{"id":16352108,"url":"https://github.com/bugthesystem/helmet","last_synced_at":"2025-03-23T01:30:52.892Z","repository":{"id":28097150,"uuid":"31595268","full_name":"bugthesystem/Helmet","owner":"bugthesystem","description":"Middlewares to help secure your apps","archived":false,"fork":false,"pushed_at":"2017-06-03T10:00:37.000Z","size":524,"stargazers_count":19,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-18T16:13:31.298Z","etag":null,"topics":["c-sharp","crossdomain","helmet","middleware","owin","owin-middleware","protection","xss"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bugthesystem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-03-03T11:35:38.000Z","updated_at":"2024-03-30T15:40:08.000Z","dependencies_parsed_at":"2022-09-02T19:00:40.345Z","dependency_job_id":null,"html_url":"https://github.com/bugthesystem/Helmet","commit_stats":null,"previous_names":["bugthesystem/helmet","ziyasal/helmet"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugthesystem%2FHelmet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugthesystem%2FHelmet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugthesystem%2FHelmet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugthesystem%2FHelmet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bugthesystem","download_url":"https://codeload.github.com/bugthesys
tem/Helmet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245043843,"owners_count":20551840,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c-sharp","crossdomain","helmet","middleware","owin","owin-middleware","protection","xss"],"created_at":"2024-10-11T01:25:00.059Z","updated_at":"2025-03-23T01:30:52.456Z","avatar_url":"https://github.com/bugthesystem.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# helmet.net\nMiddlewares to help secure your apps\n\n[![Build status](https://ci.appveyor.com/api/projects/status/032t00oscffq1jmd?svg=true)](https://ci.appveyor.com/project/ziyasal/helmet-net)\n\nTo install Helmet.Net, run the following command in the NuGet [Package Manager Console](http://docs.nuget.org/consume/package-manager-console):\n\n```sh\nInstall-Package Helmet.Net\n```\n\n\n## Middlewares\n\n* [X-XSS-Protection middleware](#x-xss-protection-middleware)\n* [\"Don't infer the MIME type\" middleware](#dont-infer-the-mime-type-middleware)\n* [Middleware to turn off caching](#middleware-to-turn-off-caching)\n* [IE, restrict untrusted HTML](#ie-restrict-untrusted-html)\n* [Frameguard middleware](#frameguard-middleware)\n* [Hide powered by](#hide-powered-by)\n* [Crossdomain](#crossdomain)\n* [Permanent Redirect middleware](#permanent-redirect-middleware)\n\n\n## X-XSS-Protection middleware\n\n**Trying to prevent:** Cross-site scripting attacks (XSS).\n\n**How we mitigate this:** The ```X-XSS-Protection``` HTTP header is a basic protection against XSS. 
It was originally introduced [by Microsoft](http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx), but Chrome has since adopted it as well. To use it:\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cXssFilterMiddleware\u003e();\n    //...\n  }\n}\n```\n\nThis sets the ```X-XSS-Protection``` header. On modern browsers, it will set the value to ```1; mode=block```. On old versions of Internet Explorer, this creates a vulnerability (see [here](http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) and [here](http://technet.microsoft.com/en-us/security/bulletin/MS10-002)), and so the header is set to ```0``` to disable it. To force the header on all versions of IE, add the option:\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cXssFilterMiddleware\u003e(new XssFilterOptions\n    {\n      SetOnOldIE = true\n    });\n    // This has some security problems for old IE!\n    //...\n  }\n}\n```\n\n**Limitations:** This isn't anywhere near as thorough as ```Content Security Policy```. It's only properly supported on IE9+ and Chrome; no other major browsers support it at this time. Old versions of IE support it in a buggy way, which we disable by default.\n\n\n## \"Don't infer the MIME type\" middleware\n\nSome browsers will try to \"sniff\" MIME types. For example, if my server serves file.txt with a text/plain content-type, some browsers can still run that file with ```\u003cscript src=\"file.txt\"\u003e\u003c/script\u003e```. Many browsers will allow file.js to be run even if the content-type isn't for JavaScript. 
There are [some other vulnerabilities](https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/), too.\n\nThis middleware keeps Chrome, Opera, and IE from doing this sniffing ([and Firefox soon](https://bugzilla.mozilla.org/show_bug.cgi?id=471020)). The following example sets the ```X-Content-Type-Options``` header to its only option, ```nosniff```:\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cDontSniffMimetypeMiddleware\u003e();\n    //...\n  }\n}\n```\n\n[MSDN has a good description](https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx) of how browsers behave when this header is sent.\n\nThis only protects against a certain kind of attack.\n\n\n## Middleware to turn off caching\n\nIt's possible that you've got bugs in an old HTML or JavaScript file, and with a cache, some users will be stuck with those old versions. This will (try to) abolish all client-side caching.\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cNoCacheMiddleware\u003e();\n    //...\n  }\n}\n```\n\nThis will set the ```Cache-Control``` and ```Pragma``` headers to stop caching. It will also set an ```Expires``` header of 0, effectively saying \"this has already expired.\"\n\nIf you want to remove the ```ETag``` header as well, you can:\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cNoCacheMiddleware\u003e(new NoCacheOptions\n    {\n      NoEtag = true\n    });\n    //...\n  }\n}\n```\n\nCaching has some real benefits, and you lose them here. Browsers won't cache resources with this enabled, although _some_ performance is retained if you keep ETag support. 
It's also possible that you'll introduce new bugs and wish people still had the old resources cached, but that's less likely.\n\n## IE, restrict untrusted HTML\n\nThis middleware sets the ```X-Download-Options``` header to ```noopen``` to prevent IE users from executing downloads in your site's context.\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cIeNoOpenMiddleware\u003e();\n    //...\n  }\n}\n```\n\nSome web applications will serve untrusted HTML for download. By default, some versions of IE will allow you to open those HTML files in the _context of your site_, which means that an untrusted HTML page could start doing bad things in the context of your pages. For more, see [this MSDN blog post](http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx).\n\nThis is pretty obscure, fixing a small bug on IE only. There are no real drawbacks other than the small bandwidth cost of setting the header, though.\n\n## Frameguard middleware\n\n**Trying to prevent:** Your page being put in a `\u003cframe\u003e` or `\u003ciframe\u003e` without your consent. This helps to prevent things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking).\n\n**How we mitigate this:** The `X-Frame-Options` HTTP header restricts who can put your site in a frame. It has three modes: `DENY`, `SAMEORIGIN`, and `ALLOW-FROM`. If your app does not need to be framed (and most don't), you can use the default `DENY`. If your site can be in frames from the same origin, you can set it to `SAMEORIGIN`. 
If you want to allow framing from a specific URL, you can allow that with `ALLOW-FROM` and a URL.\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // Don't allow me to be in ANY frames:\n    appBuilder.Use\u003cFrameGuardMiddleware\u003e(\"deny\");\n    //...\n  }\n}\n```\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // Only let me be framed by pages of the same origin:\n    appBuilder.Use\u003cFrameGuardMiddleware\u003e(\"SAMEORIGIN\");\n    //...\n  }\n}\n```\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // Allow from a specific host:\n    appBuilder.Use\u003cFrameGuardMiddleware\u003e(\"allow-from\", \"http://example.com\");\n    //...\n  }\n}\n```\n\n**Limitations:** This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. It only protects against a certain class of attack, but does so pretty well. It also prevents your site from being framed, which you might want for legitimate reasons.\n\n\n## Hide powered by\n\nSimple middleware to remove the `X-Powered-By` HTTP header if it's set.\n\nAttackers can exploit known vulnerabilities in .NET web apps if they see that your site is powered by .NET (or whichever framework you use). For example, `X-Powered-By: aspnet/mvc` is sent in every HTTP response from .NET, by default.\n\nThe `HidePoweredByHeaderMiddleware` will remove the `X-Powered-By` header if it is set.\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cHidePoweredByHeaderMiddleware\u003e();\n    //...\n  }\n}\n```\n\nYou can also explicitly set the header to something else, if you want. 
This could throw people off:\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // omitted for brevity\n    appBuilder.Use\u003cHidePoweredByHeaderMiddleware\u003e(new HidePoweredOptions { SetTo = \"steampowered\" });\n    //...\n  }\n}\n```\n\n## CrossDomain\n\nAdobe defines [the spec for crossdomain.xml](http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html), a policy file that grants some Adobe products (like Flash) read access to resources on your domain. An unrestrictive policy could let others load things off your domain that you don't want.\n\nTo serve up a restrictive policy:\n\n```csharp\nappBuilder.Use\u003cCrossDomainMiddleware\u003e();\n```\n\nThis serves the policy at `/crossdomain.xml`. By default, the path match is case-insensitive. To make it case-sensitive:\n\n```csharp\nappBuilder.Use\u003cCrossDomainMiddleware\u003e(new CrossDomainOptions()\n{\n  CaseSensitive = true\n});\n// This will now ONLY match all-lowercase /crossdomain.xml.\n```\n\nThis doesn't make you wildly more secure, but it does help to keep Flash from loading things that you don't want it to. 
You might also *want* some of this behavior, in which case you should make your own less-restrictive policy and serve it.\n\n\n## Permanent Redirect middleware\n\n```csharp\npublic class Startup\n{\n  public void Configuration(IAppBuilder appBuilder)\n  {\n    // Some other configuration.\n\n    appBuilder.Use\u003cPermanentRedirectMiddleware\u003e(new PermanentRedirectOptions()\n    {\n      RedirectRules = new List\u003cRedirectRule\u003e()\n      {\n        new RedirectRule(\"http://localhost:9000/test\", \"http://localhost:9000/test/r\"),\n        new RedirectRule(\"http://localhost:9000/test2\", \"http://localhost:9000/test2/r\")\n      }\n    });\n  }\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbugthesystem%2Fhelmet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbugthesystem%2Fhelmet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbugthesystem%2Fhelmet/lists"}