Net Core security - NWebSec to the rescue!

Laura Weatherhead on November 30, 2018

A quick overview of securing a Net Core webapp using NWebSec and the web.config First up, let's install NWebSec middleware from nuget via the pack...
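As an added example (not the article's own code, which is cut off above), the following `Startup` shows how the headers discussed in this thread can be applied in ASP.NET Core 2.x with the NWebsec.AspNetCore.Middleware package. The CDN host is a placeholder, and HPKP is deliberately left out because it is deprecated, as the comments below note.

```csharp
// Added example, not the article's own code: a minimal ASP.NET Core 2.x
// Startup.Configure that sets the common security headers with the
// NWebsec.AspNetCore.Middleware NuGet package. Host names are placeholders.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // HSTS only once the site is reliably served over TLS: the
            // max-age is a commitment browsers remember for a full year.
            app.UseHsts(opts => opts.MaxAge(days: 365).IncludeSubdomains().Preload());
        }
        app.UseHttpsRedirection();

        // Stop MIME sniffing and clickjacking, limit what the Referer leaks.
        app.UseXContentTypeOptions();
        app.UseXfo(opts => opts.Deny());
        app.UseReferrerPolicy(opts => opts.StrictOriginWhenCrossOrigin());
        app.UseXXssProtection(opts => opts.EnabledWithBlockMode());

        // CSP: own origin by default; scripts from our origin plus one named
        // CDN (placeholder host); no framing by anyone; upgrade http:// subresources.
        app.UseCsp(opts => opts
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self().CustomSources("https://cdn.example.com"))
            .StyleSources(s => s.Self())
            .ImageSources(s => s.Self().CustomSources("data:"))
            .FrameAncestors(s => s.None())
            .UpgradeInsecureRequests());

        // Rejects redirects to other hosts (open-redirect guard); only the
        // same host over https is allowed as a redirect target.
        app.UseRedirectValidation(opts => opts.AllowSameHostRedirectsToHttps());

        // Deliberately no app.UseHpkp(...): HPKP is deprecated and a wrong pin
        // locks users out of the site for the whole max-age.

        // Header middleware is registered before MVC and static files so every
        // response, including error pages, carries the headers.
        app.UseStaticFiles();
        app.UseMvc();
    }
}
```

After deploying, a response check (for example with `curl -I` or the securityheaders.com scanner mentioned in the comments) should show Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection and Content-Security-Policy on every page; tighten the CSP source lists from there, since the `Self()`-only policy will break inline scripts and styles until they are moved into files or given nonces.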
Jamie

Interesting stuff.

I have some ASP NET Core middleware which does this, too (great minds and all that). The entire thing is open source and available at GitHub. It even has a default builder which will supply the recommended header values.

Interestingly, I would avoid HPKP as it has been deprecated

Marmalade

Thanks for this, Laura. I'm also rusty/still under construction when it comes to security best practices, and your article has given me a kick in the right direction to do some further learning. +1 unicorn for you.

Laura Weatherhead

Awww, glad I could be of help! It was definitely a case of “if I don’t write this down right now then in 4 months’ time I’ll have exactly the same problems!” :)

Marmalade

Tell me about it. It's one of those aspects of development that, whilst super important, is also not something you do as often as the rest of your development workflow, so it takes a bit more time and effort to learn. At least that's how I've found it anyways.

Thanks again!

Phil Ashby

Thanks Laura, a nice way to sort out response headers :)

OWASP have (as ever) lots more good advice on [ASP].NET security to cover a few more of the typical risks in web applications, and Microsoft have a good security for .NET Core introduction too:

owasp.org/index.php/.NET_Security_...
docs.microsoft.com/en-us/aspnet/co...

Like a lot of security controls, it's good to understand /why/ we should use them too, so thanks for starting with a couple of principles!

owasp.org/index.php/Security_by_De...

Leonardo Azize Martins

Maybe this one is interesting:
securityheaders.com

Matt Ferderer

I would advise against HPKP. It's difficult & dangerous to do correctly. See scotthelme.co.uk/im-giving-up-on-h... for more.

Love the rest of the tips though!

Praneet Nadkar

Hey Laura, thanks for this post!
A whole new set of headers in my head now