Brickmakers.AspSecurityHeaders
1.2.2
Prefix Reserved
See the version list below for details.
dotnet add package Brickmakers.AspSecurityHeaders --version 1.2.2
NuGet\Install-Package Brickmakers.AspSecurityHeaders -Version 1.2.2
<PackageReference Include="Brickmakers.AspSecurityHeaders" Version="1.2.2" />
paket add Brickmakers.AspSecurityHeaders --version 1.2.2
#r "nuget: Brickmakers.AspSecurityHeaders, 1.2.2"
// Install Brickmakers.AspSecurityHeaders as a Cake Addin #addin nuget:?package=Brickmakers.AspSecurityHeaders&version=1.2.2 // Install Brickmakers.AspSecurityHeaders as a Cake Tool #tool nuget:?package=Brickmakers.AspSecurityHeaders&version=1.2.2
BRICKMAKERS ASP.Net Security Headers
A small package for ASP.Net (Core) to automatically configure secure HTTP-Headers.
<small><i><a href='http://ecotrust-canada.github.io/markdown-toc/'>Table of contents generated with markdown-toc</a></i></small>
Features
- Secure defaults for HTTP-Headers, CSP, Cookies and more
- Opt-Out mechanism for different security controls
- Easily configurable via
IApplicationBuilder.UseBmSecurityHeaders()
extension- Or use
IApplicationBuilder.UseBmApiSecurityHeaders()
for API-Projects
- Or use
- Developed and Maintained by the BRICKMAKERS Security Advisory Team
- Based on the widely used NetEscapades.AspNetCore.SecurityHeaders
- Easy integration in any project and build pipelines
Installation
This package is available on NuGet.org, you can simply add it to your C#-Project like any other dependency.
Usage
To get started, all you have to to is to register the middleware in the Configure
method. This should happen at the
beginning of the method to ensure the headers are added to all responses, as different middlewares might end
processing early, which would prevent the headers from being set:
public void Configure(IApplicationBuilder app)
{
// ! Should be the first step in the Configure method
// For "normal" Websites or combinations of Websites and APIs
app.UseBmSecurityHeaders();
// For pure APIs
app.UseBmApiSecurityHeaders();
// continue as usual with configuring the application
// ...
}
This will add all security headers, as well as a strict CSP and cookie policy. To further configure it and opt out of
certain security controls, you can use the configure
parameter of the method. In the following example, scripts,
styles and images are allowed to be loaded from the current origin and the minimum cookie same site requirements are
reduced to be lax instead of strict.
public void Configure(IApplicationBuilder app)
{
app.UseBmSecurityHeaders(collection => collection // Or .UseBmApiSecurityHeaders for APIs
.AddBmContentSecurityPolicy(builder =>
{
builder.AddScriptSrc().Self();
builder.AddStyleSrc().Self();
builder.AddImgSrc().Self();
})
.SetMinimumSameSitePolicy(SameSiteMode.Lax));
// ...
}
Using the Built-In CSP Report Controller
The library includes a ready-made API-Controller to automatically report CSP-Violations. It will provide an endpoint to be used by the browser to report CSP errors and log them as error message. If you want to use the controller, there are a few steps that need to be taken.
First, you have to add the controller to the MVC instance inside of the ConfigureServices
method. Typically,
the AddMvc
method is used, but you can also use any other of the MVC initializers, like for example AddControllers
in case of a pure API.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc()
.AddSecurityControllers();
// works on .AddRazorPages() and .AddControllers() as well
}
In the case that this is the first controller you add to your project, you also need to ensure that controllers are
correctly mapped to endpoints. You can do so via the UseEndpoints
method at the end of Configure
:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// do your normal setup
// ...
// at the end, UseEndpoints should already exist
app.UseEndpoints(endpoints =>
{
// this one must be present
endpoints.MapControllers();
// other mappings, e.g. MapRazorPages, depends on your application
// ...
});
}
Finally, you need to actually set the report URI in the CSP. This can be done by adding it inside the CSP builder of
the UseBmSecurityHeaders
by adding AddBmReportController
to the CSP. This automatically sets the report uri to the
CSP controller on this server.
public void Configure(IApplicationBuilder app)
{
app.UseBmSecurityHeaders(collection => collection // Or .UseBmApiSecurityHeaders for APIs
.AddBmContentSecurityPolicy(builder =>
{
// setup your CSP
// ...
builder.AddBmReportController();
})
.SetMinimumSameSitePolicy(SameSiteMode.Lax));
// ...
}
In case you also have additional projects that should also report to this controller, or in case you separate API and
web project, the controller will always be accessible via https://<host>/CspReport
. You can use it as any other CSP
reporting endpoint.
Attributions & Background
This project is heavily based on NetEscapades.AspNetCore.SecurityHeaders, thanks to everyone involved on that project.
The reason this package exists is because it enforces even stricter defaults than the original package and adds additional features. It has not been integrated into the original security headers, as some of these feature would be breaking changes and too strict for some users.
However, we at BRICKMAKERS prefer to use tight secure defaults, which is why we created this package. It will always set everything to no by default and may add new, even more restricting headers in the future.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 is compatible. net5.0-windows was computed. net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp3.1 is compatible. |
-
.NETCoreApp 3.1
- Microsoft.AspNetCore.CookiePolicy (>= 2.2.8)
- Microsoft.AspNetCore.Http.Abstractions (>= 2.2.0)
- NetEscapades.AspNetCore.SecurityHeaders (>= 0.16.1)
-
net5.0
- Microsoft.AspNetCore.CookiePolicy (>= 2.2.8)
- Microsoft.AspNetCore.Http.Abstractions (>= 2.2.0)
- NetEscapades.AspNetCore.SecurityHeaders (>= 0.16.1)
-
net6.0
- Microsoft.AspNetCore.CookiePolicy (>= 2.2.8)
- Microsoft.AspNetCore.Http.Abstractions (>= 2.2.0)
- NetEscapades.AspNetCore.SecurityHeaders (>= 0.16.1)
NuGet packages (2)
Showing the top 2 NuGet packages that depend on Brickmakers.AspSecurityHeaders:
Package | Downloads |
---|---|
Brickmakers.AspSecurityHeaders.OrchardModule
An Orchard Core MVC module to automatically configure secure HTTP-Headers. |
|
Brickmakers.AspSecurityHeaders.Generators
A small package for ASP.Net (Core) to automatically configure secure HTTP-Headers. |
GitHub repositories
This package is not used by any popular GitHub repositories.
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [1.2.2] - 2022-01-26
### Added
- Added package icon
## [1.2.1] - 2022-01-26
### Changed
- First public release on GitHub and NuGet.org
## [1.2.0] - 2021-12-21
### Added
- `CspReportController`: Easily report CSP violations via the built-in controller
- Integration Tests
- Support for .Net 6
## [1.1.0] - 2021-10-21
### Added
- `UseBmApiSecurityHeaders`: Add Configuration method for pure APIs
## [1.0.2] - 2021-10-12
### Security
- Disable HSTS preload by default
## [1.0.1] - 2021-10-11
### Added
- Initial Release
## [Unreleased]
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security