OwaspHeaders.Core
9.0.1
dotnet add package OwaspHeaders.Core --version 9.0.1
NuGet\Install-Package OwaspHeaders.Core -Version 9.0.1
<PackageReference Include="OwaspHeaders.Core" Version="9.0.1" />
paket add OwaspHeaders.Core --version 9.0.1
#r "nuget: OwaspHeaders.Core, 9.0.1"
// Install OwaspHeaders.Core as a Cake Addin
#addin nuget:?package=OwaspHeaders.Core&version=9.0.1
// Install OwaspHeaders.Core as a Cake Tool
#tool nuget:?package=OwaspHeaders.Core&version=9.0.1
OwaspHeaders.Core
An ASP .NET Core middleware for injecting OWASP recommended HTTP headers for increased security. This project is designed against the OWASP Secure Headers Project.
Quick Starts
- Create a .NET (either Framework, Core, or 5+) project which uses ASP .NET Core
Example:
dotnet new webapi -n exampleProject
- Add a reference to the OwaspHeaders.Core NuGet package.
Example:
dotnet add package OwaspHeaders.Core
- Alter the program.cs file to include the following:
app.UseSecureHeadersMiddleware();
This will add a number of default HTTP headers to all responses from your server component.
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)
cache-control: max-age=31536000,private
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
cross-origin-resource-policy: same-origin
referrer-policy: no-referrer
strict-transport-security: max-age=63072000;includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none;
x-xss-protection: 0
Please note: The above example contains only the headers added by the Middleware.
Source Code Repo
The source code for this NuGet package can be found at: https://github.com/GaProgMan/OwaspHeaders.Core.
Issues and Bugs
Please raise any issues and bugs at the above-mentioned source code repo.
Server Header: A Warning
The default configuration for this middleware removes the X-Powered-By header, because it can help malicious users target attacks at specific server infrastructure. However, since the Server header is added by the reverse proxy used when hosting an ASP .NET Core application, removing that header is out of scope for this middleware.
In order to remove this header, a web.config file is required, and the following should be added to it:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
The above XML is taken from this answer on ServerFault.
The web.config file will need to be copied to the server when the application is deployed.
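The check below is an added example, not code from OwaspHeaders.Core or its author: it audits a captured response-header block against the default values listed above and reports the Server and X-Powered-By headers discussed in this section. SecureHeaderAudit, its Audit method and the sample response are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample: HSTS directives reordered (still a match), weaker x-frame-options,
// several headers absent, and a Server header added by the hosting proxy.
var sample = string.Join("\n",
    "cache-control: max-age=31536000,private",
    "Strict-Transport-Security: includeSubDomains; max-age=63072000",
    "x-frame-options: SAMEORIGIN",
    "server: Microsoft-IIS/10.0");
foreach (var finding in SecureHeaderAudit.Audit(sample)) Console.WriteLine(finding);

// Hypothetical helper, not part of OwaspHeaders.Core.
public static class SecureHeaderAudit
{
    // Expected values copied from the version 9.0.0 response listing on this page.
    static readonly Dictionary<string, string> Expected = new(StringComparer.OrdinalIgnoreCase)
    {
        ["cache-control"] = "max-age=31536000,private",
        ["content-security-policy"] = "script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;",
        ["cross-origin-resource-policy"] = "same-origin",
        ["referrer-policy"] = "no-referrer",
        ["strict-transport-security"] = "max-age=63072000;includeSubDomains",
        ["x-content-type-options"] = "nosniff",
        ["x-frame-options"] = "DENY",
        ["x-permitted-cross-domain-policies"] = "none;",
        ["x-xss-protection"] = "0",
    };
    // Split on ';' and trim, so directive order and a trailing ';' do not raise false alarms.
    static HashSet<string> Directives(string value) => new(
        value.Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries),
        StringComparer.OrdinalIgnoreCase);
    public static List<string> Audit(string rawHeaders)
    {
        var seen = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var line in rawHeaders.Split('\n', StringSplitOptions.RemoveEmptyEntries))
        {
            var colon = line.IndexOf(':'); // header names are matched case-insensitively
            if (colon > 0) seen[line[..colon].Trim()] = line[(colon + 1)..].Trim();
        }
        var findings = new List<string>();
        foreach (var (name, want) in Expected)
        {
            if (!seen.TryGetValue(name, out var got)) findings.Add($"missing: {name}");
            else if (!Directives(got).SetEquals(Directives(want))) findings.Add($"differs: {name} = {got}");
        }
        foreach (var name in new[] { "server", "x-powered-by" }) // infrastructure disclosure
            if (seen.TryGetValue(name, out var value)) findings.Add($"disclosure: {name} = {value}");
        return findings;
    }
}
```

Capture the headers at the public endpoint, behind the reverse proxy, so that a Server header added by the proxy shows up in the audit.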
Product | Versions (compatible and additional computed target framework versions) |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. |
- net8.0: No dependencies.
- net9.0: No dependencies.
NuGet packages (4)
Showing the top 4 NuGet packages that depend on OwaspHeaders.Core:
Package | Downloads |
---|---|
Whipstaff.AspNetCore: Re-usable logic for working with ASP.NET Core. | |
wjsz-base: wjsz base library | |
OwaspHeaders.IsolatedFunction: A .NET Core middleware for injecting the OWASP recommended HTTP headers into Azure Isolated Functions | |
DojoTools: Toolkit for microservices designing developed by Pod2 in Bakery Net Dojo at Globant - Aug 2022 | |
GitHub repositories (2)
Showing the top 2 popular GitHub repositories that depend on OwaspHeaders.Core:
Repository | Stars |
---|---|
jeangatto/ASP.NET-Core-Clean-Architecture-CQRS-Event-Sourcing: ASP.NET Core, C#, CQRS Event Sourcing, REST API, DDD, SOLID Principles and Clean Architecture | |
GaProgMan/OnionArch: A .NET Core demo application which uses the Onion Architecture | |
Version | Downloads | Last updated | |
---|---|---|---|
9.0.1 | 153 | 11/20/2024 | |
9.0.0 | 49 | 11/20/2024 | |
8.1.3 | 6,391 | 10/19/2024 | |
8.1.2 | 82 | 10/19/2024 | |
8.1.1 | 92 | 10/19/2024 | |
8.1.0 | 48,216 | 5/30/2024 | |
8.0.0 | 87,678 | 12/3/2023 | |
7.5.1 | 43,808 | 8/9/2023 | |
7.5.0 | 26,523 | 6/7/2023 | |
7.0.1 | 1,912 | 6/5/2023 | |
7.0.0 | 187 | 6/5/2023 | |
6.1.0 | 3,121 | 5/15/2023 | |
6.0.5 | 390 | 5/15/2023 | |
6.0.4 | 163 | 5/15/2023 | |
6.0.3 | 175 | 5/15/2023 | |
6.0.2 | 342 | 5/11/2023 | |
6.0.1 | 171 | 5/11/2023 | |
6.0.0 | 1,060 | 5/11/2023 | |
5.0.0 | 235 | 5/11/2023 | |
4.6.2 | 2,090 | 5/11/2023 | |
4.6.1 | 170 | 5/11/2023 | |
4.6.0 | 192 | 5/11/2023 | |
4.5.1 | 212,562 | 5/15/2022 | |
4.5.0 | 465 | 5/15/2022 | |
4.4.0 | 42,097 | 4/8/2022 | |
4.3.0 | 479 | 4/8/2022 | |
4.2.0 | 449,170 | 12/31/2019 | |
4.1.1 | 7,626 | 11/16/2019 | |
4.1.0 | 1,945 | 10/23/2019 | |
3.5.2 | 28,018 | 7/19/2019 | |
3.5.1 | 584 | 7/19/2019 | |
3.5.0 | 597 | 7/19/2019 | |
3.4.1 | 592 | 7/19/2019 | |
3.4.0 | 15,813 | 3/16/2019 | |
3.3.2 | 28,431 | 5/1/2018 | |
3.3.1 | 3,479 | 4/16/2018 | |
3.3.0 | 1,982 | 4/16/2018 | |
3.2.0 | 1,091 | 4/16/2018 | |
3.1.2 | 1,108 | 4/16/2018 | |
3.1.1 | 1,209 | 4/13/2018 | |
3.1.0 | 1,171 | 4/7/2018 | |
3.0.0.3 | 1,685 | 3/20/2018 | |
3.0.0.2 | 1,112 | 3/20/2018 | |
3.0.0.1 | 2,135 | 2/25/2018 | |
3.0.0 | 1,165 | 2/17/2018 | |
2.1.0 | 3,443 | 1/2/2018 | |
2.0.0.1 | 1,502 | 11/23/2017 | |
2.0.0 | 2,638 | 9/20/2017 | |
1.6.0 | 1,156 | 8/15/2017 | |
1.5.0 | 1,101 | 8/13/2017 | |
1.0.1 | 1,252 | 7/25/2017 | |
0.0.0.1 | 1,500 | 7/25/2017 |