{"id":25399290,"url":"https://github.com/ajtatum/babou.aspnetcore.securityextensions","last_synced_at":"2026-04-11T21:33:54.369Z","repository":{"id":77328070,"uuid":"228660011","full_name":"ajtatum/Babou.AspNetCore.SecurityExtensions","owner":"ajtatum","description":"Babou is concerned about security, so I created a .NET Standard 2.0 Security Extensions package for him. Babou is from the TV show Archer and is not affiliated with this package.","archived":false,"fork":false,"pushed_at":"2021-05-29T13:02:29.000Z","size":3957,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-11T21:16:05.205Z","etag":null,"topics":["asp-net-core","babou","dotnet","dotnetcore","dotnetcore3","http-headers","security"],"latest_commit_sha":null,"homepage":"https://ajt.io","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ajtatum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-12-17T16:43:58.000Z","updated_at":"2023-11-23T10:18:48.000Z","dependencies_parsed_at":"2023-06-27T05:24:55.313Z","dependency_job_id":null,"html_url":"https://github.com/ajtatum/Babou.AspNetCore.SecurityExtensions","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ajtatum/Babou.AspNetCore.SecurityExtensions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajtatum%2FBabou.AspNetCore.SecurityExtensions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajtatu
m%2FBabou.AspNetCore.SecurityExtensions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajtatum%2FBabou.AspNetCore.SecurityExtensions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajtatum%2FBabou.AspNetCore.SecurityExtensions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ajtatum","download_url":"https://codeload.github.com/ajtatum/Babou.AspNetCore.SecurityExtensions/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajtatum%2FBabou.AspNetCore.SecurityExtensions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279073582,"owners_count":26097434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-15T02:00:07.814Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asp-net-core","babou","dotnet","dotnetcore","dotnetcore3","http-headers","security"],"created_at":"2025-02-15T23:37:54.787Z","updated_at":"2025-10-15T10:35:24.665Z","avatar_url":"https://github.com/ajtatum.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"![alt text](https://raw.githubusercontent.com/ajtatum/Babou.AspNetCore.SecurityExtensions/master/assets/Babou-150x150.png \"Babou loves security!\") \u003c!-- markdownlint-disable --\u003e\r\n\r\n# 
**Babou.AspNetCore.SecurityExtensions**\r\n\r\n[![Build status](https://ci.appveyor.com/api/projects/status/3erthjnqds2fb6x7?svg=true)](https://ci.appveyor.com/project/ajtatum/babou-aspnetcore-securityextensions)\r\n\r\nContains a set of extensions which can help you make your web applications more secure.\r\n\r\n## **Install**\r\n\r\nView the NuGet package at https://www.nuget.org/packages/Babou.AspNetCore.SecurityExtensions/\r\n\r\n* **Package Manager:** Install-Package Babou.AspNetCore.SecurityExtensions\r\n* **.NET CLI:** dotnet add package Babou.AspNetCore.SecurityExtensions\r\n\r\n## **Table of contents**\r\n\r\n**Tag Helpers**\r\n\r\n- NoOpener\r\n- Subresource Integrity\r\n- Upgrade Insecure Resources\r\n\r\n**Middlewares**\r\n\r\n- Features\r\n  - Redirect Policy\r\n  - Require Authenticated Identity\r\n- Headers\r\n  - Content Security Policy\r\n  - Custom Headers\r\n  - Expect CT\r\n  - Feature Policy\r\n  - Frame Options\r\n  - HTTP Public Key Pinning\r\n  - Referrer Policy\r\n  - Report To\r\n  - X-Content-Type-Options\r\n  - X-Download-Options\r\n  - X-Permitted-Cross-Domain-Policies\r\n  - X-Robots-Tag\r\n  - X-UA-Compatible\r\n  - X-XSS-Protection\r\n\r\n## **Features**\r\n\r\n### **Content-Security-Policy**\r\n\r\nAdds the `Content-Security-Policy` header to responses with content type `text/html`.\r\n\r\n```csharp\r\napp.UseContentSecurityPolicy(new CspDirectiveList\r\n{\r\n    DefaultSrc = CspDirective.None,\r\n    StyleSrc = StyleCspDirective.Self,\r\n    ScriptSrc = ScriptCspDirective.Self\r\n        .AddSource(new Uri(\"https://az416426.vo.msecnd.net/\")), // Application Insights\r\n    ImgSrc = CspDirective.Self\r\n        .AddDataScheme(),\r\n    FontSrc = CspDirective.Self,\r\n    ConnectSrc = CspDirective.Empty\r\n        .AddSource(new Uri(\"https://dc.services.visualstudio.com/\")),\r\n});\r\n```\r\n\r\n### **Cross Origin Resource Sharing**\r\n\r\nUse the built-in support in ASP.NET Core 3.0.\r\n\r\n### **Custom Headers**\r\n\r\nAdd or remove 
any header that you'd like.\r\n\r\n```csharp\r\napp.AddCustomHeaders(\"headerName\", \"headerValue\");\r\n```\r\n\r\n```csharp\r\napp.RemoveHeader(\"headerName\");\r\n```\r\n\r\n### **Expect-CT**\r\n\r\nAdds the `Expect-CT` header, which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.\r\n\r\n```csharp\r\napp.UseExpectCT(enforce: true, maxAge: TimeSpan.FromHours(1));\r\n```\r\n\r\n### **Feature-Policy**\r\n\r\nAdds the `Feature-Policy` header to responses with content type `text/html`.\r\n\r\n```csharp\r\napp.UseFeaturePolicy(\r\n    new FeatureDirectiveList()\r\n        .Add(PolicyFeature.Payment, \"https://payment.example.org/\")\r\n        .AddNone(PolicyFeature.Microphone)\r\n        .AddSelf(PolicyFeature.FullScreen)\r\n);\r\n```\r\n\r\n### **Frame Options**\r\n\r\nAdds the `Frame-Options` and `X-Frame-Options` headers to responses with content type `text/html`.\r\n\r\n```csharp\r\napp.UseFrameOptions(FrameOptionsPolicy.Deny);\r\n```\r\n\r\nIf you want to allow the page to be displayed in a frame on a particular origin, you can set it like this:\r\n\r\n```csharp\r\napp.UseFrameOptions(new Uri(\"https://www.example.org\"));\r\n```\r\n\r\n### **HTTP Strict Transport Security**\r\n\r\nUse the built-in support in ASP.NET Core 3.0.\r\n\r\n### **HTTP Public Key Pinning**\r\n\r\nAdds the `Public-Key-Pinning` header to all responses.\r\n\r\n```csharp\r\napp.UseHttpPublicKeyPinning(options =\u003e options\r\n    .Pin(fingerprint1, HttpPublicKeyPinningHashAlgorithm.Sha256)\r\n    .Pin(fingerprint2, HttpPublicKeyPinningHashAlgorithm.Sha256)\r\n);\r\n```\r\n\r\n### **NoOpener**\r\n\r\nA tag helper that adds the missing `noopener` link relationship type to your `a` tags that open in another frame and don't reference the same origin.\r\n\r\nAdd an import for the tag helper (in your `_ViewImports.cshtml` if you have one):\r\n\r\n```cshtml\r\n@addTagHelper *, Babou.AspNetCore.SecurityExtensions.NoOpener\r\n```\r\n\r\nYou don't need 
any additional changes; the tag helper applies to all links. For example:\r\n\r\n```html\r\n\u003ca href=\"https://example.org/malicious.html\" target=\"_blank\"\u003eClick here\u003c/a\u003e\r\n```\r\n\r\nAnd adds the missing `rel` attribute:\r\n\r\n```html\r\n\u003ca href=\"https://example.org/malicious.html\" target=\"_blank\" rel=\"noopener\"\u003eClick here\u003c/a\u003e\r\n```\r\n\r\n### **Redirect Policy**\r\n\r\nRestricts server-side redirects to trusted origins only.\r\n\r\n```csharp\r\napp.UseRedirectPolicy();\r\n```\r\n\r\nYou can also specify the trusted origins:\r\n\r\n```csharp\r\napp.UseRedirectPolicy(allowedBaseUris: \"https://www.example.org\");\r\n```\r\n\r\n### **Referrer Policy**\r\n\r\nAdds the `Referrer-Policy` header to all responses.\r\n\r\n```csharp\r\napp.UseReferrerPolicy(ReferrerPolicy.SameOrigin);\r\n```\r\n\r\n### **Report-To**\r\n\r\nAdds the `Report-To` header to all responses.\r\n\r\n```csharp\r\napp.UseReportTo(new ReportingGroup(\r\n    maxAge: TimeSpan.FromDays(30),\r\n    endpoint: \"https://example.org/browser-report\"\r\n));\r\n```\r\n\r\n### **Require Authenticated Identity**\r\n\r\nThis is a middleware that you can use to require an authenticated identity on the `HttpContext` before the request proceeds. For example, you can use this middleware to require authentication for static files.\r\n\r\n```csharp\r\napp.UseWhen(\r\n    context =\u003e context.Request.Path.StartsWithSegments(\"/dist\"),\r\n    branch =\u003e branch.UseRequireAuthenticatedIdentity()\r\n);\r\n```\r\n\r\nNotes:\r\n\r\n- `401` is returned when there is no authenticated user\r\n\r\n### **Subresource Integrity**\r\n\r\nA tag helper that computes the `integrity` attribute for linked styles and scripts from remote origins. 
It also adds the `crossorigin` attribute with the value `anonymous`.\r\n\r\nAdd the required services (in your `Startup.cs`):\r\n\r\n```csharp\r\nservices.AddSubresourceIntegrity();\r\n```\r\n\r\nAdd an import for the tag helper (in your `_ViewImports.cshtml` if you have one):\r\n\r\n```cshtml\r\n@addTagHelper *, Babou.AspNetCore.SecurityExtensions.SubresourceIntegrity\r\n```\r\n\r\nYou don't need any additional changes; the tag helper applies to styles and scripts. For example:\r\n\r\n```html\r\n\u003clink rel=\"stylesheet\" href=\"https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css\" /\u003e\r\n\u003cscript src=\"https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js\"\u003e\u003c/script\u003e\r\n```\r\n\r\nAnd adds the `integrity` and `crossorigin` attributes:\r\n\r\n```html\r\n\u003clink rel=\"stylesheet\" href=\"https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css\" integrity=\"sha256-YLGeXaapI0/5IgZopewRJcFXomhRMlYYjugPLSyNjTY=\" crossorigin=\"anonymous\" /\u003e\r\n\u003cscript src=\"https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js\" integrity=\"sha256-CjSoeELFOcH0/uxWu6mC/Vlrc1AARqbm/jiiImDGV3s=\" crossorigin=\"anonymous\"\u003e\u003c/script\u003e\r\n```\r\n\r\nNotes:\r\n\r\n- If the `integrity` attribute is already present, the tag helper skips that element and does not compute or validate the hash.\r\n- If the remote resource is not available, a warning is logged and the `integrity` attribute is not included. 
Page rendering is not interrupted.\r\n- The hash algorithm used is SHA-256.\r\n- Hashes are cached in a memory cache indefinitely.\r\n\r\n### **Upgrade Insecure Resources**\r\n\r\nA tag helper that upgrades insecure link, style, script and image references to HTTPS.\r\n\r\nAdd an import for the tag helper (in your `_ViewImports.cshtml` if you have one):\r\n\r\n```cshtml\r\n@addTagHelper *, Babou.AspNetCore.SecurityExtensions.UpgradeInscureResources\r\n```\r\n\r\nYou don't need any additional changes; the tag helper applies to all `href` and `src` attributes. For example:\r\n\r\n```html\r\n\u003ca href=\"http://example.org/page\"\u003eClick here\u003c/a\u003e\r\n\u003cscript src=\"http://example.org/script.js\"\u003e\u003c/script\u003e\r\n```\r\n\r\nThese will be rewritten to:\r\n\r\n```html\r\n\u003ca href=\"https://example.org/page\"\u003eClick here\u003c/a\u003e\r\n\u003cscript src=\"https://example.org/script.js\"\u003e\u003c/script\u003e\r\n```\r\n\r\n### **X-Content-Type-Options**\r\n\r\nAdds the `X-Content-Type-Options` header to all responses.\r\n\r\n```csharp\r\napp.UseXContentTypeOptions(XContentTypeOptions.NoSniff);\r\n```\r\n\r\n### **X-Download-Options**\r\n\r\nAdds the `X-Download-Options` header to each file download.\r\n\r\n```csharp\r\napp.UseXDownloadOptions(XDownloadOptions.NoOpen);\r\n```\r\n\r\n### **X-Permitted-Cross-Domain-Policies**\r\n\r\nAdds the `X-Permitted-Cross-Domain-Policies` header to all responses.\r\n\r\n```csharp\r\napp.UseXPermittedCrossDomainPolicies(PermittedCrossDomainPolicy.None);\r\n```\r\n\r\n### **X-Robots-Tag**\r\n\r\nAdds the `X-Robots-Tag` header to all responses.\r\n\r\n```csharp\r\napp.UseXRobotsTag(noIndex: true, noFollow: true);\r\n```\r\n\r\n### **X-UA-Compatible**\r\n\r\nAdds the `X-UA-Compatible` header to each response with the `text/html` media type.\r\n\r\n```csharp\r\napp.UseXUACompatible(InternetExplorerCompatibiltyMode.Edge);\r\n```\r\n\r\n### **X-XSS-Protection**\r\n\r\nAdds the `X-XSS-Protection` header to each response with 
the `text/html` media type. The default setting enables protection and sets it to `block` mode.\r\n\r\n```csharp\r\napp.UseXXSSProtection();\r\n```\r\n\r\n#### Developed by AJ Tatum\r\n\r\n[![ajtatum.com](https://img.icons8.com/clouds/50/000000/domain.png \"ajtatum.com\")](https://ajtatum.com/?utm_source=github\u0026utm_medium=website\u0026utm_campaign=babou_security)\r\n\r\n[Icons by Icons8](https://icons8.com/)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajtatum%2Fbabou.aspnetcore.securityextensions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fajtatum%2Fbabou.aspnetcore.securityextensions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajtatum%2Fbabou.aspnetcore.securityextensions/lists"}