In this article we cover ASP.NET Core security header guidelines: how to enable security headers, as part of security best practices, to protect an ASP.NET Core API.
I shall focus on the specific headers that are always good to have and are recommended by the OWASP guidance.
These headers are simple to use and can be incorporated into an API or web application with a few easy-to-configure steps.
Once added to the response, most of these headers use built-in browser features to protect your data and communication over the network.
We will cover the below aspects in this article:
Response Headers
Below are the response headers that can be used as the context requires. We cover a few of the important basic ones in this article.
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options
- X-Content-Type-Options
- X-Permitted-Cross-Domain-Policies
- Referrer-Policy
- Content-Security-Policy
- Feature-Policy
- Public Key Pinning Extension for HTTP (HPKP)
- Expect-CT
- X-XSS-Protection
Of all the response headers above, the ones covered below (HSTS, X-Content-Type-Options, Content-Security-Policy and X-XSS-Protection) apply to most use cases. Having them in place is always good and goes a long way toward keeping an API or website well secured.
Let’s get started.
HTTP Strict Transport Security (HSTS)
What is HSTS
HSTS (HTTP Strict Transport Security) is an IETF standard, the Strict Transport Security protocol, specified in RFC 6797. It allows a website owner to declare that the website is accessible only via secure connections, so that the browser interacts with the website over HTTPS only.
Syntax
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload
Enabling HSTS in ASP.NET Core is simple and it is explained in detail in the below article.
Example
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    // Configure the values emitted in the Strict-Transport-Security header
    services.AddHsts(options =>
    {
        options.Preload = true;
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(365);
    });
    // ...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        // Emit Strict-Transport-Security outside Development
        // (the middleware also skips loopback hosts such as localhost by default)
        app.UseHsts();
    }
    // ...
}
For more details, please visit this article,
X-Content-Type-Options
This header protects the content type of the data being communicated: it stops the browser from guessing (sniffing) a different Content-Type than the one the server declared, which prevents wrong or malicious interpretation of the response.
The header has only one value, "nosniff", meaning do not sniff the content type and use only the Content-Type specified by the application.
Syntax
X-Content-Type-Options: nosniff
Add the X-Content-Type-Options header in ASP.NET Core using middleware as below:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    app.UseHttpsRedirection();

    // Inline middleware: set the header before the rest of the pipeline
    // writes the response, so it is present on every response
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        await next.Invoke();
    });
    // ...
}
Content-Security-Policy
A Content-Security-Policy (CSP) header lets you control which sources and content the browser may load for your site, so only the resources the page actually needs are loaded.
A Content Security Policy helps protect against XSS attacks by telling the browser which resources are valid, such as:
- Content, scripts, stylesheets and images.
- Actions taken by a page, for example the permitted URL targets of forms.
- Plugins that can be loaded.
Syntax
Content-Security-Policy: default-src 'self'
Add the Content-Security-Policy header in ASP.NET Core using middleware as below:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    app.UseHttpsRedirection();

    // Inline middleware: only allow resources from the page's own origin
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("Content-Security-Policy", "default-src 'self';");
        await next.Invoke();
    });
    // ...
}
X-XSS-Protection
The X-XSS-Protection header asks the browser's built-in XSS filter to protect your site from reflected cross-site scripting (XSS) attacks. If an attack is detected, the browser either sanitizes the page by removing the malicious part (the default) or, with mode=block, stops rendering the page altogether and blocks the attack.
Syntax
Below are the four values the header accepts:
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=<report-uri>
Add the X-XSS-Protection header in ASP.NET Core using middleware as below,
After adding all the headers together in the middleware component and hosting the application in the cloud, the response headers can be inspected as shown below,
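The article shows each header in a separate Configure method. As an added example (my code, not the article's), here is one way to put them together: a reusable extension method, hypothetically named UseSecurityHeaders, sets X-Content-Type-Options, Content-Security-Policy and X-XSS-Protection in one place, while HSTS stays with AddHsts/UseHsts as shown earlier. The CSP value extends the article's default-src 'self' with object-src 'none' and frame-ancestors 'none'; those extra directives are my assumption of a sensible baseline, not something the article specifies.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Hypothetical extension method (not from the article) that adds the response
// headers discussed above in one place, so every response gets the same set.
public static class SecurityHeadersExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            var headers = context.Response.Headers;

            // Stop browsers from MIME-sniffing away from the declared Content-Type.
            headers["X-Content-Type-Options"] = "nosniff";

            // Only load resources from our own origin and block everything not listed.
            // object-src 'none' disables plugins; frame-ancestors 'none' stops the
            // page from being framed by other sites. (Assumed baseline, see lead-in.)
            headers["Content-Security-Policy"] =
                "default-src 'self'; object-src 'none'; frame-ancestors 'none'";

            // Legacy filter header as described in the article. Current browsers have
            // removed the XSS auditor and rely on CSP instead, so CSP is the real control.
            headers["X-XSS-Protection"] = "1; mode=block";

            await next();
        });
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddHsts(options =>
        {
            options.Preload = true;
            options.IncludeSubDomains = true;
            options.MaxAge = TimeSpan.FromDays(365);
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // Strict-Transport-Security only makes sense over HTTPS, and the HSTS
            // middleware skips loopback hosts anyway, so it stays out of Development.
            app.UseHsts();
        }

        app.UseHttpsRedirection();

        // Register before routing/endpoints so the headers are set on every response,
        // including 404s and errors produced later in the pipeline.
        app.UseSecurityHeaders();

        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Two design choices worth noting: the indexer (headers["Name"] = value) is used instead of Headers.Add so that a header already set by another component is overwritten rather than throwing an exception, and the middleware sits before UseRouting so that responses short-circuited by later middleware still carry the headers.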
That’s all, Enjoy Coding!
Do you have any comments or ideas or any better suggestions to share?
Please sound off your comments below.
Happy Coding!!