GaProgMan/OwaspHeaders.Corev10.2.0
.NET 8.0.NET 9.0.NET 10.0
An ASP.NET Core Middleware which adds the OWASP recommended HTTP headers, with a single line of code, for enhanced security.
Get Started
$ dotnet add package OwaspHeaders.CoreReadme
OwaspHeaders.Core
An ASP .NET Core middleware for injection OWASP recommended HTTP Headers for increased security. This project is designed against the OWASP Secure Headers Project.
Quick Starts
- Create a .NET (either Framework, Core, or 5+) project which uses ASP .NET Core
Example;
dotnet new webapi -n exampleProject
- Add a reference to the OwaspHeaders.Core NuGet package.
Example:
dotnet add package OwaspHeaders.Core
- Alter the program.cs file to include the following:
app.UseSecureHeadersMiddleware();
This will add a number of default HTTP headers to all responses from your server component.
The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024)
strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp
x-xss-protection: 0
Please note: The above example contains only the headers added by the Middleware.
Source Code Repo
The source code for this NuGet package can be found at: https://github.com/GaProgMan/OwaspHeaders.Core.
Documentation
The documentation for this NuGet package can be found at: https://gaprogman.github.io/OwaspHeaders.Core/.
Attestations
As of PR 148, OwaspHeaders.Core uses the GitHub provided process for creating attestations per build. This document talks through how to verify those attestations using the .