Add security headers to core

By | Oct 25, 2016

As with the .NET Framework, it is just as important to add security headers to your .NET Core project to harden the security posture of your web application. The following library for .NET Core handles adding and removing the security-related headers.

The library with source can be downloaded here.

What does the library for core security headers provide?

  • It removes the following headers
    • Server Header (Indicates type and version of the web server)
    • X-Powered-By (Indicates the type of webserver)

Note that if IIS is used as the web server in front of a .NET Core application, the Server and X-Powered-By headers will not be removed, because IIS adds them after the response has left the application. To remove those headers see Remove IIS HTTP server header.

  • It adds the following security headers
    • X-XSS-Protection (Reflected cross-site scripting protection)
    • Strict-Transport-Security / HSTS (Enforces HTTPS traffic)
    • X-Content-Type-Options (Instructs the browser to honor the MIME types specified by the application)
    • X-Frame-Options (Indicates whether a site may be loaded in an IFrame; a way to protect against clickjacking)
  • It makes provision for adding custom headers
    • There is an Add Custom Header method that allows the policy to be extended.

How to use the core security headers library?

  • Add the project source to your .NET Core solution.
  • In the Startup.cs file, in the Configure method, call the AdjustSecurityHeader method.
    (Screenshot: Adjust core security headers)
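To show what such middleware does in practice, here is an added example (not the library's own code) of a minimal ASP.NET Core middleware that strips and adds the headers listed above; the names SecurityHeaderPolicy, AddCustomHeader and UseSecurityHeaders are assumptions, not the library's API.

```csharp
// Added example (not the library's own code): minimal ASP.NET Core middleware applying the header policy above.
// SecurityHeaderPolicy, AddCustomHeader and UseSecurityHeaders are hypothetical names.
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class SecurityHeaderPolicy
{
    public Dictionary<string, string> HeadersToAdd { get; } = new Dictionary<string, string>
    {
        ["X-XSS-Protection"] = "1; mode=block",        // legacy reflected-XSS filter
        ["X-Content-Type-Options"] = "nosniff",        // honour declared Content-Type, no MIME sniffing
        ["X-Frame-Options"] = "SAMEORIGIN",            // block cross-origin framing (clickjacking)
    };

    public HashSet<string> HeadersToRemove { get; } = new HashSet<string> { "Server", "X-Powered-By" };

    // HSTS is only honoured on an HTTPS response, so it is applied conditionally below.
    public string Hsts { get; set; } = "max-age=31536000; includeSubDomains";

    public SecurityHeaderPolicy AddCustomHeader(string name, string value)
    {
        HeadersToAdd[name] = value;   // extend or override the policy
        return this;
    }
}

public static class SecurityHeaderExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, SecurityHeaderPolicy policy)
    {
        return app.Use(async (context, next) =>
        {
            // OnStarting fires just before headers are sent, so headers set by later
            // middleware or the framework are still caught here. (IIS adds Server /
            // X-Powered-By after the app responds, so those need web.config changes.)
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                foreach (var name in policy.HeadersToRemove) headers.Remove(name);
                foreach (var kv in policy.HeadersToAdd) headers[kv.Key] = kv.Value;
                if (context.Request.IsHttps && policy.Hsts != null)
                    headers["Strict-Transport-Security"] = policy.Hsts;
                return Task.CompletedTask;
            });
            await next();
        });
    }
}
```

Register it early in Startup.Configure, before the MVC/static-file middleware, for example `app.UseSecurityHeaders(new SecurityHeaderPolicy().AddCustomHeader("Referrer-Policy", "no-referrer"));`, and confirm the result with a request to an HTTPS endpoint and a look at the response headers.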

I originally got the middleware library from Andres Lock's blog while investigating Identity 3.0 and .NET Core back in 2016. Since then I have adjusted and added to it to suit my own needs.
