ASP.NET Core Http Security Header
Let’s examine how the Http Security Header structure is used on .NET Core in a sample ASP.NET Core project. First we will create a blank web project.
dotnet new web -o httpsecurityheader
After creating the project, let’s examine the security headers.
X-Frame-Options
The X-Frame-Options header option is used to call your web page, called Clickjacking, on another web page with the iframe method and prevent any action.
DENY: It completely prevents the page from being called in an iframe.
SAMEORIGIN: It prevents the page from being called in an iframe outside of its domain.
ALLOW-FROM uri : Allows calling from a specific url in an iframe.
Note: According to the information here, X-Frame-Options header information is created as SAMEORIGIN by default.
To remove the X-Frame-Options header information, the AddAntiforgery method should be done as follows.
Strict-Transport-Security
It is used to prevent man-in-the-middle (MITM) attacks and automatically convert HTTP requests made by the client to HTTPS. It is used with the UseHsts middleware structure in .NET Core projects.
The use of HSTS is not recommended in development environments due to browser caching.
We can use the AddHSTS method for HSTS configuration.
Preload: The default value should be set to “true” in order to inform the browser that a secure connection will be established with the loading of the list of websites containing HSTS in the first connection of the website.
IncludeSubDomains: Used to specify whether or not to be valid for subdomains.
MaxAge: Sets how long the HSTS header is valid.
ExcludedHosts: Addresses that will invalidate headers are added.
UseHttpsRedirection middleware is used for mandatory redirection of all HTTP requests from clients to the HTTPS address. When using this middleware, attention should be paid to HTTPS configuration.
We can use AddHttpsRedirection method to configure HttpsRedirection.
X-Permitted-Cross-Domain-Policies
If you are using Flash on your website, you can prevent clients from making cross-site requests by using the X-Permission-Cross-Domain-Policies header.
X-XSS-Protection
The X-XSS-Protection header causes browsers to stop loading the web page when they detect a cross-site scripting attack.
X-Content-Type-Options
It is used to prevent browsers from determining the MIME type sent with the Content Type header in requests sent from the client.
Referrer-Policy
When a site accesses a different site, it sends its own address with a referrer. In some cases, the Referrer-Policy header is used when it is not desired to send the source address explicitly.
Feature-Policy
The app’s camera, microphone, usb etc. It is the title that we determine whether or not it will need such requirements.
Content-Security-Policy
Content-Security-Policy is a security policy used to control data injection attacks that may occur due to a web page’s style and script files.
I have prepared a sample middleware containing all these headers.
You can download the project here. Please let me know if there are typos in my post.
