dotnet add package OwaspHeaders.Core --version 7.5.1
NuGet\Install-Package OwaspHeaders.Core -Version 7.5.1
<PackageReference Include="OwaspHeaders.Core" Version="7.5.1" />
paket add OwaspHeaders.Core --version 7.5.1
#r "nuget: OwaspHeaders.Core, 7.5.1"
// Install OwaspHeaders.Core as a Cake Addin
#addin nuget:?package=OwaspHeaders.Core&version=7.5.1
// Install OwaspHeaders.Core as a Cake Tool
#tool nuget:?package=OwaspHeaders.Core&version=7.5.1
- Create a .NET (either Framework, Core, or 5+) project which uses ASP.NET Core
dotnet new webapi -n exampleProject
- Add a reference to the OwaspHeaders.Core NuGet package.
dotnet add package OwaspHeaders.Core
- Alter the Startup (pre .NET 6) or Program (post .NET 6) class to include the following:
This will add a number of default HTTP headers to all responses from your server component.
The following is an example of the response headers from version 6.0.2 (taken on May 15th, 2023):
cache-control: max-age=31536000, private
strict-transport-security: max-age=63072000;includeSubDomains
x-frame-options: DENY
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none;
referrer-policy: no-referrer
Please note: The above example contains only the headers added by the Middleware.
Source Code Repo
The source code for this NuGet package can be found at: https://github.com/GaProgMan/OwaspHeaders.Core.
Issues and Bugs
Please raise any issues and bugs at the above-mentioned source code repo.
Server Header: A Warning
The default configuration for this middleware removes the X-Powered-By header, as it can help malicious users target attacks at specific server infrastructure. However, since the Server header is added by the reverse proxy used when hosting an ASP.NET Core application, removing this header is out of scope for this middleware.
In order to remove this header, a web.config file is required, and the following should be added to it:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
The above XML is taken from this answer on ServerFault.
The web.config file will need to be copied to the server when the application is deployed.
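One way to check a deployment against the sample response headers and the Server header warning above, as an added Python example that is not part of the OwaspHeaders.Core project. The names BASELINE, DISCLOSURE, directives, parse_headers and audit are hypothetical, SAMPLE is a constructed response, and the baseline is the version 6.0.2 sample from this page, so other versions' defaults may differ.

```python
import re

BASELINE = {  # copied from this page's sample response (version 6.0.2)
    "cache-control": "max-age=31536000, private",
    "strict-transport-security": "max-age=63072000;includeSubDomains",
    "x-frame-options": "DENY",
    "x-xss-protection": "0",
    "x-content-type-options": "nosniff",
    "content-security-policy": "script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;",
    "x-permitted-cross-domain-policies": "none;",
    "referrer-policy": "no-referrer",
}
DISCLOSURE = ("server", "x-powered-by")  # headers that reveal server infrastructure

def directives(value):
    """Split a header value on ';' or ',' into a case-insensitive set."""
    return frozenset(p.strip().lower() for p in re.split(r"[;,]", value) if p.strip())

def parse_headers(raw):
    """Parse 'Name: value' lines; names are lowercased, repeated headers are kept."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():  # skips the status line and blank lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return sorted findings: missing, differing, or disclosing headers."""
    headers = parse_headers(raw)
    findings = [f"discloses: {n}" for n in DISCLOSURE if n in headers]
    for name, expected in BASELINE.items():
        values = headers.get(name, [])
        if not values or any(directives(v) != directives(expected) for v in values):
            findings.append(f"{'differs' if values else 'missing'}: {name}")
    return sorted(findings)

# Constructed sample: a response served without the web.config change above.
SAMPLE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
Cache-Control: max-age=31536000, private
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
X-Permitted-Cross-Domain-Policies: none;
"""
```

Calling audit(SAMPLE) reports the disclosed Server header, the changed X-Frame-Options value and the missing Referrer-Policy header.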
|Product||Versions (compatible and additional computed target framework versions)|
|.NET||net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed.|
|.NET Core||netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed.|
|.NET Standard||netstandard2.0 is compatible. netstandard2.1 was computed.|
|.NET Framework||net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed.|
|MonoAndroid||monoandroid was computed.|
|MonoMac||monomac was computed.|
|MonoTouch||monotouch was computed.|
|Tizen||tizen40 was computed. tizen60 was computed.|
|Xamarin.iOS||xamarinios was computed.|
|Xamarin.Mac||xamarinmac was computed.|
|Xamarin.TVOS||xamarintvos was computed.|
|Xamarin.WatchOS||xamarinwatchos was computed.|
- Microsoft.AspNetCore.Http.Abstractions (>= 2.1.1)