4.2	7,949	12/4/2024
9.4.1	834	12/4/2024
9.4.0	542	12/3/2024
9.3.0	2,511	12/3/2024
9.2.3	683	12/2/2024
9.2.2	436	12/2/2024
9.2.1	436	12/2/2024
9.2.0	510	12/2/2024
9.1.1	1,168	11/28/2024
9.0.1	6,566	11/20/2024
9.0.0	494	11/20/2024
8.1.3	31,539	10/19/2024
8.1.2	413	10/19/2024
8.1.1	418	10/19/2024
8.1.0	99,583	5/30/2024
8.0.0	137,796	12/3/2023
7.5.1	53,822	8/9/2023
7.5.0	28,698	6/7/2023
7.0.1	2,198	6/5/2023
7.0.0	436	6/5/2023
6.1.0	3,859	5/15/2023
6.0.5	753	5/15/2023
6.0.4	424	5/15/2023
6.0.3	402	5/15/2023
6.0.2	617	5/11/2023
6.0.1	433	5/11/2023
6.0.0	1,771	5/11/2023
5.0.0	556	5/11/2023
4.6.2	2,763	5/11/2023
4.6.1	400	5/11/2023
4.6.0	463	5/11/2023
4.5.1	254,419	5/15/2022
4.5.0	700	5/15/2022
4.4.0	42,546	4/8/2022
4.3.0	700	4/8/2022
4.2.0	495,353	12/31/2019
4.1.1	7,926	11/16/2019
4.1.0	2,231	10/23/2019
3.5.2	30,093	7/19/2019
3.5.1	877	7/19/2019
3.5.0	901	7/19/2019
3.4.1	903	7/19/2019
3.4.0	16,597	3/16/2019
3.3.2	29,528	5/1/2018
3.3.1	4,109	4/16/2018
3.3.0	2,780	4/16/2018
3.2.0	1,709	4/16/2018
3.1.2	1,731	4/16/2018
3.1.1	1,803	4/13/2018
3.1.0	1,757	4/7/2018
3.0.0.3	2,313	3/20/2018
3.0.0.2	1,710	3/20/2018
3.0.0.1	2,715	2/25/2018
3.0.0	1,728	2/17/2018
2.1.0	4,038	1/2/2018
2.0.0.1	1,946	11/23/2017
2.0.0	3,076	9/20/2017
1.6.0	1,750	8/15/2017
1.5.0	1,694	8/13/2017
1.0.1	2,017	7/25/2017
0.0.0.1	2,837	7/25/2017