OwaspHeaders.Core
4.1.0
See the version list below for details.
dotnet add package OwaspHeaders.Core --version 4.1.0
NuGet\Install-Package OwaspHeaders.Core -Version 4.1.0
<PackageReference Include="OwaspHeaders.Core" Version="4.1.0" />
paket add OwaspHeaders.Core --version 4.1.0
#r "nuget: OwaspHeaders.Core, 4.1.0"
// Install OwaspHeaders.Core as a Cake Addin #addin nuget:?package=OwaspHeaders.Core&version=4.1.0 // Install OwaspHeaders.Core as a Cake Tool #tool nuget:?package=OwaspHeaders.Core&version=4.1.0
A .NET Core middleware for injecting the Owasp recommended HTTP Headers for increased security.
Licence Used
See the contents of the LICENSE file for details
Description
A collection of ASP.NET Core middleware classes designed to increase web application security by adopting the recommended OWASP settings.
Secure Headers
The SecureHeadersMiddleware
is used to inject the HTTP headers recommended by the OWASP Secure Headers project into all responses generated by the ASP.NET Core pipeline.
Usage
Add a reference to the NuGet package to your project
dotnet add package OwaspHeaders.Core
Configuration
For both versions 1.x and 2.x, a secureHeaderSettings.json
file was used. However, from version 3.x onwards, a build-time builder pattern is now used for configuring the secure headers.
Please see the following sections for how to configure the OwaspHeaders.Core middlware.
Configuration in Version 3.x
Version 3.x of OwaspHaders.Core no longer uses the secureHeaderSettings.json
file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency.
In your Startup
class, add a using statement for the OwaspHeaders.Core middleware
using OwaspHeaders.Core.Extensions;
Then in the Configure
method, add the following
app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareExtensions.BuildDefaultConfiguration());
This will use the default configuration for the OwaspHeaders.Core middleware. The method (found in /src/Extensions/SecureHeadersMiddlewareExtensions.cs
) looks like this:
public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
{
return SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts()
.UseXFrameOptions()
.UseXSSProtection()
.UseContentTypeOptions()
.UseContentDefaultSecurityPolicy()
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.Build();
}
In order to use a custom configuration, follow the same pattern (perhaps creating your own extension method to encapsulate it):
public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
return SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts(1200, false)
.UseXSSProtection(XssMode.oneReport, "https://reporturi.com/some-report-url")
.UseContentDefaultSecurityPolicy()
.UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
.UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
.Build();
}
Then consume it in the following manner:
app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration());
Configuration in Version 2.x
In the constructor for the Startup
class, add a reference to a secureHeaderSettings.json
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
.AddJsonFile("secureHeaderSettings.json", optional:true, reloadOnChange: true)
.AddEnvironmentVariables();
Configuration = builder.Build();
}
The contents of the secureHeaderSettings.json
file take the following format:
{
"SecureHeadersMiddlewareConfiguration": {
"UseHsts": "true",
"HstsConfiguration": {
"MaxAge": 42,
"IncludeSubDomains": "true"
},
"UseHpkp": "true",
"HPKPConfiguration" :{
"PinSha256" : [
"e927fad33f9eb96126896413502a1034be0ca379dec377fb891feb9ebc720e47"
],
"MaxAge": 3,
"IncludeSubDomains": "true",
"ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
},
"UseXFrameOptions": "true",
"XFrameOptionsConfiguration": {
"OptionValue": "allowfrom",
"AllowFromDomain": "com.gaprogman.dotnetcore"
},
"UseXssProtection": "true",
"XssConfiguration": {
"XssSetting": "oneReport",
"ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
},
"UseXContentTypeOptions": "true",
"UseContentSecurityPolicy": "true",
"ContentSecurityPolicyConfiguration": {
"BlockAllMixedContent": "true",
"UpgradeInsecureRequests": "true"
}
}
}
(the above file is provided for illustration purposes)
Load the contents of the secureHeaderSettings.json
into an instance of the SecureHeadersMiddlewareConfiguration
in the Startup class' ConfigureServices
method.
public void ConfigureServices(IServiceCollection services)
{
// Add framework services
// Add functionality to inject IOptions<T>
services.AddOptions();
// Add our Config object so it can be injected
services.Configure<SecureHeadersMiddlewareConfiguration>(Configuration.GetSection("SecureHeadersMiddlewareConfiguration"));
}
Add the SecureHeadersMiddleware
into the ASP.NET Core pipeline, in the Startup class' Configure
method.
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
IOptions<SecureHeadersMiddlewareConfiguration> secureHeaderSettings)
{
// Add SecureHeadersMiddleware to the pipeline
app.UseSecureHeadersMiddleware(secureHeaderSettings.Value);
}
Testing the Middleware
Run the application, request one of the pages that it serves and view the headers for the page.
This can be done in Google Chrome, using the Dev tools and checking the network tab.
Shown above in the Response Headers
section of the Values
response.
Development Logs
This repository forms the basis for a series of blog posts that I have written on the topic of ASP.NET Core middleware.
If you would like to read about how I have developed the code in this repository, please see the first in the blog post series entitled: ".NET Core Middleware – OWASP Headers Part 1"
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- Microsoft.AspNetCore.Http.Abstractions (>= 2.1.1)
NuGet packages (4)
Showing the top 4 NuGet packages that depend on OwaspHeaders.Core:
Package | Downloads |
---|---|
Whipstaff.AspNetCore
Re-usable logic for working with ASP.NET Core. |
|
wjsz-base
wjsz基础库 |
|
OwaspHeaders.IsolatedFunction
A .NET Core middleware for injecting the Owasp recommended HTTP Headers into Azure Isolated Functions |
|
DojoTools
Toolkit for microservices designing developed by Pod2 in Bakery Net Dojo at Globant - Aug 2022 |
GitHub repositories (2)
Showing the top 2 popular GitHub repositories that depend on OwaspHeaders.Core:
Repository | Stars |
---|---|
jeangatto/ASP.NET-Core-Clean-Architecture-CQRS-Event-Sourcing
ASP.NET Core, C#, CQRS Event Sourcing, REST API, DDD, SOLID Principles and Clean Architecture
|
|
GaProgMan/OnionArch
A .NET Core demo application which uses the Onion Architecture
|
Version | Downloads | Last updated | |
---|---|---|---|
9.0.1 | 250 | 11/20/2024 | |
9.0.0 | 57 | 11/20/2024 | |
8.1.3 | 6,530 | 10/19/2024 | |
8.1.2 | 85 | 10/19/2024 | |
8.1.1 | 95 | 10/19/2024 | |
8.1.0 | 48,460 | 5/30/2024 | |
8.0.0 | 87,860 | 12/3/2023 | |
7.5.1 | 43,833 | 8/9/2023 | |
7.5.0 | 26,528 | 6/7/2023 | |
7.0.1 | 1,915 | 6/5/2023 | |
7.0.0 | 190 | 6/5/2023 | |
6.1.0 | 3,135 | 5/15/2023 | |
6.0.5 | 393 | 5/15/2023 | |
6.0.4 | 166 | 5/15/2023 | |
6.0.3 | 178 | 5/15/2023 | |
6.0.2 | 345 | 5/11/2023 | |
6.0.1 | 174 | 5/11/2023 | |
6.0.0 | 1,063 | 5/11/2023 | |
5.0.0 | 238 | 5/11/2023 | |
4.6.2 | 2,099 | 5/11/2023 | |
4.6.1 | 173 | 5/11/2023 | |
4.6.0 | 195 | 5/11/2023 | |
4.5.1 | 212,620 | 5/15/2022 | |
4.5.0 | 468 | 5/15/2022 | |
4.4.0 | 42,105 | 4/8/2022 | |
4.3.0 | 482 | 4/8/2022 | |
4.2.0 | 449,358 | 12/31/2019 | |
4.1.1 | 7,629 | 11/16/2019 | |
4.1.0 | 1,948 | 10/23/2019 | |
3.5.2 | 28,025 | 7/19/2019 | |
3.5.1 | 587 | 7/19/2019 | |
3.5.0 | 600 | 7/19/2019 | |
3.4.1 | 595 | 7/19/2019 | |
3.4.0 | 15,816 | 3/16/2019 | |
3.3.2 | 28,434 | 5/1/2018 | |
3.3.1 | 3,482 | 4/16/2018 | |
3.3.0 | 1,985 | 4/16/2018 | |
3.2.0 | 1,094 | 4/16/2018 | |
3.1.2 | 1,111 | 4/16/2018 | |
3.1.1 | 1,212 | 4/13/2018 | |
3.1.0 | 1,174 | 4/7/2018 | |
3.0.0.3 | 1,688 | 3/20/2018 | |
3.0.0.2 | 1,115 | 3/20/2018 | |
3.0.0.1 | 2,138 | 2/25/2018 | |
3.0.0 | 1,168 | 2/17/2018 | |
2.1.0 | 3,446 | 1/2/2018 | |
2.0.0.1 | 1,505 | 11/23/2017 | |
2.0.0 | 2,641 | 9/20/2017 | |
1.6.0 | 1,159 | 8/15/2017 | |
1.5.0 | 1,104 | 8/13/2017 | |
1.0.1 | 1,255 | 7/25/2017 | |
0.0.0.1 | 1,503 | 7/25/2017 |