Add security headers to ASP.NET Core

By | October 25, 2016

As with the .NET Framework, adding security headers to your ASP.NET Core project is an important step in hardening the security posture of your web application. The following library for ASP.NET Core handles adding and removing the security-related headers.

The library with source can be downloaded here.

What does the library for ASP.NET Core security headers provide?

  • It removes the following headers
    • Server Header (Indicates type and version of the web server)
    • X-Powered-By (Indicates the type of web server)

Note that if IIS is used as the web server for a .NET Core application, the Server and X-Powered-By headers will not be removed, because IIS adds them as the response leaves the application. To remove them in that case, see "Remove IIS HTTP server header".

  • It adds the following security headers
    • X-XSS-Protection (Reflected cross site scripting protection)
    • Strict-Transport-Security / HSTS (Enforces HTTPS traffic)
    • X-Content-Type-Options (Instructs the browser to honor the MIME types specified by the application)
    • X-Frame-Options (Indicates whether a site may be rendered in IFrames; a way to protect against clickjacking)
  • It makes provision for adding custom headers
    • There is an Add Custom Header method that allows the policy to be extended.

How to use the ASP.NET Core security headers library?

  • Add the project source to your ASP.NET Core solution.
  • In the Startup.cs file, call the AdjustSecurityHeader method from the Configure method.
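
To show what a middleware of this kind does in the request pipeline, here is an added sketch. It is not the library's source code: the class name, the UseExampleSecurityHeaders extension method and the header values are assumptions chosen for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (not the library's code) applying the headers listed above.
public class ExampleSecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public ExampleSecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task Invoke(HttpContext context)
    {
        // OnStarting fires just before the headers are sent, so values set by
        // later middleware or MVC are already present and get overridden here.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // Only removes headers already in the collection. On Kestrel, setting
            // KestrelServerOptions.AddServerHeader = false is the reliable way to
            // suppress Server; headers added by IIS are outside the app's reach.
            headers.Remove("Server");
            headers.Remove("X-Powered-By");

            // Assumed values; adjust to the policy your application needs.
            headers["X-XSS-Protection"] = "1; mode=block";
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "SAMEORIGIN";

            // Browsers ignore HSTS received over plain HTTP, so send it on HTTPS only.
            if (context.Request.IsHttps)
            {
                headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
            }
            return Task.CompletedTask;
        });

        return _next(context);
    }
}

public static class ExampleSecurityHeadersExtensions
{
    // Register early in Startup.Configure so every response passes through it.
    public static IApplicationBuilder UseExampleSecurityHeaders(this IApplicationBuilder app)
    {
        return app.UseMiddleware<ExampleSecurityHeadersMiddleware>();
    }
}
```

After deploying, request a page with the browser developer tools or `curl -I` and confirm the headers on the response the client actually receives, since a reverse proxy or IIS can still add or strip headers.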

I originally got the middleware library from Andrew Lock's blog while investigating Identity 3.0 and ASP.NET Core back in 2016. Since then I have adjusted and added to it to suit my own needs.
