SafeWebCore 1.3.0

.NET 10.0

dotnet add package SafeWebCore --version 1.3.0

NuGet\Install-Package SafeWebCore -Version 1.3.0

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="SafeWebCore" Version="1.3.0" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

<PackageVersion Include="SafeWebCore" Version="1.3.0" />
                    

                            Directory.Packages.props

<PackageReference Include="SafeWebCore" />
                    

                            Project file

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.

paket add SafeWebCore --version 1.3.0

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: SafeWebCore, 1.3.0"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package SafeWebCore@1.3.0

#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

#addin nuget:?package=SafeWebCore&version=1.3.0
                    

                            Install as a Cake Addin

#tool nuget:?package=SafeWebCore&version=1.3.0
                    

                            Install as a Cake Tool

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

🛡️ SafeWebCore

A lightweight, high-performance .NET 10 middleware library that adds security headers to your ASP.NET Core applications. Targets an A+ rating on securityheaders.com out of the box.

Backward Compatibility Goal

SafeWebCore keeps a strict 100% backward compatibility contract. New capabilities are additive and opt-in, so existing configurations keep their current behavior.

Two Ways to Use SafeWebCore

Option 1 — Strict A+ Preset (fastest)

One line for the strictest A+ configuration. Defined in ServiceCollectionExtensions.AddNetSecureHeadersStrictAPlus().

using SafeWebCore.Extensions;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddNetSecureHeadersStrictAPlus();

var app = builder.Build();
app.UseNetSecureHeaders();
app.Run();

Customize the preset — CSP directives are space-separated, add multiple origins in one string:

builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
{
    // Single origin
    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn.example.com" };

    // Multiple origins — just separate with spaces
    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn1.example.com https://cdn2.example.com data:" };

    // Multiple directives at once
    opts.Csp = opts.Csp with
    {
        ConnectSrc = "'self' https://api.example.com wss://ws.example.com",
        FontSrc = "'self' https://fonts.gstatic.com https://cdn.example.com"
    };

    // Non-CSP headers
    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
});

Option 2 — Fully Custom Configuration

Full control over every header via ServiceCollectionExtensions.AddNetSecureHeaders():

using SafeWebCore.Builder;
using SafeWebCore.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddNetSecureHeaders(opts =>
{
    // Transport security
    opts.EnableHsts = true;
    opts.HstsValue = "max-age=31536000; includeSubDomains";

    // Framing
    opts.EnableXFrameOptions = true;
    opts.XFrameOptionsValue = "SAMEORIGIN";

    // MIME sniffing
    opts.EnableXContentTypeOptions = true;
    opts.XContentTypeOptionsValue = "nosniff";

    // Referrer
    opts.EnableReferrerPolicy = true;
    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";

    // Permissions
    opts.EnablePermissionsPolicy = true;
    opts.PermissionsPolicyValue = "camera=(), microphone=(), geolocation=()";

    // Cross-Origin isolation
    opts.EnableCoep = true;
    opts.CoepValue = "require-corp";
    opts.EnableCoop = true;
    opts.CoopValue = "same-origin";
    opts.EnableCorp = true;
    opts.CorpValue = "same-origin";

    // Server header
    opts.RemoveServerHeader = true;

    // CSP — use the fluent builder
    opts.Csp = new CspBuilder()
        .DefaultSrc("'none'")
        .ScriptSrc("'nonce-{nonce}' 'strict-dynamic' https:")
        .StyleSrc("'nonce-{nonce}'")
        .ImgSrc("'self' https: data:")
        .FontSrc("'self' https://fonts.gstatic.com")
        .ConnectSrc("'self' wss://realtime.example.com")
        .FrameAncestors("'none'")
        .BaseUri("'none'")
        .FormAction("'self'")
        .UpgradeInsecureRequests()
        .Build();
});

var app = builder.Build();
app.UseNetSecureHeaders();
app.Run();

Both methods are defined in SafeWebCore.Extensions.ServiceCollectionExtensions.

Strict A+ Headers

Header	Strict A+ Value
`Strict-Transport-Security`	`max-age=63072000; includeSubDomains; preload`
`Content-Security-Policy`	Nonce-based, `strict-dynamic`, Trusted Types
`X-Frame-Options`	`DENY`
`X-Content-Type-Options`	`nosniff`
`Referrer-Policy`	`no-referrer`
`Permissions-Policy`	All 28 browser features denied (modern, Chromium-recognised tokens)
`Cross-Origin-Embedder-Policy`	`require-corp`
`Cross-Origin-Opener-Policy`	`same-origin`
`Cross-Origin-Resource-Policy`	`same-origin`
`Server`	(removed)

Features

🔒 Strict A+ preset — one-line setup with the strictest security headers
🌐 Browser-safe Permissions-Policy — preset emits only tokens recognised by current Chromium builds; stale tokens (ambient-light-sensor, battery, navigation-override, etc.) removed in v1.3.0 to eliminate console noise
🛠️ Fully custom — configure every header and CSP directive individually
🧩 Nonce-based CSP — per-request cryptographic nonces for scripts and styles
🧷 Razor nonce TagHelpers — auto-add nonce to <script> and <style> in Razor views
🛣️ Path-based policies — assign different security profiles per route prefix (longest-prefix wins)
🧪 Startup validation — fail fast on invalid combinations and duplicate path policies
📝 CSP Report-Only mode — safely test policy changes before hard enforcement
🧱 Typed policy builders — strongly typed builders for Referrer-Policy, Permissions-Policy, and COEP/COOP/CORP
🧭 First-class upcoming header support — configure non-standard or emerging headers through AdditionalHeaders (opt-in)
📡 First-class Reporting API endpoint support — emit Reporting-Endpoints from typed ReportingEndpoints options (opt-in)
📋 Full CSP Level 3 (W3C Recommendation) — all 22 directives, nonce/hash support, strict-dynamic, report-to, worker-src, frame-src, manifest-src, script-src-elem/attr, style-src-elem/attr
🔮 CSP Level 4 ready — Trusted Types (require-trusted-types-for, trusted-types), fenced-frame-src (Privacy Sandbox)
🎯 Fluent CSP Builder — type-safe, chainable API with full XML documentation
⚡ Zero-allocation nonce generation — stackalloc + RandomNumberGenerator, plus TryWriteNonce(Span<char>) for fully heap-free scenarios (v1.1.0)
🔍 HttpContext.GetCspNonce() — discoverable extension method to retrieve the per-request nonce (v1.1.0)
🚀 Pre-built CSP template — CSP header string computed once at startup, not per-request (v1.1.0)
🔌 Extensible — custom IHeaderPolicy implementations
📊 CSP violation reporting — built-in /csp-report endpoint using Reporting API v1

First-class Upcoming Headers (Opt-in)

Use AdditionalHeaders when you want to emit upcoming or non-standard headers without writing a custom policy type:

builder.Services.AddNetSecureHeaders(opts =>
{
    opts.AdditionalHeaders.Add(new()
    {
        Name = "Document-Policy",
        Value = "force-load-at-top"
    });
});

First-class Reporting Endpoints (Opt-in)

Use ReportingEndpoints to emit the Reporting-Endpoints response header and map endpoint groups used by CSP report-to:

builder.Services.AddNetSecureHeaders(opts =>
{
    opts.Csp = opts.Csp with { ReportTo = "default" };

    opts.ReportingEndpoints.Add(new()
    {
        Group = "default",
        Url = "https://reports.example.com/csp"
    });
});

Emitted header value:

Reporting-Endpoints: default="https://reports.example.com/csp"

Validate Your Headers

After deploying, test your security headers with:

securityheaders.com — Grades all response headers A+ through F. With the Strict A+ preset you should score A+ immediately.
Google CSP Evaluator — Paste your Content-Security-Policy value to check for misconfigurations (missing object-src, 'unsafe-inline' without nonce, missing 'strict-dynamic', etc.).

Documentation

Full documentation: github.com/MPCoreDeveloper/SafeWebCore/docs

Planning documents:

License

MIT — see LICENSE

Product	Compatible and additional computed target framework versions.
.NET	net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net10.0
- No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last Updated
1.3.0	111	5/2/2026
1.2.0	610	4/2/2026
1.1.0	104	3/29/2026
1.0.0	195	3/28/2026

## v1.3.0 — Permissions-Policy Browser Compatibility Cleanup

**Changed:**
- StrictAPlus preset: removed 8 stale Permissions-Policy tokens that Chromium logs as
"Unrecognized feature" (ambient-light-sensor, battery, cross-origin-isolated,
document-domain, execution-while-not-rendered, execution-while-out-of-viewport,
navigation-override, sync-xhr). These were removed from or were never part of the
Permissions Policy spec.
- StrictAPlus preset: added 7 modern Permissions-Policy tokens standardised in 2022–2024
(clipboard-read, clipboard-write, identity-credentials-get, local-fonts,
otp-credentials, publickey-credentials-create, window-management).

**Result:** Preset now emits 28 recognised feature tokens, eliminating browser console
noise while keeping full deny-all coverage for all current standardised features.

## v1.2.0 — Security Rollout and Developer Experience

**Major Features:**
- CSP Report-Only mode for safe policy rollout before enforcement
- Path-based policy selection (different headers per route prefix, longest-prefix matching)
- Startup validation with actionable errors for invalid configurations
- Razor TagHelpers for automatic nonce injection on <script> and <style>
- Typed builders for Referrer-Policy, Permissions-Policy, and Cross-Origin policies
- CSP violation reporting with ICspReportSink abstraction (custom handling, logging, telemetry)
- Endpoint metadata overrides ([SkipNetSecureHeaders], [CspMode]) for targeted exceptions
- Optional additional headers: Origin-Agent-Cluster, X-Robots-Tag, Clear-Site-Data
- Five app-profile presets: StrictAPlus, Api, Mvc, Blazor, SpaReverseProxy

**Performance Optimizations (v1.1.0+):**
- Pre-built CSP template (computed once at startup, not per-request)
- StringBuilder-based CSP header generation (eliminates ~20 intermediate string allocations)
- Zero-allocation nonce generation: TryWriteNonce(Span<char>) for heap-free scenarios
- NonceService.NonceLength constant (44) for buffer pre-allocation

**New APIs:**
- HttpContext.GetCspNonce() extension method for discoverable nonce access
- NonceService.TryWriteNonce(Span<char>, out int written) for zero-alloc scenarios
- CspBuilder.Build() returns immutable CspOptions record
- Improved CancellationToken propagation in CSP reporting pipeline

**Improvements:**
- Modernized C# patterns (primary constructors, collection expressions, file-scoped namespaces)
- Comprehensive documentation for all features and presets
- Full CSP Level 3 (W3C Recommendation) support
- CSP Level 4 ready (Trusted Types, fenced-frame-src)

**Breaking Changes:** None — fully backward compatible with v1.0.0+

See docs/ for complete guides and examples/ for runnable sample projects.