Conversation
Integrated `NetEscapades.AspNetCore.SecurityHeaders` to enforce default and API-specific security header policies. Updated `Program.cs` to define and use the new security header configurations. Modified project files and dependencies to reference the necessary package for implementation. These updates improve application security against common vulnerabilities.
Included `NetEscapades.AspNetCore.SecurityHeaders` in `Directory.Packages.props` to enhance security header configurations. This addition supports improved protection against web vulnerabilities by leveraging default policies provided by the package. No functional changes yet; the package has been added for future integration.
Added Cross-Origin Embedder Policy with UnsafeNone directive to enable embedding YouTube videos, and stricter Permissions Policy for camera, microphone, and geolocation. These updates improve protection against cross-origin attacks and unauthorized access. Updated service configurations in `Program.cs` to apply these enhanced measures. This change bolsters application security and adheres to best practices.
Hey @shahabganji - thanks for the PR. Really welcomed that and that is an obvious gap. In one of my customer projects we are using a very simplistic solution:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class HttpHeaderMiddlewareExtensions
{
    public static void UseHttpHeaderSecurity(this IApplicationBuilder app)
    {
        // Inline middleware: append the security headers to every response,
        // then hand control to the next component in the pipeline.
        app.Use((context, func) =>
        {
            context.Response.Headers.Append("X-Frame-Options", "DENY");
            context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
            context.Response.Headers.Append("X-Xss-Protection", "1; mode=block");
            context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
            context.Response.Headers.Append("Referrer-Policy", "no-referrer");
            context.Response.Headers.Append("Permissions-Policy",
                "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()");
            context.Response.Headers.Append("Content-Security-Policy",
                "default-src 'self'");
            return func();
        });
    }
}
```

Is there any major advantage for the micro package over those few lines of code?
Hi @linkdotnet In practice, not really! It adds some more headers and makes sure they are added properly!
This is what Andrew Lock pointed out in this post
I think it'd be easier for someone who does not know how the security headers should be added or created to use this package! For me, whatever works in the long run for the maintenance of this repo is fine!
Let’s get that in then!

This pull request contains the security headers to improve security on the blog!
After adding this PR, the rating on securityheaders.com increased to A.
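An offline check of the kind securityheaders.com performs, added here as an example and not part of this PR or of the NetEscapades package: it audits a response-header set for the headers the thread relies on (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, a CSP with a default-src fallback, and a Permissions-Policy that denies camera, microphone and geolocation). The sample header set is constructed from the hand-rolled middleware above.

```python
from typing import Dict, List

# Headers the thread relies on, with the values that count as correctly set.
REQUIRED = {
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
    "referrer-policy": ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}
# Features the PR's stricter Permissions-Policy must deny outright.
DENIED_FEATURES = ("camera", "microphone", "geolocation")

# Constructed sample: the headers emitted by the hand-rolled middleware in the thread.
HANDROLLED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()",
    "Content-Security-Policy": "default-src 'self'",
}


def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Split 'camera=(), geolocation=(self)' into {'camera': '()', 'geolocation': '(self)'}."""
    policy = {}
    for directive in value.split(","):
        if "=" in directive:
            feature, allowlist = directive.split("=", 1)
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers; an empty list means the set passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name, allowed in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() not in allowed:
            findings.append(f"weak {name}: {h[name]}")
    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("content-security-policy lacks a default-src fallback")
    policy = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DENIED_FEATURES:
        if policy.get(feature) != "()":
            findings.append(f"permissions-policy does not deny {feature}")
    # X-XSS-Protection is a legacy header; OWASP recommends sending 0 or omitting it.
    if h.get("x-xss-protection", "0") != "0":
        findings.append("x-xss-protection is legacy: send 0 or omit it")
    return findings
```

Run `audit_headers` over the headers captured from a real response (for example `dict(requests.get(url).headers)`) to see which of the thread's headers a deployment is actually sending.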