SecHdrsCore 1.0.11
```
dotnet add package SecHdrsCore --version 1.0.11
NuGet\Install-Package SecHdrsCore -Version 1.0.11
<PackageReference Include="SecHdrsCore" Version="1.0.11" />
paket add SecHdrsCore --version 1.0.11
#r "nuget: SecHdrsCore, 1.0.11"
// Install SecHdrsCore as a Cake Addin
#addin nuget:?package=SecHdrsCore&version=1.0.11
// Install SecHdrsCore as a Cake Tool
#tool nuget:?package=SecHdrsCore&version=1.0.11
```
Build up Security Headers in a (semi) modular way.
For use in an ASP.NET Core web project.
In Startup.cs, add the following private members to the Startup class:
```csharp
private SecurityHeaders _securityHeaders { get; set; }
private List<CspFrame> _cspFrames { get; set; }
```
Then add the following two private methods (alter them as you need). They reference the SecHdrsCore.Sample NuGet package for the GoogleMaps() and Stripe() frames.
```csharp
private List<CspFrame> AssembleContentSecurityPolicies()
{
    // Baseline frame: directives that apply regardless of which CDNs are used
    var defCspFrame = new CspFrame().Initialise("default");
    defCspFrame.Clauses
        .AddUpdateClause("script-src", "", "'unsafe-eval'")
        .AddUpdateClause("style-src", "", "'unsafe-inline'")
        .AddUpdateClause("img-src", "", "data:")
        .AddUpdateClause("plugin-types", "", "application/pdf")
        .AddUpdateClause("frame-ancestors", "", "'none'")
        .AddUpdateClause("report-uri", "", "/cspreport");

    // Frame for the common public CDNs the site loads from
    var basicCdnCspFrame = new CspFrame().Initialise("basicCdn");
    basicCdnCspFrame.Clauses
        .AddUpdateClause("default-src", "", "https://maxcdn.bootstrapcdn.com/")
        .AddUpdateClause("script-src", "", "https://ajax.googleapis.com/ https://code.jquery.com/ https://cdnjs.cloudflare.com/")
        .AddUpdateClause("style-src", "", "https://fonts.googleapis.com/")
        .AddUpdateClause("font-src", "", "https://fonts.gstatic.com/")
        .AddUpdateClause("img-src", "", "https://csi.gstatic.com/");

    // Ready-made frames from the SecHdrsCore.Sample package
    var googleMapsCspFrame = new CspFrame().GoogleMaps();
    var stripeCspFrame = new CspFrame().Stripe();

    return new List<CspFrame>
    {
        defCspFrame,
        basicCdnCspFrame,
        googleMapsCspFrame,
        stripeCspFrame
    };
}

/// <summary>
/// Returns a merged copy of all relevant CspFrames, adding in the Dev CspFrame if required.
/// </summary>
/// <param name="env">The hosting environment; the dev frame is merged in only when env.IsDevelopment() is true.</param>
/// <returns>The merged CspFrame to install as the Content-Security-Policy header.</returns>
private CspFrame BuildContentSecurityPolicy(IHostingEnvironment env)
{
    if (_cspFrames == null || !_cspFrames.Any())
    {
        _cspFrames = AssembleContentSecurityPolicies();
    }

    // Assemble the master CSP
    var masterCsp = _cspFrames.Merge();

    if (env.IsDevelopment())
    {
        var localhostSp = "localhost:56993/";
        var stripe = "http://checkout.stripe.com/";
        // Note that this dev CSP includes the http versions for Stripe
        var devCspFrame = new CspFrame().Initialise("dev");
        devCspFrame.Clauses
            .AddUpdateClause("default-src", "", "http://localhost:5000/")
            .AddUpdateClause("connect-src", "", "http://" + localhostSp + " ws://" + localhostSp + " " + stripe)
            .AddUpdateClause("script-src", "", "http://" + localhostSp + " " + stripe);
        masterCsp = masterCsp.Merge(devCspFrame);
    }

    return masterCsp;
}
```
Finally, include the following in the Configure method, just before app.UseMvc(...):
```csharp
// Set up the overall Security Headers.
// This will also assemble the _cspFrames object if required.
if (_securityHeaders == null)
{
    _securityHeaders = app.BuildSecurityHeaders(BuildContentSecurityPolicy(env));
}
else
{
    _securityHeaders.Csp = BuildContentSecurityPolicy(env);
}
app.UseSecurityHeaders(_securityHeaders);
```
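The default frame above points report-uri at /cspreport, but nothing on this page receives those reports. The following MVC controller is an added example, not part of SecHdrsCore or its samples; it assumes Newtonsoft.Json (bundled with ASP.NET Core MVC of that era) and the standard "csp-report" JSON body that browsers POST.

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Example endpoint for the report-uri "/cspreport" configured above.
// Not part of SecHdrsCore; the route name is taken from the default frame.
[Route("cspreport")]
public class CspReportController : Controller
{
    private const int MaxReportBytes = 16 * 1024; // violation reports are small
    private readonly ILogger<CspReportController> _logger;

    public CspReportController(ILogger<CspReportController> logger)
    {
        _logger = logger;
    }

    [HttpPost]
    public async Task<IActionResult> Post()
    {
        // Browsers send Content-Type: application/csp-report, which the MVC JSON
        // input formatter does not bind, so the raw body is read instead.
        if (Request.ContentLength > MaxReportBytes) return StatusCode(413);

        string body;
        using (var reader = new StreamReader(Request.Body))
        {
            body = await reader.ReadToEndAsync();
        }

        JObject report;
        try
        {
            report = JObject.Parse(body)["csp-report"] as JObject;
        }
        catch (JsonReaderException)
        {
            return BadRequest();
        }
        if (report == null) return BadRequest();

        // The three fields that separate a misconfigured frame (a known CDN
        // being blocked) from something unexpected (an unknown origin).
        // All values are browser-supplied, so they go in as structured
        // parameters rather than being concatenated into the message.
        _logger.LogWarning("CSP violation: directive={Directive} blocked={Blocked} document={Document}",
            (string)report["violated-directive"],
            (string)report["blocked-uri"],
            (string)report["document-uri"]);
        return NoContent();
    }
}
```

A blocked-uri that matches one of the frames above usually means a clause is missing an origin; one that matches nothing you serve is worth investigating.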
Dependencies (.NETStandard 1.6):
- Microsoft.AspNetCore.Http.Abstractions (>= 1.1.2)
- Microsoft.AspNetCore.Http.Extensions (>= 1.1.2)
- NETStandard.Library (>= 1.6.1)
NuGet packages that depend on SecHdrsCore (1):

Package | Description |
---|---|
SecHdrsCore.Sample | Security Headers Samples for ASP.NET Core. Several samples of CspFrames to target resource sources. |
Version | Downloads | Last updated |
---|---|---|
1.0.11 | 2,138 | 7/14/2017 |
The package does not currently provide specific support for manipulating cookies or for adding Subresource Integrity information to CDN-based resources. See SecHdrsCore.Sample for several sample CSP frames.