Conversation

@shahabganji (Contributor) commented Sep 6, 2025

This pull request contains the security headers to improve security on the blog!

After adding this PR, the rating on securityheaders.com increased to A.

[image: securityheaders.com rating]

Integrated `NetEscapades.AspNetCore.SecurityHeaders` to enforce default and API-specific security header policies. Updated `Program.cs` to define and use the new security header configurations. Modified project files and dependencies to reference the necessary package for implementation. These updates improve application security against common vulnerabilities.
Included `NetEscapades.AspNetCore.SecurityHeaders` in `Directory.Packages.props` to enhance security header configurations. This addition supports improved protection against web vulnerabilities by leveraging default policies provided by the package. No functional changes yet; the package has been added for future integration.
Added Cross-Origin Embedder Policy with UnsafeNone directive to enable embedding YouTube videos, and stricter Permissions Policy for camera, microphone, and geolocation. These updates improve protection against cross-origin attacks and unauthorized access. Updated service configurations in `Program.cs` to apply these enhanced measures. This change bolsters application security and adheres to best practices.
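As an added illustration (not the PR's actual `Program.cs`), this is how the package described above is wired up with a default policy plus a separate API policy, including the Cross-Origin-Embedder-Policy `unsafe-none` override that keeps YouTube embeds working and the camera/microphone/geolocation restrictions. The policy name `"Api"`, the YouTube origin and the two endpoints are assumptions.

```csharp
// Added example: minimal Program.cs using NetEscapades.AspNetCore.SecurityHeaders.
// The "Api" policy name, the YouTube origin and the endpoints are assumptions.
using NetEscapades.AspNetCore.SecurityHeaders;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSecurityHeaderPolicies()
    // Default policy: applied to every response that no endpoint overrides.
    .SetDefaultPolicy(policy => policy
        // Package defaults: nosniff, X-Frame-Options DENY, HSTS, Referrer-Policy,
        // COOP/CORP/COEP, Server header removed, baseline CSP.
        .AddDefaultSecurityHeaders()
        // Later calls replace the header set by the defaults. COEP require-corp
        // would block a cross-origin YouTube iframe, so relax it to unsafe-none.
        .AddCrossOriginEmbedderPolicy(coep => coep.UnsafeNone())
        // Deny the sensitive device/location features outright.
        .AddPermissionsPolicy(pp =>
        {
            pp.AddCamera().None();
            pp.AddMicrophone().None();
            pp.AddGeolocation().None();
        })
        // A CSP that still allows the embed origin (assumed) in frame-src.
        .AddContentSecurityPolicy(csp =>
        {
            csp.AddDefaultSrc().Self();
            csp.AddObjectSrc().None();
            csp.AddFrameAncestors().None();
            csp.AddFrameSrc().Self().From("https://www.youtube.com");
        }))
    // API policy: JSON endpoints need no CSP or Permissions-Policy, but must
    // still not be sniffed, framed or leak the Server header.
    .AddPolicy("Api", policy => policy
        .AddContentTypeOptionsNoSniff()
        .AddFrameOptionsDeny()
        .AddReferrerPolicyNoReferrer()
        .RemoveServerHeader());

var app = builder.Build();

// Must be registered before anything that starts writing the response.
app.UseSecurityHeaders();

app.MapGet("/", () => "blog home");                 // gets the default policy
app.MapGet("/api/posts", () => new[] { "post-1" })  // assumed endpoint
   .WithSecurityHeadersPolicy("Api");               // opts into the API policy

app.Run();
```

A quick check is `curl -I` against `/` and `/api/posts`: the first should carry `Cross-Origin-Embedder-Policy: unsafe-none` and a `Permissions-Policy` header, the second neither.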
@linkdotnet (Owner) commented:
Hey @shahabganji - thanks for the PR. Really welcome that, and that is an obvious gap.

In one of my customer projects we are using a very simplistic solution:

```csharp
using Microsoft.AspNetCore.Builder;

public static class HttpHeaderMiddlewareExtensions
{
    public static void UseHttpHeaderSecurity(this IApplicationBuilder app)
    {
        // Inline middleware: set the headers before the next component writes the response.
        app.Use((context, next) =>
        {
            context.Response.Headers.Append("X-Frame-Options", "DENY");
            context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
            // Legacy header; current browsers ignore it, the CSP below is the effective control.
            context.Response.Headers.Append("X-Xss-Protection", "1; mode=block");
            context.Response.Headers.Append("X-Content-Type-Options", "nosniff");
            context.Response.Headers.Append("Referrer-Policy", "no-referrer");
            context.Response.Headers.Append("Permissions-Policy",
                "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()");
            context.Response.Headers.Append("Content-Security-Policy",
                "default-src 'self'");
            return next();
        });
    }
}
```

Is there any major advantage for the micro package over those few lines of code?

@shahabganji (Contributor, Author) commented:
Hi @linkdotnet

In practice, not really! It adds some more headers and makes sure they are added properly!

[image]

This is what Andrew Lock pointed out in this post:

> The main problem with security headers is that there are a lot of them, and the list is generally growing and evolving, with new headers being introduced and others being retired. What's more, different headers use different patterns for lists—some use `;` separators, others use `,`, and others use a space—so it's easy to set them up incorrectly.
> The NetEscapades.AspNetCore.SecurityHeaders package aims to help you set up security headers for your ASP.NET Core app. It provides sensible defaults, with a fluent builder pattern for customizing and configuring the headers for your specific application requirements.

I think it'd be easier for someone who does not know how the security headers should be added or created to use this package! For me, whatever works in the long run for the maintenance of this repo is fine!

@linkdotnet (Owner) commented:
Let’s get that in then!

@linkdotnet linkdotnet merged commit 50ab026 into linkdotnet:master Sep 6, 2025
3 checks passed