OwaspHeaders.Core 3.0.0

A .NET Core Middleware which adds the OWASP recommended HTTP headers for enhanced security.

There is a newer version of this package available.
See the version list below for details.
Install-Package OwaspHeaders.Core -Version 3.0.0
dotnet add package OwaspHeaders.Core --version 3.0.0
<PackageReference Include="OwaspHeaders.Core" Version="3.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add OwaspHeaders.Core --version 3.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

Description

A collection of ASP.NET Core middleware classes designed to increase web application security by adopting the recommended OWASP settings.

Source Code

For the full source code, please see the project's GitHub Repo.

Secure Headers

The SecureHeadersMiddleware is used to inject the HTTP headers recommended by the OWASP Secure Headers project into all responses generated by the ASP.NET Core pipeline.

Usage

Add a reference to the NuGet package to your project

dotnet add package OwaspHeaders.Core
Configuration in Version 3.x

Version 3.x of OwaspHaders.Core no longer uses the secureHeaderSettings.json file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency.

In your Startup class, add a using statement for the OwaspHeaders.Core middleware

using OwaspHeaders.Core.Extensions;

Then in the Configure method, add the following

app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareExtensions.BuildDefaultConfiguration());

This will use the default configuration for the OwaspHeaders.Core middleware. The method (found in /src/Extensions/SecureHeadersMiddlewareExtensions.cs) looks like this:

public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts()
        .UseXFrameOptions()
        .UseXSSProtection()
        .UseContentTypeOptions()
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies()
        .UseReferrerPolicy()
        .Build();
}

In order to use a custom configuration, follow the same pattern (perhaps creating your own extension method to encapsulate it):

public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts(1200, false)
        .UseXSSProtection(XssMode.oneReport, "https://reporturi.com/some-report-url")
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
        .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
        .Build();
}

Then consume it in the following manner:

app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration());
Configuration in Version 2.x

In the constructor for the Startup class, add a reference to a secureHeaderSettings.json

public Startup(IHostingEnvironment env)
{
    var builder = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddJsonFile("secureHeaderSettings.json", optional:true, reloadOnChange: true)
    .AddEnvironmentVariables();
    Configuration = builder.Build();
}

The contents of the secureHeaderSettings.json file take the following format:

{
    "SecureHeadersMiddlewareConfiguration": {
        "UseHsts": "true",
        "HstsConfiguration": {
            "MaxAge": 42,
            "IncludeSubDomains": "true"
        },
        "UseHpkp": "true",
        "HPKPConfiguration" :{
            "PinSha256" : [
                "e927fad33f9eb96126896413502a1034be0ca379dec377fb891feb9ebc720e47"
                ],
            "MaxAge": 3,
            "IncludeSubDomains": "true",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXFrameOptions": "true",
        "XFrameOptionsConfiguration": {
            "OptionValue": "allowfrom",
            "AllowFromDomain": "com.gaprogman.dotnetcore"
        },
        "UseXssProtection": "true",
        "XssConfiguration": {
            "XssSetting": "oneReport",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXContentTypeOptions": "true",
        "UseContentSecurityPolicy": "true",
        "ContentSecurityPolicyConfiguration": {
            "BlockAllMixedContent": "true",
            "UpgradeInsecureRequests": "true"
        }
    }
}

(the above file is provided for illustration purposes)

Load the contents of the secureHeaderSettings.json into an instance of the SecureHeadersMiddlewareConfiguration in the Startup class' ConfigureServices method.

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services
    // Add functionality to inject IOptions<T>
    services.AddOptions();

    // Add our Config object so it can be injected
    services.Configure<SecureHeadersMiddlewareConfiguration>(Configuration.GetSection("SecureHeadersMiddlewareConfiguration"));
}

Add the SecureHeadersMiddleware into the ASP.NET Core pipeline, in the Startup class' Configure method.

public void Configure(IApplicationBuilder app, IHostingEnvironment env,
    IOptions<SecureHeadersMiddlewareConfiguration> secureHeaderSettings)
{
    // Add SecureHeadersMiddleware to the pipeline
    app.UseSecureHeadersMiddleware(secureHeaderSettings.Value);
}

Description

A collection of ASP.NET Core middleware classes designed to increase web application security by adopting the recommended OWASP settings.

Source Code

For the full source code, please see the project's GitHub Repo.

Secure Headers

The SecureHeadersMiddleware is used to inject the HTTP headers recommended by the OWASP Secure Headers project into all responses generated by the ASP.NET Core pipeline.

Usage

Add a reference to the NuGet package to your project

dotnet add package OwaspHeaders.Core
Configuration in Version 3.x

Version 3.x of OwaspHaders.Core no longer uses the secureHeaderSettings.json file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency.

In your Startup class, add a using statement for the OwaspHeaders.Core middleware

using OwaspHeaders.Core.Extensions;

Then in the Configure method, add the following

app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareExtensions.BuildDefaultConfiguration());

This will use the default configuration for the OwaspHeaders.Core middleware. The method (found in /src/Extensions/SecureHeadersMiddlewareExtensions.cs) looks like this:

public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts()
        .UseXFrameOptions()
        .UseXSSProtection()
        .UseContentTypeOptions()
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies()
        .UseReferrerPolicy()
        .Build();
}

In order to use a custom configuration, follow the same pattern (perhaps creating your own extension method to encapsulate it):

public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts(1200, false)
        .UseXSSProtection(XssMode.oneReport, "https://reporturi.com/some-report-url")
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
        .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
        .Build();
}

Then consume it in the following manner:

app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration());
Configuration in Version 2.x

In the constructor for the Startup class, add a reference to a secureHeaderSettings.json

public Startup(IHostingEnvironment env)
{
    var builder = new ConfigurationBuilder()
    .SetBasePath(env.ContentRootPath)
    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
    .AddJsonFile("secureHeaderSettings.json", optional:true, reloadOnChange: true)
    .AddEnvironmentVariables();
    Configuration = builder.Build();
}

The contents of the secureHeaderSettings.json file take the following format:

{
    "SecureHeadersMiddlewareConfiguration": {
        "UseHsts": "true",
        "HstsConfiguration": {
            "MaxAge": 42,
            "IncludeSubDomains": "true"
        },
        "UseHpkp": "true",
        "HPKPConfiguration" :{
            "PinSha256" : [
                "e927fad33f9eb96126896413502a1034be0ca379dec377fb891feb9ebc720e47"
                ],
            "MaxAge": 3,
            "IncludeSubDomains": "true",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXFrameOptions": "true",
        "XFrameOptionsConfiguration": {
            "OptionValue": "allowfrom",
            "AllowFromDomain": "com.gaprogman.dotnetcore"
        },
        "UseXssProtection": "true",
        "XssConfiguration": {
            "XssSetting": "oneReport",
            "ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
        },
        "UseXContentTypeOptions": "true",
        "UseContentSecurityPolicy": "true",
        "ContentSecurityPolicyConfiguration": {
            "BlockAllMixedContent": "true",
            "UpgradeInsecureRequests": "true"
        }
    }
}

(the above file is provided for illustration purposes)

Load the contents of the secureHeaderSettings.json into an instance of the SecureHeadersMiddlewareConfiguration in the Startup class' ConfigureServices method.

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services
    // Add functionality to inject IOptions<T>
    services.AddOptions();

    // Add our Config object so it can be injected
    services.Configure<SecureHeadersMiddlewareConfiguration>(Configuration.GetSection("SecureHeadersMiddlewareConfiguration"));
}

Add the SecureHeadersMiddleware into the ASP.NET Core pipeline, in the Startup class' Configure method.

public void Configure(IApplicationBuilder app, IHostingEnvironment env,
    IOptions<SecureHeadersMiddlewareConfiguration> secureHeaderSettings)
{
    // Add SecureHeadersMiddleware to the pipeline
    app.UseSecureHeadersMiddleware(secureHeaderSettings.Value);
}

This package is not used by any popular GitHub repositories.

Version History

Version Downloads Last updated
3.5.2 3,176 7/19/2019
3.5.1 55 7/19/2019
3.5.0 54 7/19/2019
3.4.1 57 7/19/2019
3.4.0 8,258 3/16/2019
3.3.2 19,244 5/1/2018
3.3.1 981 4/16/2018
3.3.0 235 4/16/2018
3.2.0 231 4/16/2018
3.1.2 241 4/16/2018
3.1.1 384 4/13/2018
3.1.0 405 4/7/2018
3.0.0.3 746 3/20/2018
3.0.0.2 328 3/20/2018
3.0.0.1 1,309 2/25/2018
3.0.0 394 2/17/2018
2.1.0 2,429 1/2/2018
2.0.0.1 748 11/23/2017
2.0.0 1,271 9/20/2017
1.6.0 280 8/15/2017
1.5.0 242 8/13/2017
1.0.1 304 7/25/2017
0.0.0.1 305 7/25/2017
Show less