ASP.NET Core security headers

          

Scenario: Add or remove security headers as recommended by a security scan

Solution:

  1. securityheaders.io scans the website and reports the weaknesses it finds, along with the HTTP response headers that should be added (or removed) to improve security.
  2. These headers can be added through middleware (works on any host, including Kestrel) or through web.config (applies only when the app is hosted in IIS, because IIS reads those settings, not the application).
  3. Below is the way to add a header through middleware. The middleware must be registered before UseEndpoints (or UseMvc on ASP.NET Core 2.x) so that it runs for every response, and the header must be set before the response starts, i.e. before control is handed to next().

    //middleware (Startup.Configure, registered before UseEndpoints / UseMvc)
    app.Use(async (context, next) =>
    {
        // Only add the header if nothing has already set it:
        // Headers.Add throws an ArgumentException if the key already exists.
        if (!context.Response.Headers.ContainsKey("headerName"))
        {
            context.Response.Headers.Add("headerName", "headerValue");
        }
        // Set headers before passing control on: once the response body has
        // started, the header collection is read-only and modifying it throws.
        await next();
    });
    
    //Web.config (IIS hosting only)
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Header-Name" value="Header-Value" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

  4. Some of the common security headers to add or remove

    //Server (IIS)
    <system.webServer>
      <security>
        <!-- removeServerHeader needs IIS 10 (Windows Server 2016) or later.
             Kestrel sends its own "Server: Kestrel" header, which this setting
             does not touch; it is controlled by KestrelServerOptions.AddServerHeader. -->
        <requestFiltering removeServerHeader="true" />
      </security>
    </system.webServer>
    
    //X-Powered-By
    <system.webServer>
    <httpProtocol>
      <customHeaders>
    	<remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    </system.webServer>
    
    
    //X-Frame-Options [clickjacking: refuse to be rendered inside a frame]
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    
    //X-Xss-Protection [legacy browser XSS filter]
    // Note: current browsers have removed this filter, and OWASP now recommends
    // "0" (or omitting the header) and relying on Content-Security-Policy instead.
    context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
    
    //X-Content-Type-Options [stops MIME sniffing of the response body]
    
    //middleware
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    
    //web.config
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Content-Type-Options" value="nosniff" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
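The snippets above are fragments. Below is a complete Program.cs that puts them together as an added example; it is not code from the original post. It assumes .NET 6+ minimal hosting on Kestrel (or IIS in-process) and a project with controllers; the SecurityHeadersMiddleware class and the "/" endpoint are constructed for the example. It goes slightly beyond the post by also switching off Kestrel's own Server header and by setting the headers in Response.OnStarting, which runs just before the headers are flushed and so avoids both the "response has already started" error and overwriting a value an endpoint set deliberately.

```csharp
// Program.cs, .NET 6+ minimal hosting. Added example, not code from the original post.
// Assumptions: Kestrel (or IIS in-process) hosting, controllers in the project;
// SecurityHeadersMiddleware and the "/" endpoint are constructed for this example.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System.Collections.Generic;
using System.Threading.Tasks;

var builder = WebApplication.CreateBuilder(args);

// Kestrel's counterpart of removeServerHeader="true": drop the "Server: Kestrel" header.
// (The web.config settings above only take effect under IIS.)
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);
builder.Services.AddControllers();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Strict-Transport-Security is built in; no need to add it by hand.
    app.UseHsts();
}
app.UseHttpsRedirection();

// Must be registered before routing/endpoints so every endpoint's response passes through it.
app.UseMiddleware<SecurityHeadersMiddleware>();

app.UseRouting();
app.MapControllers();
app.MapGet("/", () => "ok"); // constructed endpoint, handy for checking with curl -I

app.Run();

public sealed class SecurityHeadersMiddleware
{
    // Values taken from the post above. An endpoint that sets its own value keeps it.
    private static readonly Dictionary<string, string> Defaults = new()
    {
        ["X-Frame-Options"] = "DENY",
        ["X-Content-Type-Options"] = "nosniff",
        ["X-Xss-Protection"] = "1; mode=block",
    };

    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting fires just before the response headers are sent, after downstream
        // code has run, so the header collection is still writable here and we only
        // fill in headers that nothing else has set.
        context.Response.OnStarting(static state =>
        {
            var headers = ((HttpContext)state).Response.Headers;
            foreach (var (name, value) in Defaults)
            {
                if (!headers.ContainsKey(name))
                {
                    headers[name] = value;
                }
            }
            // X-Powered-By and the IIS "Server" header are added by IIS itself after the
            // app has written its response, so they can only be removed in web.config
            // as shown above; middleware cannot strip them.
            return Task.CompletedTask;
        }, context);

        return _next(context);
    }
}
```

After deploying, confirm the result with `curl -I https://your-host/` (or re-run the securityheaders.io scan): the three headers should appear on every response, and neither `Server` nor `X-Powered-By` should be present. If `X-Powered-By` is still there, the app is running behind IIS and the web.config `<remove>` above has not been applied.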
