An ASP.NET Core middleware for injecting OWASP-recommended HTTP headers for increased security. This project is designed around the OWASP Secure Headers Project.
Example of creating a new Web API project:
dotnet new webapi -n exampleProject
Example of adding the package and enabling the middleware in the application's request pipeline:
dotnet add package OwaspHeaders.Core
app.UseSecureHeadersMiddleware();
This will add a number of default HTTP headers to all responses from your server component.
The following is an example of the response headers from version 6.0.2 (taken on May 15th, 2023):
</grreplace>
<gr_replace lines="17" cat="clarify" orig="Please note:">
Please note: the above example contains only the headers added by the middleware.
cache-control: max-age=31536000, private
strict-transport-security: max-age=63072000;includeSubDomains
x-frame-options: DENY
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none;
referrer-policy: no-referrer
Please note: The above example contains only the headers added by the Middleware.
The source code for this NuGet package can be found at: https://github.com/GaProgMan/OwaspHeaders.Core.
Please raise any issues and bugs at the above-mentioned source code repo.
The default configuration for this middleware removes the X-Powered-By header, as this header can help malicious users mount targeted attacks against specific server infrastructure. However, since the Server header is added by the reverse proxy used when hosting an ASP.NET Core application, removing that header is out of scope for this middleware. In order to remove it, a web.config file is required, and the following should be added to it:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
The above XML is taken from this answer on ServerFault.
The web.config file will need to be copied to the server when the application is deployed.
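A deployment check that covers both points above (the headers the middleware adds, and the X-Powered-By and Server headers that the middleware and the web.config change respectively remove) is a small header audit run against the public endpoint, so that what it sees is what the reverse proxy actually sends. The script below is an added example and is not part of OwaspHeaders.Core; the two header samples embedded in it are constructed (the hardened one mirrors the version 6.0.2 listing above, the unhardened one uses illustrative values), and the hostname in the curl usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of OwaspHeaders.Core: audit a captured HTTP response header
# block for the headers the middleware adds and for fingerprinting headers that should
# be gone (X-Powered-By via the middleware, Server via the web.config change).

# audit_headers: reads raw response headers on stdin and prints one line per check.
# Returns 0 when every required header is present and no fingerprinting header remains,
# 1 otherwise. Header names are compared case-insensitively, as HTTP requires.
audit_headers() {
  headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
  status=0
  # Headers the middleware sets by default (per the version 6.0.2 listing).
  for name in strict-transport-security x-frame-options x-content-type-options \
              content-security-policy referrer-policy x-permitted-cross-domain-policies; do
    if printf '%s\n' "$headers" | grep -q "^$name:"; then
      echo "ok       $name"
    else
      echo "MISSING  $name"
      status=1
    fi
  done
  # Headers that reveal server infrastructure and should be absent.
  for name in x-powered-by server; do
    if printf '%s\n' "$headers" | grep -q "^$name:"; then
      echo "PRESENT  $name (fingerprinting header, should be removed)"
      status=1
    else
      echo "ok       $name absent"
    fi
  done
  return $status
}

# Constructed sample: the header set from the listing above, as a hardened response.
sample_hardened() {
  cat <<'EOF'
HTTP/1.1 200 OK
cache-control: max-age=31536000, private
strict-transport-security: max-age=63072000;includeSubDomains
x-frame-options: DENY
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none;
referrer-policy: no-referrer
EOF
}

# Constructed sample: none of the middleware's headers, both fingerprinting headers
# still present (values are illustrative, not captured from a real server).
sample_unhardened() {
  cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Server: Kestrel
X-Powered-By: ASP.NET
EOF
}

echo "== hardened sample =="
sample_hardened | audit_headers
echo "== unhardened sample =="
sample_unhardened | audit_headers || true
# Against a live deployment (hostname is a placeholder); -D - writes the response
# headers of a GET to stdout, -o /dev/null discards the body:
#   curl -s -D - -o /dev/null https://your-host.example/ | audit_headers
```

The non-zero exit status makes the audit usable as a post-deploy gate in a pipeline; a missing Server check failure after deploying the web.config usually means the request did not pass through the IIS layer that honours requestFiltering, which is exactly the case the note above about the reverse proxy describes.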