IIR.SecurityHeaders.Core
2.2.2.1
dotnet add package IIR.SecurityHeaders.Core --version 2.2.2.1
NuGet\Install-Package IIR.SecurityHeaders.Core -Version 2.2.2.1
<PackageReference Include="IIR.SecurityHeaders.Core" Version="2.2.2.1" />
paket add IIR.SecurityHeaders.Core --version 2.2.2.1
#r "nuget: IIR.SecurityHeaders.Core, 2.2.2.1"
// Install IIR.SecurityHeaders.Core as a Cake Addin
#addin nuget:?package=IIR.SecurityHeaders.Core&version=2.2.2.1
// Install IIR.SecurityHeaders.Core as a Cake Tool
#tool nuget:?package=IIR.SecurityHeaders.Core&version=2.2.2.1
This plugin is for IIR .NET 6 and higher sites and adds additional security to them.
Program.cs
You can add a few lines to the Program.cs file to quickly add additional security to your sites. (Upgraded projects might still use a Startup.cs.)
We want to make cookies as secure as possible with the following settings:
// Sets the default cookie policy. You may need to apply additional policies for authentication.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    options.MinimumSameSitePolicy = SameSiteMode.Strict;
    // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
    options.HandleSameSiteCookieCompatibility(); // If you have a collision, use options.CustomHandleSameSiteCookieCompatibility();
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});

// Configure HSTS to a year out and include pre-load and subdomains
builder.Services.AddHsts(o =>
{
    o.Preload = true;
    o.IncludeSubDomains = true;
    o.MaxAge = TimeSpan.FromDays(365);
});
Add the following lines to automatically apply the required security settings:
app.UseIIRStandard();
app.UseCookiePolicy(); // This applies the cookie policy configured in the section above
Make sure that app.UseHsts(); is also called in this file (it usually is by default).
Create Web.Config
You will need to create a web.config file in the root of the website and add the following XML to it. This removes some of the header values we don't want to send to clients.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="Server" />
        <remove name="X-AspNet-Version" />
        <remove name="X-AspNetMvc-Version" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
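A way to confirm that the Program.cs settings above (HSTS for a year with preload and subdomains, HttpOnly/Secure/SameSite=Strict cookies) and the web.config header removal actually reach the client is to audit a captured response. The following Python script is an added example, not part of IIR.SecurityHeaders.Core; the sample header sets are constructed, and in practice you would feed it the headers returned by your deployed site.

```python
# Added example (not part of IIR.SecurityHeaders.Core): audits one HTTP
# response's headers against the settings configured on this page.

# Headers the web.config section removes; none of them should still be sent.
REMOVED_HEADERS = ("X-Powered-By", "Server", "X-AspNet-Version", "X-AspNetMvc-Version")
ONE_YEAR = 365 * 24 * 60 * 60  # seconds, matching TimeSpan.FromDays(365)


def audit_headers(headers):
    """headers: list of (name, value) pairs; returns a list of findings (empty = all checks pass)."""
    h = {}
    for name, value in headers:  # Set-Cookie may repeat, so keep every value
        h.setdefault(name.lower(), []).append(value.strip())
    findings = []
    # 1. Server-identifying headers that web.config should have removed.
    for name in REMOVED_HEADERS:
        if name.lower() in h:
            findings.append(f"{name} is still sent: {h[name.lower()][0]!r}")
    # 2. HSTS as configured by AddHsts: max-age >= one year, includeSubDomains, preload.
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security missing (is app.UseHsts() called?)")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        age = next((int(d[8:]) for d in directives if d.startswith("max-age=") and d[8:].isdigit()), -1)
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {hsts[0]!r}")
        for required in ("includesubdomains", "preload"):
            if required not in directives:
                findings.append(f"HSTS lacks {required}")
    # 3. Every cookie must carry the flags set through CookiePolicyOptions.
    for cookie in h.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = [p.lower() for p in parts[1:]]
        for flag in ("httponly", "secure", "samesite=strict"):
            if flag not in attrs:
                findings.append(f"cookie {parts[0].split('=')[0]!r} lacks {flag}")
    return findings


# Constructed sample responses (not captured from a real site).
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc; path=/; secure; samesite=strict; httponly"),
]
DEFAULT = [
    ("Server", "Kestrel"),
    ("X-Powered-By", "ASP.NET"),
    ("Strict-Transport-Security", "max-age=2592000"),
    ("Set-Cookie", "session=abc; path=/"),
]
```

Running `audit_headers(HARDENED)` returns no findings, while `audit_headers(DEFAULT)` reports the leaked Server and X-Powered-By headers, the short HSTS policy and the missing cookie flags.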
View Imports
In the _ViewImports.cshtml file, add the following line:
@addTagHelper *, Joonasw.AspNetCore.SecurityHeaders
Remarks
Most of this logic was taken from a library that has not been updated in a few years. We only included the tools that are still common today. You can read more about the original package at https://github.com/juunas11/aspnetcore-security-headers
Product | Versions (compatible and additional computed target framework versions)
---|---
.NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.
net6.0
- Joonasw.AspNetCore.SecurityHeaders (>= 5.0.0)
NuGet packages (1)
Showing the top 1 NuGet packages that depend on IIR.SecurityHeaders.Core:
Package | Description
---|---
IIR.RazorComponents.USWDS | IIR's U.S. Web Design System (USWDS) Components for .NET 6 and Razor Pages
GitHub repositories
This package is not used by any popular GitHub repositories.
- Updating documentation