An ASP.NET Core middleware designed to increase web application security by adopting the OWASP Secure Headers project recommended HTTP headers and values.
Please note: this middleware DOES NOT SUPPORT BLAZOR OR WEBASSEMBLY APPLICATIONS. This is because setting up secure HTTP headers in a WebAssembly context is a non-trivial task.
## Tools Required to Build This Repo

That's it.
## Example Project Coding Guidelines

### Primary Constructors Restriction

Important: When contributing to the example project only (the OwaspHeaders.Core.Example directory), please avoid using primary constructors due to a known issue with dotnet-format that causes incorrect indentation.
Avoid (in example project):

```csharp
public class HomeController(ILogger<HomeController> logger) : ControllerBase
{
    private readonly ILogger<HomeController> _logger = logger;
    // dotnet-format will incorrectly indent methods here
}
```

✅ Use instead (in example project):

```csharp
public class HomeController : ControllerBase
{
    private readonly ILogger<HomeController> _logger;

    public HomeController(ILogger<HomeController> logger)
    {
        _logger = logger;
    }
    // dotnet-format handles this correctly
}
```
Why: This restriction exists because of a bug in dotnet-format when processing primary constructors (see dotnet/format#2165). Since this project uses .editorconfig and dotnet-format for consistent code formatting, primary constructors cause formatting issues that break our CI/CD pipeline.

Scope: This restriction applies only to the example project. The main OwaspHeaders.Core library does not use primary constructors and is not affected by this issue.

Future: This guidance will be removed once the upstream dotnet-format bug is resolved.
The latest documentation for OwaspHeaders.Core can be found at https://gaprogman.github.io/OwaspHeaders.Core/.
As of PR 148, OwaspHeaders.Core uses the GitHub provided process for creating attestations per build. This document talks through how to verify those attestations using the gh CLI.
See the Attestations page of the documentation to read about how you can verify the attestations for builds from 9.5.0 onward.
Pull requests are welcome, but please take a moment to read the Code of Conduct before submitting them or commenting on any work in this repo.
We have comprehensive documentation for contributing to this project, which you are encouraged to read. This documentation can be found at: https://gaprogman.github.io/OwaspHeaders.Core/Contributing/.
Assuming that you have an ASP.NET Core project, add the NuGet package:

```shell
dotnet add package OwaspHeaders.Core
```

Alter the Program.cs file to include the following:

```csharp
app.UseSecureHeadersMiddleware();
```
This will add a number of default HTTP headers to all responses from your server component.
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024):

```
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
x-xss-protection: 0
```
Please note: The above example contains only the headers added by the Middleware.
The SecureHeadersMiddleware is used to inject the HTTP headers recommended by the OWASP Secure Headers project into all responses generated by the ASP.NET Core pipeline.

Listing and commenting on the default values that this middleware provides is out of scope for this readme, but they can be found in the official documentation. Please note that you will need to read through the above link to the Secure Headers Project in order to understand what these headers do, and the effect their presence will have on your applications when running in a web browser.
This middleware uses the builder pattern to set up the header information, which is a compile-time dependency.
In your Program.cs file:

```csharp
app.UseSecureHeadersMiddleware();
```

This will use the default configuration for the OwaspHeaders.Core middleware. The method (found in /src/Extensions/SecureHeadersMiddlewareExtensions.cs) looks like this:
In order to use a custom configuration, follow the same pattern (perhaps creating your own extension method to encapsulate it):

```csharp
public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
    return SecureHeadersMiddlewareBuilder
        .CreateBuilder()
        .UseHsts(1200, false)
        .UseContentDefaultSecurityPolicy()
        .UsePermittedCrossDomainPolicy(XPermittedCrossDomainOptionValue.masterOnly)
        .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
        .Build();
}
```

Then consume it in the following manner:

```csharp
app.UseSecureHeadersMiddleware(
    CustomSecureHeaderExtensions.CustomConfiguration()
);
```
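The following is an added example, not code from the OwaspHeaders.Core repository, showing how to verify both the default configuration and the custom configuration above from an xUnit integration test. It hosts a one-endpoint app in-process with Microsoft.AspNetCore.TestHost and asserts on the headers the middleware emits. Assumptions: the namespaces OwaspHeaders.Core.Extensions, OwaspHeaders.Core.Models and OwaspHeaders.Core.Enums for the extension method, the builder/configuration types and the enum values; that UseHsts(1200, false) yields a value starting with max-age=1200 with no includeSubDomains directive; and the static class name CustomSecureHeaderExtensions, which the usage snippet above implies.

```csharp
// Added example (not part of OwaspHeaders.Core): an xUnit integration test that hosts a
// minimal ASP.NET Core app in-process and checks the headers the middleware emits.
// Assumed package references: OwaspHeaders.Core, Microsoft.AspNetCore.TestHost, xunit.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using OwaspHeaders.Core.Enums;       // assumed namespace for the enum values used below
using OwaspHeaders.Core.Extensions;  // assumed namespace for UseSecureHeadersMiddleware
using OwaspHeaders.Core.Models;      // assumed namespace for the builder and configuration types
using Xunit;

public static class CustomSecureHeaderExtensions
{
    // The custom configuration from the README, reproduced so the test is self-contained.
    public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
    {
        return SecureHeadersMiddlewareBuilder
            .CreateBuilder()
            .UseHsts(1200, false)
            .UseContentDefaultSecurityPolicy()
            .UsePermittedCrossDomainPolicy(XPermittedCrossDomainOptionValue.masterOnly)
            .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
            .Build();
    }
}

public class SecureHeadersMiddlewareTests
{
    // Builds a one-endpoint app in-process; `registerMiddleware` chooses default or custom setup.
    private static async Task<HttpResponseMessage> GetRootAsync(Action<WebApplication> registerMiddleware)
    {
        var builder = WebApplication.CreateBuilder();
        builder.WebHost.UseTestServer();
        await using var app = builder.Build();

        registerMiddleware(app);
        app.MapGet("/", () => "ok");
        await app.StartAsync();

        var client = app.GetTestClient();
        // An https base address makes the request count as secure, so HSTS is in scope.
        client.BaseAddress = new Uri("https://localhost/");
        return await client.GetAsync("/");
    }

    // Joins a header's values, or returns null when the header is absent.
    private static string? Header(HttpResponseMessage response, string name) =>
        response.Headers.TryGetValues(name, out var values) ? string.Join(",", values) : null;

    [Fact]
    public async Task DefaultConfiguration_EmitsDocumentedHeaders()
    {
        using var response = await GetRootAsync(app => app.UseSecureHeadersMiddleware());

        // Expected values are the README's 9.0.0 response example; compared case-insensitively.
        Assert.Equal("max-age=31536000;includesubdomains", Header(response, "strict-transport-security"), ignoreCase: true);
        Assert.Equal("deny", Header(response, "x-frame-options"), ignoreCase: true);
        Assert.Equal("nosniff", Header(response, "x-content-type-options"), ignoreCase: true);
        Assert.Equal("no-referrer", Header(response, "referrer-policy"), ignoreCase: true);
        Assert.Equal("0", Header(response, "x-xss-protection"));
        // The default configuration removes X-Powered-By.
        Assert.Null(Header(response, "x-powered-by"));
    }

    [Fact]
    public async Task CustomConfiguration_OverridesHstsAndReferrerPolicy()
    {
        using var response = await GetRootAsync(app =>
            app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration()));

        // Assumed: UseHsts(1200, false) produces "max-age=1200" without includeSubDomains.
        var hsts = Header(response, "strict-transport-security");
        Assert.NotNull(hsts);
        Assert.StartsWith("max-age=1200", hsts);
        Assert.DoesNotContain("includesubdomains", hsts, StringComparison.OrdinalIgnoreCase);
        Assert.Equal("same-origin", Header(response, "referrer-policy"), ignoreCase: true);
        Assert.Equal("master-only", Header(response, "x-permitted-cross-domain-policies"), ignoreCase: true);
    }
}
```

A test like this pins the header set in CI, so a later change to the configuration (or a package upgrade that alters a default) shows up as a failing test rather than as a silently weaker response.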
An example ASP.NET Core application, with the middleware installed, is provided as part of this repo (see the code in the OwaspHeaders.Core.Example directory). You can run this example application to see the middleware in use via the provided OpenAPI endpoint, located at /swagger.

Or you could add the middleware to an existing application and run through the following: run the application, request one of the pages that it serves and view the headers for the page. This can be done in Google Chrome, using the Dev tools and checking the Network tab.

[Screenshot: the Response Headers section of the Values response in Chrome Dev tools]
The default configuration for this middleware removes the X-Powered-By header, as it can help malicious users mount targeted attacks against specific server infrastructure. However, since the Server header is added by the reverse proxy used when hosting an ASP.NET Core application, removing that header is out of scope for this middleware.

In order to remove this header, a web.config file is required, and the following should be added to it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

The above XML is taken from this answer on ServerFault.

The web.config file will need to be copied to the server when the application is deployed.
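Because the Server header is handled outside the middleware, the only way to confirm the deployed result is to request the application through its reverse proxy and inspect the response. The following is an added example, not part of the OwaspHeaders.Core repository: a small console program that fetches a URL, reports which of the headers listed in this README are present, and flags X-Powered-By and Server if they are still sent. The default target URL is a placeholder; pass your own deployment's URL as the first argument.

```csharp
// Added example (not part of OwaspHeaders.Core): a console check that requests a deployed URL
// and reports the secure headers it finds, plus whether X-Powered-By and Server are absent.
// Run it through the reverse proxy, since that is where the Server header is added or removed.
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Placeholder target; pass the real URL of your deployment as the first argument.
var target = args.Length > 0 ? args[0] : "https://example.invalid/";

// Do not follow redirects: the headers of the first response are the ones under test.
using var handler = new HttpClientHandler { AllowAutoRedirect = false };
using var client = new HttpClient(handler);
using var response = await client.GetAsync(target, HttpCompletionOption.ResponseHeadersRead);

Console.WriteLine($"{(int)response.StatusCode} {response.ReasonPhrase} from {target}");

// Header names the middleware adds, taken from the 9.0.0 response example in the README.
string[] expected =
{
    "strict-transport-security", "x-frame-options", "x-content-type-options",
    "content-security-policy", "x-permitted-cross-domain-policies", "referrer-policy",
    "cross-origin-resource-policy", "cache-control", "cross-origin-opener-policy",
    "cross-origin-embedder-policy", "x-xss-protection",
};

// Headers that should not be present: X-Powered-By is removed by the middleware,
// Server has to be removed by the proxy (see the web.config above).
string[] forbidden = { "x-powered-by", "server" };

var failures = 0;
foreach (var name in expected)
{
    if (response.Headers.TryGetValues(name, out var values))
    {
        Console.WriteLine($"OK       {name}: {string.Join(",", values)}");
    }
    else
    {
        Console.WriteLine($"MISSING  {name}");
        failures++;
    }
}

foreach (var name in forbidden)
{
    if (response.Headers.TryGetValues(name, out var values))
    {
        Console.WriteLine($"PRESENT  {name}: {string.Join(",", values)} (should be removed)");
        failures++;
    }
    else
    {
        Console.WriteLine($"OK       {name} absent");
    }
}

Console.WriteLine(failures == 0 ? "All checks passed." : $"{failures} check(s) failed.");
return failures == 0 ? 0 : 1;
```

The non-zero exit code lets the check run as a post-deployment step in a pipeline, so a proxy configuration that reintroduces the Server header, or a deployment that forgot the web.config, fails the build rather than going unnoticed.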