DEV Community

Fabrizio Bagalà

HTTP Security Headers in ASP.NET

ℹ️ Information
The code in the following article was tested with ASP.NET 6 and 7.

Nowadays, security is a fundamental aspect that should not be overlooked when developing a web app. An interesting approach to improving the security of a web app is the implementation of HTTP security headers.

Definition

An HTTP security header is an HTTP response header that a server sends to a browser. The header provides instructions to the browser, directing how it should behave when interacting with the site. This guidance contributes significantly to the security of the application.

HTTP security headers

The most common HTTP security headers are:

  • Content Security Policy (CSP): This helps prevent Cross-Site Scripting (XSS) attacks by specifying the domains that a browser should consider valid sources of executable scripts.
  • HTTP Strict Transport Security (HSTS): This enforces secure (HTTP over SSL/TLS) connections to the server.
  • X-Content-Type-Options: This prevents the browser from doing MIME-type sniffing.
  • X-Frame-Options: This provides clickjacking protection by preventing the page from being embedded into an iframe.
  • X-XSS-Protection: This stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although this header is deprecated and its use is not often recommended, it is still recognized and used by some browsers.

Implementations

You can implement these headers through:

👉 Anonymous middleware

Here is an example of how to add HTTP security headers directly into the Program.cs file:

using Microsoft.Extensions.Primitives;

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy", new StringValues("default-src 'self'"));
    context.Response.Headers.Add("X-Content-Type-Options", new StringValues("nosniff"));
    context.Response.Headers.Add("X-Frame-Options", new StringValues("SAMEORIGIN"));
    context.Response.Headers.Add("X-XSS-Protection", new StringValues("1; mode=block"));
    await next();
});

👉 External middleware

By creating an external middleware, you can centralize the setting of HTTP Security Headers:

using Microsoft.Extensions.Primitives;

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        context.Response.Headers.Add("Content-Security-Policy", new StringValues("default-src 'self'"));
        context.Response.Headers.Add("X-Content-Type-Options", new StringValues("nosniff"));
        context.Response.Headers.Add("X-Frame-Options", new StringValues("SAMEORIGIN"));
        context.Response.Headers.Add("X-XSS-Protection", new StringValues("1; mode=block"));

        await _next(context);
    }
}

Let's add the middleware to the app pipeline:

app.UseHsts();
app.UseHttpsRedirection();
app.UseMiddleware<SecurityHeadersMiddleware>();

Conclusion

Implementing HTTP security headers via middleware, either anonymously in the Program.cs file or via external middleware, is an effective way to improve the security of an ASP.NET application. However, it is important to remember that these headers are only part of the overall security of the app. They must be used with other security best practices, such as sanitizing user input and regularly updating software dependencies.

In addition, it is essential to test the implementation of these headers thoroughly to ensure that they do not cause operational problems for the application. For example, an overly restrictive CSP could prevent legitimate resources from loading.
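As an added example that is not part of the original post, here is an options-driven variant of the middleware above that addresses the testing concern: the CSP can be switched to report-only mode (so violations are reported but nothing is blocked), headers are set in OnStarting so they are applied regardless of what the downstream pipeline does, and the indexer is used instead of Add() to avoid an exception when a header is already present. It assumes ASP.NET Core 6/7 with implicit usings enabled; the class and option names are my own.

```csharp
using Microsoft.Extensions.Options;

public sealed class SecurityHeadersOptions
{
    public string ContentSecurityPolicy { get; set; } = "default-src 'self'";
    // When true, the policy is sent as Content-Security-Policy-Report-Only: the
    // browser reports violations but blocks nothing, which lets an overly
    // restrictive policy be found before it is enforced.
    public bool CspReportOnly { get; set; }
    public string FrameOptions { get; set; } = "SAMEORIGIN";
}

public sealed class ConfigurableSecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;
    private readonly SecurityHeadersOptions _options;

    public ConfigurableSecurityHeadersMiddleware(RequestDelegate next,
        IOptions<SecurityHeadersOptions> options)
    {
        _next = next;
        _options = options.Value;
    }

    public Task InvokeAsync(HttpContext context)
    {
        // Set the headers just before they are flushed to the client, so they are
        // applied whatever the downstream pipeline does. The indexer is used instead
        // of Add(): Add() throws if another component already set the same header.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            var cspName = _options.CspReportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
            headers[cspName] = _options.ContentSecurityPolicy;
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = _options.FrameOptions;
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

// Program.cs wiring: report-only in Development, enforced everywhere else.
// builder.Services.Configure<SecurityHeadersOptions>(o =>
//     o.CspReportOnly = builder.Environment.IsDevelopment());
// app.UseHsts();
// app.UseHttpsRedirection();
// app.UseMiddleware<ConfigurableSecurityHeadersMiddleware>();
```

Without a report-to or report-uri directive in the policy, report-only violations appear only in the browser's developer console, which is usually enough while tuning the policy locally.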


Top comments (1)

Ranjan Dailata

Great start.

A few more suggested security settings are here:

ASP.NET Core Security Header

Security-headers-in-asp-net-core
