Fabrizio Bagalà

HTTP Security Headers in ASP.NET

ℹ️ Information
The code in the following article was tested with ASP.NET 6 and 7.

Nowadays, security is a fundamental aspect that must not be overlooked when developing a web app. One effective way to improve the security of a web app is to implement HTTP security headers.

Definition

An HTTP security header is an HTTP response header that a server sends to a browser. The header instructs the browser on how to behave when interacting with the site, and that guidance contributes significantly to the application's security.

HTTP security headers

The most common HTTP security headers are:

  • Content Security Policy (CSP): This helps prevent Cross-Site Scripting (XSS) attacks by specifying the domains that a browser should consider valid sources of executable scripts.
  • HTTP Strict Transport Security (HSTS): This enforces secure (HTTP over SSL/TLS) connections to the server.
  • X-Content-Type-Options: This prevents the browser from doing MIME-type sniffing.
  • X-Frame-Options: This provides clickjacking protection by restricting whether the page may be embedded in an iframe.
  • X-XSS-Protection: This stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although this header is deprecated and its use is not often recommended, it is still recognized and used by some browsers.

Implementations

You can implement these headers through:

👉 Anonymous middleware

Here is an example of how to add HTTP security headers directly into the Program.cs file:

using Microsoft.Extensions.Primitives;

app.Use(async (context, next) =>
{
    // Headers must be set before the response starts, i.e. before calling next().
    // The indexer sets or overwrites a header; IDictionary.Add would throw an
    // ArgumentException if another component had already set the same header.
    context.Response.Headers["Content-Security-Policy"] = new StringValues("default-src 'self'");
    context.Response.Headers["X-Content-Type-Options"] = new StringValues("nosniff");
    context.Response.Headers["X-Frame-Options"] = new StringValues("SAMEORIGIN");
    context.Response.Headers["X-XSS-Protection"] = new StringValues("1; mode=block");
    await next();
});

👉 External middleware

By creating an external middleware, you can centralize the setting of HTTP Security Headers:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Set the headers before handing the request on, so they are in place
        // whatever the downstream middleware or endpoint writes. The indexer
        // overwrites an existing value instead of throwing as Add would.
        context.Response.Headers["Content-Security-Policy"] = new StringValues("default-src 'self'");
        context.Response.Headers["X-Content-Type-Options"] = new StringValues("nosniff");
        context.Response.Headers["X-Frame-Options"] = new StringValues("SAMEORIGIN");
        context.Response.Headers["X-XSS-Protection"] = new StringValues("1; mode=block");

        await _next(context);
    }
}

Let's add the middleware to the app pipeline:

// UseHsts emits Strict-Transport-Security on HTTPS responses only and skips localhost by default.
app.UseHsts();
app.UseHttpsRedirection();
// Register before UseStaticFiles/UseRouting so static files and unmatched (404) requests get the headers too.
app.UseMiddleware<SecurityHeadersMiddleware>();

Conclusion

Implementing HTTP security headers via middleware, either anonymously in the Program.cs file or via external middleware, is an effective way to improve the security of an ASP.NET application. However, it is important to remember that these headers are only part of the overall security of the app. They must be used with other security best practices, such as sanitizing user input and regularly updating software dependencies.

In addition, it is indispensable to thoroughly test the implementation of these headers to ensure that they do not cause operational problems for the application. For example, an overly restrictive CSP could prevent legitimate resources from loading.
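As an added check for the middleware shown above (example code written for this page, not the article's own), here is an xUnit integration test that hosts the app in-memory via Microsoft.AspNetCore.TestHost and asserts that every response, matched route or 404, carries the four headers set by SecurityHeadersMiddleware. It assumes the SecurityHeadersMiddleware class from this article is available to the test project, which references xunit and Microsoft.AspNetCore.TestHost and has a FrameworkReference to Microsoft.AspNetCore.App.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Xunit;

public class SecurityHeadersTests
{
    // Expected values mirror what SecurityHeadersMiddleware sets.
    private static readonly Dictionary<string, string> Expected = new()
    {
        ["Content-Security-Policy"] = "default-src 'self'",
        ["X-Content-Type-Options"] = "nosniff",
        ["X-Frame-Options"] = "SAMEORIGIN",
        ["X-XSS-Protection"] = "1; mode=block",
    };

    [Fact]
    public async Task EveryResponseCarriesTheSecurityHeaders()
    {
        var builder = WebApplication.CreateBuilder();
        builder.WebHost.UseTestServer();          // in-memory server, no sockets
        await using var app = builder.Build();

        // Registered as ordinary middleware, so it also runs for requests
        // that no endpoint matches (the framework's terminal 404).
        app.UseMiddleware<SecurityHeadersMiddleware>();
        app.MapGet("/", () => "hello");

        await app.StartAsync();
        var client = app.GetTestClient();

        // One matched route and one unmatched (404): both must carry the headers.
        foreach (var path in new[] { "/", "/no-such-route" })
        {
            using var response = await client.GetAsync(path);
            foreach (var (name, value) in Expected)
            {
                Assert.True(response.Headers.TryGetValues(name, out var values),
                            $"{name} missing on {path} (status {(int)response.StatusCode})");
                Assert.Equal(value, Assert.Single(values));
            }
        }
    }
}
```

Strict-Transport-Security is deliberately not asserted: the HSTS middleware only emits it on HTTPS requests and excludes localhost by default, so an in-memory test over http://localhost would never see it.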

Top comments (1)

Ranjan Dailata • Edited

Great start.

A few more suggested security settings are here:

ASP.NET Core Security Header

Security-headers-in-asp-net-core