Security Headers - for ASP.Net Core. NuGet Package

Build up Security Headers in a (semi) modular way.
To use in an ASP.Net Core web project.
In startup.cs - add the following private members to the startup class
private SecurityHeaders _securityHeaders { get; set; }
private List<CspFrame> _cspFrames { get; set; }

And the following two private methods (and alter as you need to).

These do reference the samples nuget package.
private List<CspFrame> AssembleContentSecurityPolicies()
{
var defCspFrame = new CspFrame().Initialise("default");
defCspFrame.Clauses
.AddUpdateClause("script-src", "", "'unsafe-eval'")
.AddUpdateClause("style-src", "", "'unsafe-inline'")
.AddUpdateClause("img-src", "", "data:")
.AddUpdateClause("plugin-types", "", "application/pdf")
.AddUpdateClause("frame-ancestors", "", "'none'")
.AddUpdateClause("report-uri", "", "/cspreport");

var basicCdnCspFrame = new CspFrame().Initialise("basicCdn");
basicCdnCspFrame.Clauses
.AddUpdateClause("default-src", "", "https://maxcdn.bootstrapcdn.com/")
.AddUpdateClause("script-src", "", "https://ajax.googleapis.com/ https://code.jquery.com/ https://cdnjs.cloudflare.com/")
.AddUpdateClause("style-src", "", "https://fonts.googleapis.com/")
.AddUpdateClause("font-src", "", "https://fonts.gstatic.com/")
.AddUpdateClause("img-src", "", "https://csi.gstatic.com/");

var googleMapsCspFrame = new CspFrame().GoogleMaps();
var stripeCspFrame = new CspFrame().Stripe();

return new List<CspFrame>
{
defCspFrame,
basicCdnCspFrame,
googleMapsCspFrame,
stripeCspFrame
};
}

/// <summary>
/// Returns a merged copy of all relevant CspFrames - adding in the Dev CspFrame if required
/// </summary>
/// <param name="env"></param>
/// <returns></returns>
private CspFrame BuildContentSecurityPolicy(IHostingEnvironment env)
{
if (_cspFrames == null || !_cspFrames.Any())
{
_cspFrames = AssembleContentSecurityPolicies();
}

// Assemble the master CSP
var masterCsp = _cspFrames.Merge();

if (env.IsDevelopment())
{
var localhostSp = "localhost:56993/";
var stripe = "http://checkout.stripe.com/";

// Note that this dev CSP includes the http versions for Stripe
var devCspFrame = new CspFrame().Initialise("dev");
devCspFrame.Clauses.AddUpdateClause("default-src", "", "http://localhost:5000/")
.AddUpdateClause("connect-src", "", "http://" + localhostSp + " ws://" + localhostSp + " " + stripe)
.AddUpdateClause("script-src", "", "http://" + localhostSp + " " + stripe);

masterCsp = masterCsp.Merge(devCspFrame);
}

return masterCsp;
}

Finally include the following in the configuration method just before app.UseMvc( ...
// Set up the overall Security Headers
// This will also assemble the _cspFrames object if required
if (_securityHeaders == null)
{
_securityHeaders = app.BuildSecurityHeaders(BuildContentSecurityPolicy(env));
}
else
{
_securityHeaders.Csp = BuildContentSecurityPolicy(env);
}
app.UseSecurityHeaders(_securityHeaders);
.




Got any Security Headers - for ASP.Net Core. Question?





Info

Version: 1.0.11
Author(s): Lee HUMPHRIES
Last Update: Friday, July 14, 2017
.NET Fiddle: Create the first Fiddle
NuGet Url: https://www.nuget.org/packages/SecHdrsCore


Install
Install-Package SecHdrsCore
dotnet add package SecHdrsCore
paket add SecHdrsCore
SecHdrsCore Download (Unzip the "nupkg" after downloading)



Tags



STATS

must-have-score

avg-downloads-per-day

2

days-since-last-release

2449