Last active November 1, 2023 01:52
ASP.NET Core Security Headers
// To be added to the Configure method in the Startup.cs in ASP.NET Core app
// public void Configure(IApplicationBuilder app, IHostingEnvironment env)
app.Use((context, next) =>
{
    context.Response.Headers["Server"] = "Cyberax";
    context.Response.Headers["X-Frame-Options"] = "DENY";
    context.Response.Headers["X-XSS-Protection"] = "1; mode=block";
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Strict-Transport-Security"] = "max-age=31536000";
    context.Response.Headers["Content-Security-Policy"] = "default-src https: 'unsafe-inline'";
    context.Response.Headers["Referrer-Policy"] = "no-referrer-when-downgrade";
    return next();
});
The code above gives the site an A ranking on SecurityHeaders.
It can be raised to A+ by removing 'unsafe-inline' from the Content-Security-Policy, but then the browser blocks every inline script and stylesheet on the page; even a simple style="display:none" attribute stops working.
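The usual way to drop 'unsafe-inline' without breaking the page's own inline scripts is a per-request nonce: the middleware generates a random value, advertises it in the CSP, and the view stamps the same value onto each inline `<script>` or `<style>` element it emits. The following is an added example written for this page, not code from the gist; it assumes the .NET 6+ minimal hosting model, and the `HttpContext.Items` key name "CspNonce" is an arbitrary choice.

```csharp
// Added example, not part of the original gist.
// Per-request CSP nonce middleware: lets the policy omit 'unsafe-inline'
// while still permitting the inline scripts/styles the app itself emits.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.Use(async (context, next) =>
{
    // 128 bits of fresh randomness per response; a nonce that repeats is useless.
    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    context.Items["CspNonce"] = nonce;   // key name is our own convention

    // Set headers in OnStarting so they are in place before the body begins streaming.
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;
        headers["Content-Security-Policy"] =
            $"default-src 'self'; script-src 'self' 'nonce-{nonce}'; " +
            $"style-src 'self' 'nonce-{nonce}'; object-src 'none'; " +
            "base-uri 'self'; frame-ancestors 'none'";
        headers["X-Content-Type-Options"] = "nosniff";
        headers["Referrer-Policy"] = "no-referrer-when-downgrade";
        headers["Strict-Transport-Security"] = "max-age=31536000";
        return Task.CompletedTask;
    });

    await next();
});

// A page whose inline script carries the nonce and therefore runs under the strict policy.
app.MapGet("/", (HttpContext ctx) =>
{
    var nonce = (string)ctx.Items["CspNonce"]!;
    var html = "<html><body>" +
               $"<script nonce=\"{nonce}\">document.body.textContent = 'nonce ok';</script>" +
               "</body></html>";
    return Results.Content(html, "text/html");
});

app.Run();
```

Nonces apply only to `<script>` and `<style>` elements, so the style="display:none" attribute mentioned above still has to move into a stylesheet class (or be allowed through 'unsafe-hashes' with its hash) before 'unsafe-inline' can go.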