Laura Weatherhead

Net Core security - NWebSec to the rescue!

A quick overview of securing a Net Core webapp using NWebSec and the web.config

First up, let's install NWebSec middleware from nuget via the package manager

PM> Install-Package NWebsec.AspNetCore.Middleware

For those of you (like me) who are a little rusty on security best practice, two of the general principles are:

  1. Reduce attack surface (make it as hard as possible for potential attackers to glean information about your app)
  2. Restrict access (unless securely authorised)

The ingredients for a safe Net Core app broadly feed into these practices and include the following (non-exhaustive) list:

  • [HSTS] HTTP Strict Transport Security Header
  • X-XSS-Protection Header
  • X-Frame-Options Header
  • [CSP] Content-Security-Policy Header
  • X-Content-Type-Options Header
  • Referrer-Policy Http Header
  • Remove the X-Powered-By header so the response no longer advertises the technology the app is built on
  • [HPKP] HTTP Public Key Pinning Header

Let's take these one at a time!

[HSTS] HTTP Strict Transport Security Header

This is what it sounds like - force all comms to go through HTTPS! Adding .Preload() as shown below emits the preload directive, which is what lets you submit the domain to the browsers' HSTS preload list so that HTTPS is enforced from the very first request.

app.UseHsts(options => options.MaxAge(365).IncludeSubdomains().Preload());

X-XSS-Protection Header

This response header tells modern browsers to stop loading a page when reflected cross-site scripting is detected. It is often unnecessary if the site implements a strong Content-Security-Policy (spoilers!)

app.UseXXssProtection(options => options.EnabledWithBlockMode());

X-Frame-Options Header

Ensure that site content is not being embedded in an iframe on other sites - used to avoid clickjacking attacks.

app.UseXfo(options => options.SameOrigin());

[CSP] Content-Security-Policy Header

The content security policy essentially allows you to whitelist resource origins when the site is loaded. These policies are usually to do with server and script origins.

There are a heap of different ways you can configure this and they are very much dependent upon your requirements and what you need to load in and out. You can read more about your options in the handy Mozilla docs

An example would be:

app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .StyleSources(s => s.Self())
    .StyleSources(s => s.UnsafeInline())
    .FontSources(s => s.Self())
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .ImageSources(s => s.Self())
    .ScriptSources(s => s.Self())
);

X-Content-Type-Options Header

Blocks any content sniffing that could happen that might change an innocent MIME type (e.g. text/css) into something executable that could do some real damage.

app.UseXContentTypeOptions();

Referrer-Policy Http Header

This tells the browser how much information to send along in the Referer header field (yes, the header name really is misspelt!). The default value is no-referrer-when-downgrade, i.e. don't send any referrer data if we're downgrading security protocols and going from an HTTPS site to an HTTP one.

This one depends a bit on your requirements, the options are listed in detail on Mozilla's dev site to help you make a decision. If you want to be super safe, then opt for:

app.UseReferrerPolicy(opts => opts.NoReferrer());

Remove X-Powered-By Header

Now let's make sure that we're not giving information away regarding the technology in use (i.e. ASP.NET). To do this, we'll remove the X-Powered-By header by adding the following to the web.config:

<system.web>
   <httpRuntime enableVersionHeader="false"/>
</system.web>
<system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
        <remove name="X-Powered-By" />
     </customHeaders>
   </httpProtocol>
</system.webServer>

[HPKP] HTTP Public Key Pinning Header

This one is interesting and is to do with whitelisting certificates. There are a couple of plugins you can use to facilitate this and it's covered comprehensively in @JoonasWestlin's blog here
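Pulling the header sections above together, here is an added example (not code from the original post) of a Startup.Configure that registers the NWebsec middleware in one place and in an order that works: header middleware before anything that writes a response, HSTS only outside development, and a second CSP in report-only mode for trialling a tighter policy. The CDN host and the /csp-report path are placeholders; HPKP is left out because browsers have since dropped support for it.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // HSTS only in production: a 365-day max-age on localhost would
            // pin the browser to HTTPS for every local site you run.
            app.UseHsts(o => o.MaxAge(days: 365).IncludeSubdomains().Preload());
        }
        app.UseHttpsRedirection();

        // Header middleware goes before anything that writes a response
        // (static files, MVC); otherwise those responses ship without them.
        app.UseXContentTypeOptions();
        app.UseXfo(o => o.Deny());
        app.UseXXssProtection(o => o.EnabledWithBlockMode());
        app.UseReferrerPolicy(o => o.NoReferrer());

        // Enforced policy: no unsafe-inline anywhere, one named CDN for scripts.
        // cdn.example.com and /csp-report are placeholders (assumed, not real).
        app.UseCsp(o => o
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self().CustomSources("https://cdn.example.com"))
            .StyleSources(s => s.Self())
            .ImageSources(s => s.Self())
            .FontSources(s => s.Self())
            .FormActions(s => s.Self())
            .FrameAncestors(s => s.None())
            .BlockAllMixedContent()
            .UpgradeInsecureRequests()
            .ReportUris(r => r.Uris("/csp-report")));

        // A stricter candidate policy in report-only mode: browsers report
        // violations to /csp-report but do not block, so you can tighten safely.
        app.UseCspReportOnly(o => o
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self())
            .ReportUris(r => r.Uris("/csp-report")));

        app.UseStaticFiles();
        app.UseRouting();
        app.UseEndpoints(e => e.MapDefaultControllerRoute());
    }
}
```

This needs the NWebsec.AspNetCore.Middleware package installed as at the top of the post; the X-Powered-By header is added by IIS, so the web.config change above still applies when hosting behind IIS.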


Further links/reading: a good tool for testing security headers is Geek Flare, and a wealth of easy to digest information on general .NET security best practice is available at OWASP.org

This is just a quick point of reference to get started on Net Core site (mostly header-based) security - what's missing? Other recommendations?

Top comments (8)

Jamie

Interesting stuff.

I have some ASP NET Core middleware which does this, too (great minds and all that). The entire thing is open source and available at GitHub. It even has a default builder which will supply the recommended header values.

Interestingly, I would avoid HPKP as it has been deprecated

Marmalade

Thanks for this, Laura. I'm also rusty/still under construction when it comes to security best practices, and your article has given me a kick in the right direction to do some further learning. +1 unicorn for you.

Laura Weatherhead

Awww glad I could be help! It was definitely a case of “if I don’t write this down right now then in 4 months time I’ll have exactly the same problems!” :)

Marmalade

Tell me about it. It's one of those aspects of development that whilst super important it's also not something you do as often as the rest of your development workflow, so it takes a bit more time and effort to learn. At least that's how I've found it anyways.

Thanks again!

Phil Ashby

Thanks Laura, a nice way to sort out response headers :)

OWASP have (as ever), lots more good advice on [ASP].NET security to cover a few more of the typical risks in web applications, and Microsoft have a good security for .NET Core introduction too:

owasp.org/index.php/.NET_Security_...
docs.microsoft.com/en-us/aspnet/co...

Like a lot of security controls, it's good to understand /why/ we should use them too, so thanks for starting with a couple of principles!

owasp.org/index.php/Security_by_De...

Leonardo Azize Martins

Maybe this one is interesting:
securityheaders.com

Matt Ferderer

I would advise against HPKP. It's difficult & dangerous to do correctly. See scotthelme.co.uk/im-giving-up-on-h... for more.

Love the rest of the tips though!

Praneet Nadkar

Hey Laura, thanks for this post!
A whole new set of headers in my head now