{"id":20411858,"url":"https://github.com/markopapic/aspnetcoresecurityheaders","last_synced_at":"2025-09-23T06:39:00.042Z","repository":{"id":143393597,"uuid":"170543051","full_name":"MarkoPapic/AspNetCoreSecurityHeaders","owner":"MarkoPapic","description":"A set of Asp.Net Core middlewares for adding security headers to ASP.NET Core web apps.","archived":false,"fork":false,"pushed_at":"2019-03-11T18:46:50.000Z","size":116,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-20T20:22:20.047Z","etag":null,"topics":["asp-net-core","content-security-policy","expect-ct","feature-policy","public-key-pinning","referrer-policy","security","security-headers","strict-transport-security","x-content-type-options","x-frame-options","x-xss-protection"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MarkoPapic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-13T16:45:23.000Z","updated_at":"2025-06-09T15:08:54.000Z","dependencies_parsed_at":"2023-06-09T00:45:19.975Z","dependency_job_id":null,"html_url":"https://github.com/MarkoPapic/AspNetCoreSecurityHeaders","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/MarkoPapic/AspNetCoreSecurityHeaders","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPapic%2FAspNetCoreSecurityHeaders","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoP
apic%2FAspNetCoreSecurityHeaders/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPapic%2FAspNetCoreSecurityHeaders/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPapic%2FAspNetCoreSecurityHeaders/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MarkoPapic","download_url":"https://codeload.github.com/MarkoPapic/AspNetCoreSecurityHeaders/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarkoPapic%2FAspNetCoreSecurityHeaders/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276531297,"owners_count":25658697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-23T02:00:09.130Z","response_time":73,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["asp-net-core","content-security-policy","expect-ct","feature-policy","public-key-pinning","referrer-policy","security","security-headers","strict-transport-security","x-content-type-options","x-frame-options","x-xss-protection"],"created_at":"2024-11-15T05:54:14.105Z","updated_at":"2025-09-23T06:39:00.009Z","avatar_url":"https://github.com/MarkoPapic.png","language":"C#","readme":"# MarkoPapic.AspNetCoreSecurityHeaders\n\n[![Build 
Status](https://travis-ci.org/MarkoPapic/AspNetCoreSecurityHeaders.svg?branch=master)](https://travis-ci.org/MarkoPapic/AspNetCoreSecurityHeaders)\n\n[![NuGet Version](https://img.shields.io/nuget/vpre/MarkoPapic.AspNetCoreSecurityHeaders.svg)](https://www.nuget.org/packages/MarkoPapic.AspNetCoreSecurityHeaders/)\n\nA set of Asp.Net Core middlewares for adding security headers to ASP.NET Core web apps.\n\nThe library allows you to add the following HTTP security headers:\n\n* `Content-Security-Policy`\n* `Expect-CT`\n* `Public-Key-Pins`\n* `Referrer-Policy`\n* `Strict-Transport-Security`\n* `X-Content-Type-Options`\n* `X-Frame-Options`\n* `X-Permitted-Cross-Domain-Policies`\n* `X-XSS-Protection`\n\n\n## Installation\n\nVisual Studio Package Manager Console:\n\n```\nInstall-Package MarkoPapic.AspNetCoreSecurityHeaders -Version 0.1.0\n```\n\ndotnet CLI:\n\n```\ndotnet add package MarkoPapic.AspNetCoreSecurityHeaders --version 0.1.0\n```\n\n\n## Usage\n\nYou can add security headers by adding middlewares to your Asp.Net Core pipeline:\n\n```cs\npublic void Configure(IApplicationBuilder app, IHostingEnvironment env)\n{\n\tapp.UseXssProtection();\n\t//other middlewares\n}\n```\n\n\n### Content-Security-Policy\n\nYou can add the `Content-Security-Policy` header using the `UseCsp` extension method:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.DefaultSources.AllowSelf();\n\tx.ScriptSources.AllowSelf().AllowHosts(\"https://example1.com\", \"https://example2.com\");\n\tx.StyleSources.AllowHash(\"sha256\", \"Q0E0NTUyMzFGRTJFRUYyNkM1Mjg4ODJBREE0ODNDQTY2Mzc2OTYzQ0U2OUZDNEE5RjMyMDI0NzlGQjExNTgwMg==\");\n\tx.FrameAncestors.AllowNone();\n\tx.PluginTypes.AllowMimeType(\"application/x-java-applet\");\n\tx.AddReportingGroup(rg =\u003e {\n\t\trg.Group = \"examplegroup\";\n\t\trg.Endpoints.Add(new ReportGroupEndpoint(\"https://reportserver.com/report\"));\n\t\trg.IncludeSubdomains = true;\n\t});\n});\n```\n\nThe above example would result in the following HTTP headers being added to the HTTP 
response:\n```\nContent-Security-Policy: default-src 'self'; script-src 'self' https://example1.com https://example2.com; style-src 'sha256-Q0E0NTUyMzFGRTJFRUYyNkM1Mjg4ODJBREE0ODNDQTY2Mzc2OTYzQ0U2OUZDNEE5RjMyMDI0NzlGQjExNTgwMg=='; plugin-types application/x-java-applet; frame-ancestors 'none'; report-to examplegroup\n\nReport-To: {\"group\":\"examplegroup\",\"max_age\":0,\"include_subdomains\":true,\"endpoints\":[{\"url\":\"https://reportserver.com/report\",\"priority\":0,\"weight\":0}]}\n```\n\nThree things to check before copying this example. A hash source has to be the Base64 encoding of the raw digest of the element's exact text (44 characters for SHA-256), not the Base64 encoding of a hex string, and browsers compare it with the inline content byte for byte, so any whitespace change invalidates it. `plugin-types` has been removed from browsers; `x.ObjectSources.AllowNone()` is the supported way to keep plugin content out. And the Reporting API treats a `Report-To` group whose `max_age` is 0 as removed, so no reports will arrive until the group carries a positive `max_age`.\n\n\n#### connect-src Directive\n\nYou can set up the `connect-src` directive of the `Content-Security-Policy` header using the `ConnectSources` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.ConnectSources.AllowSelf().AllowHosts(\"https://example1.com\", \"https://example2.com\");\n});\n```\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowSelf()`  | Adds `self` to the directive value.  |\n| `AllowAny()`  | Adds `*` to the directive value.  |\n| `AllowHosts(params string[] hosts)`  | Adds host/s to the directive value.  |\n| `AllowSchemas(params string[] schemas)`  | Adds scheme/s to the directive value.  |\n| `AllowUnsafeInline()`  | Adds `unsafe-inline` to the directive value. On `script-src` this disables the protection against injected inline scripts, which is the main point of the policy.  |\n| `AllowUnsafeEval()`  | Adds `unsafe-eval` to the directive value.  |\n| `AllowNonce(ICspNonceService nonceService)`  | Adds the nonce (for specific inline scripts) to the directive value. You should provide the implementation of the `ICspNonceService` interface, that will be used to generate the nonce; the nonce has to be unpredictable and fresh for every response, or it is no better than `unsafe-inline`.  |\n| `AllowHash(string item)`  | Adds the hash of the script or style to the directive value.  |\n| `AllowHash(string algorithm, string hashedSource)`  | Adds the hash of the script or style to the directive value.  |\n| `WithStrictDynamic()`  | Adds the `strict-dynamic` to the directive value.  
|\n| `ReportSample()`  | Adds the `report-sample` to the directive value.  |\n\n\n#### default-src Directive\n\nYou can set up the `default-src` directive of the `Content-Security-Policy` header using the `DefaultSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### font-src Directive\n\nYou can set up the `font-src` directive of the `Content-Security-Policy` header using the `FontSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### frame-src Directive\n\nYou can set up the `frame-src` directive of the `Content-Security-Policy` header using the `FrameSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### img-src Directive\n\nYou can set up the `img-src` directive of the `Content-Security-Policy` header using the `ImgSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### manifest-src Directive\n\nYou can set up the `manifest-src` directive of the `Content-Security-Policy` header using the `ManifestSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### media-src Directive\n\nYou can set up the `media-src` directive of the `Content-Security-Policy` header using the `MediaSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### object-src Directive\n\nYou can set up the `object-src` directive of the `Content-Security-Policy` header using the `ObjectSources` property of the `CspOptionsBuilder`. 
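\n\n`object-src 'none'` is the single most important line in a policy: plugin content (Flash, Java, PDF viewers) is not covered by `script-src`, so leaving it open undoes the rest. The example below is added to this README and is not code from the project; it builds a deny-by-default policy with the `CspOptionsBuilder` API documented here and combines it with the HSTS and Referrer-Policy middlewares. The package namespace, the inline bootstrap script and the report endpoint URL are assumptions made for the example.\n\n```cs\n// Added example, not code from the MarkoPapic.AspNetCoreSecurityHeaders project.\n// Assumptions: the package namespace, the inline bootstrap script (constructed here)\n// and the report endpoint URL (a placeholder).\nusing System;\nusing System.Security.Cryptography;\nusing System.Text;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Hosting;\nusing MarkoPapic.AspNetCoreSecurityHeaders; // assumed namespace; check the package\n\npublic class Startup\n{\n\t// The only inline script the page may run: a loader that injects the real bundle.\n\t// The HTML must contain it byte for byte, or the hash below will not match.\n\tpublic const string BootstrapScript =\n\t\t\"var s=document.createElement('script');s.src='/js/app.js';document.head.appendChild(s);\";\n\n\t// CSP hash source for an inline script or style: Base64 of the raw SHA-256 digest\n\t// of the element's text (44 characters), not Base64 of a hex string.\n\tpublic static string CspSha256(string source)\n\t{\n\t\tusing (var sha = SHA256.Create())\n\t\t{\n\t\t\treturn Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(source)));\n\t\t}\n\t}\n\n\tpublic void Configure(IApplicationBuilder app, IHostingEnvironment env)\n\t{\n\t\t// Header middlewares first, so every response leaving the pipeline carries them.\n\t\tapp.UseCsp(x =\u003e\n\t\t{\n\t\t\tx.DefaultSources.AllowNone();                        // deny by default; each fetch directive opts in\n\t\t\tx.ScriptSources.AllowHash(\"sha256\", CspSha256(BootstrapScript)); // static inline loader, hashed once at startup\n\t\t\tx.ScriptSources.WithStrictDynamic();                 // scripts the loader injects inherit its trust\n\t\t\tx.StyleSources.AllowSelf();\n\t\t\tx.ImgSources.AllowSelf();\n\t\t\tx.FontSources.AllowSelf();\n\t\t\tx.ConnectSources.AllowSelf();\n\t\t\tx.ObjectSources.AllowNone();                         // no plugin content at all\n\t\t\tx.BaseUri.AllowSelf();                               // stops \u003cbase\u003e injection from rerouting relative URLs\n\t\t\tx.FormAction.AllowSelf();                            // forms may only submit to this origin\n\t\t\tx.FrameAncestors.AllowNone();                        // clickjacking defence\n\t\t\tx.UpgradeInsecureRequests();\n\t\t\tx.AddReportingGroup(rg =\u003e\n\t\t\t{\n\t\t\t\trg.Group = \"csp\";\n\t\t\t\trg.Endpoints.Add(new ReportGroupEndpoint(\"https://reports.example.com/csp\")); // placeholder\n\t\t\t});\n\t\t});\n\t\t// One year and includeSubDomains are the minimum the HSTS preload list accepts.\n\t\tapp.UseHsts(x =\u003e { x.MaxAge = TimeSpan.FromDays(365); x.IncludeSubDomains = true; });\n\t\tapp.UseReferrerPolicy(ReferrerPolicyOptions.StrictOriginWhenCrossOrigin);\n\n\t\tapp.UseStaticFiles();\n\t\tapp.UseMvc();\n\t}\n}\n```\n\nRender the loader in the layout from the same constant (`\u003cscript\u003e@Html.Raw(Startup.BootstrapScript)\u003c/script\u003e`) so that markup and hash cannot drift, and check the result with `curl -sI https://localhost:5001/`: the `Content-Security-Policy` value should contain the `'sha256-...'` source and `'strict-dynamic'` under `script-src`, plus `object-src 'none'` and `frame-ancestors 'none'`. A nonce would have to be regenerated for every response; a hash works here only because the loader is static.\n\n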
The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### prefetch-src Directive\n\nYou can set up the `prefetch-src` directive of the `Content-Security-Policy` header using the `PrefetchSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### script-src Directive\n\nYou can set up the `script-src` directive of the `Content-Security-Policy` header using the `ScriptSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### style-src Directive\n\nYou can set up the `style-src` directive of the `Content-Security-Policy` header using the `StyleSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### webrtc-src Directive\n\nYou can set up the `webrtc-src` directive of the `Content-Security-Policy` header using the `WebRtcSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### worker-src Directive\n\nYou can set up the `worker-src` directive of the `Content-Security-Policy` header using the `WorkerSources` property of the `CspOptionsBuilder`. The setup is the same as for `connect-src` directive (and any other fetch directive).\n\n\n#### base-uri Directive\n\nYou can set up the `base-uri` directive of the `Content-Security-Policy` header using the `BaseUri` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.BaseUri.AllowSelf().AllowHosts(\"https://example1.com\", \"https://example2.com\");\n});\n```\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowSelf()`  | Adds `self` to the directive value.  
|\n| `AllowAny()`  | Adds `*` to the directive value.  |\n| `AllowHosts(params string[] hosts)`  | Adds host/s to the directive value.  |\n| `AllowSchemas(params string[] schemas)`  | Adds schema/s to the directive value.  |\n| `AllowUnsafeInline()`  | Adds `unsafe-inline` to the directive value.  |\n| `AllowUnsafeEval()`  | Adds `unsafe-eval` to the directive value.  |\n| `AllowNonce(ICspNonceService nonceService)`  | Adds the nonce (for specific inline scripts) to the directive value. You should provide the implementation of the `ICspNonceService` interface, that will be used to generate the nonce.  |\n| `AllowHash(string item)`  | Adds the hash of the script or style to the directive value.  |\n| `AllowHash(string algorithm, string hashedSource)`  | Adds the hash of the script or style to the directive value.  |\n| `WithStrictDynamic()`  | Adds the `strict-dynamic` to the directive value.  |\n| `ReportSample()`  | Adds the `report-sample` to the directive value.  |\n\n\n#### plugin-types Directive\n\nYou can set up the `plugin-types` directive of the `Content-Security-Policy` header using the `PluginTypes` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.PluginTypes.AllowMimeType(\"application/x-java-applet\");\n});\n```\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowAny()`  | Sets the directive value to `*`.  |\n| `AllowMimeType(string mimeType)`  | Adds the specified MIME type to the directive value.  
|\n\n\n#### sandbox Directive\n\nYou can set up the `sandbox` directive of the `Content-Security-Policy` header using the `Sandbox` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.Sandbox.AllowPopups();\n});\n```\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowAny()`  | Sets the directive value to `*`.  |\n| `AllowForms()`  | Adds `allow-forms` to the directive value.  |\n| `AllowModals()`  | Adds `allow-modals` to the directive value.  |\n| `AllowOrientationLock()`  | Adds `allow-orientation-lock` to the directive value.  |\n| `AllowPointerLock()`  | Adds `allow-pointer-lock` to the directive value.  |\n| `AllowPopups()`  | Adds `allow-popups` to the directive value.  |\n| `AllowPopupsToEscapeSandbox()`  | Adds `allow-popups-to-escape-sandbox` to the directive value.  |\n| `AllowPresentation()`  | Adds `allow-presentation` to the directive value.  |\n| `AllowSameOrigin()`  | Adds `allow-same-origin` to the directive value.  |\n| `AllowScripts()`  | Adds `allow-scripts` to the directive value.  |\n| `AllowTopNavigation()`  | Adds `allow-top-navigation` to the directive value.  |\n\n\n#### form-action Directive\n\nYou can set up the `form-action` directive of the `Content-Security-Policy` header using the `FormAction` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.FormAction.AllowSelf().AllowHosts(\"https://example1.com\", \"https://example2.com\");\n});\n```\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowSelf()`  | Adds `self` to the directive value.  |\n| `AllowAny()`  | Adds `*` to the directive value.  |\n| `AllowHosts(params string[] hosts)`  | Adds host/s to the directive value.  
|\n| `AllowSchemas(params string[] schemas)`  | Adds scheme/s to the directive value.  |\n| `AllowUnsafeInline()`  | Adds `unsafe-inline` to the directive value.  |\n| `AllowUnsafeEval()`  | Adds `unsafe-eval` to the directive value.  |\n| `AllowNonce(ICspNonceService nonceService)`  | Adds the nonce (for specific inline scripts) to the directive value. You should provide the implementation of the `ICspNonceService` interface, that will be used to generate the nonce.  |\n| `AllowHash(string item)`  | Adds the hash of the script or style to the directive value.  |\n| `AllowHash(string algorithm, string hashedSource)`  | Adds the hash of the script or style to the directive value.  |\n| `WithStrictDynamic()`  | Adds the `strict-dynamic` to the directive value.  |\n| `ReportSample()`  | Adds the `report-sample` to the directive value.  |\n\n\n#### frame-ancestors Directive\n\nYou can set up the `frame-ancestors` directive of the `Content-Security-Policy` header using the `FrameAncestors` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.FrameAncestors.AllowSelf().AllowHosts(\"https://example1.com\", \"https://example2.com\");\n});\n```\n\n`frame-ancestors` is the clickjacking control that supersedes `X-Frame-Options`: a browser that understands it ignores `X-Frame-Options` when both are present, so a page that must never be embedded should use `AllowNone()`.\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `AllowNone()`  | Sets the directive value to `none`.  |\n| `AllowSelf()`  | Adds `self` to the directive value.  |\n| `AllowAny()`  | Adds `*` to the directive value.  |\n| `AllowHosts(params string[] hosts)`  | Adds host/s to the directive value.  |\n| `AllowSchemas(params string[] schemas)`  | Adds scheme/s to the directive value.  
|\n\n\n#### block-all-mixed-content Directive\n\nYou can set up the `block-all-mixed-content` directive of the `Content-Security-Policy` header by calling the `BlockAllMixedContent()` method of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.BlockAllMixedContent();\n});\n```\n\nThis method will add the `block-all-mixed-content` directive to the `Content-Security-Policy` header. The directive is deprecated now that browsers block or auto-upgrade mixed content by default; prefer `upgrade-insecure-requests`, which fixes the insecure subresources instead of just breaking them.\n\n\n#### require-sri-for Directive\n\nYou can add the `require-sri-for` directive to the `Content-Security-Policy` header using the `RequireSriFor` property of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.RequireSriFor.Script();\n});\n```\n\n`require-sri-for` never left the draft stage; it was only ever available behind browser flags and has since been removed, so do not rely on it. Put `integrity` attributes on the `\u003cscript\u003e` and `\u003clink\u003e` tags themselves, which is what the directive was meant to enforce.\n\nYou can use the following methods to set up the directive:\n\n| Method  | Description |\n| ------------- | ------------- |\n| `Script()`  | Sets the directive value to `script`.  |\n| `Style()`  | Sets the directive value to `style`.  |\n| `ScriptStyle()`  | Sets the directive value to `script style`.  |\n\n\n#### upgrade-insecure-requests Directive\n\nYou can add the `upgrade-insecure-requests` directive to the `Content-Security-Policy` header by calling the `UpgradeInsecureRequests()` method of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\tx.UpgradeInsecureRequests();\n});\n```\n\nThis method will add the `upgrade-insecure-requests` directive to the `Content-Security-Policy` header.\n\n\n#### report-to Directive\n\nYou can add the [reporting group](https://w3c.github.io/reporting/) for your Content Security Policy by calling the `AddReportingGroup(Action\u003cReportGroupOptions\u003e optionsAction)` method of the `CspOptionsBuilder`:\n\n```cs\napp.UseCsp(x =\u003e {\n\t// ...\n\tx.AddReportingGroup(rg =\u003e {\n\t\trg.Group = \"examplegroup\";\n\t\trg.Endpoints.Add(new ReportGroupEndpoint(\"https://reportserver.com/report\"));\n\t\trg.IncludeSubdomains = true;\n\t});\n});\n```\n\n`report-to` is only honoured by browsers that implement the Reporting API; others ignore it and send nothing, so confirm that violation reports actually reach the endpoint before reading their absence as proof that the policy is clean. This will add the appropriate `report-to` directive to the `Content-Security-Policy` header, as well as the `Report-To` 
header.\n\n\n### Expect-CT\n\nYou can add the `Expect-CT` header using the `UseExpectCt` extension method:\n\n```cs\napp.UseExpectCt(x =\u003e x.SetMaxAge(TimeSpan.FromDays(1)).Enforce());\n```\n\nThe above example would result in the following HTTP header being added to the HTTP response:\n\n```\nExpect-CT: enforce, max-age=86400\n```\n\n`Expect-CT` is obsolete: Certificate Transparency has been required for every publicly trusted certificate issued since April 2018, so browsers enforce it without the header and have since dropped support for it. Sending it is harmless but buys nothing.\n\n\n#### max-age Directive\n\nYou can set the `max-age` directive to the `Expect-CT` header by calling the `SetMaxAge(TimeSpan maxAge)` method of the `ExpectCtOptionsBuilder`:\n\n```cs\napp.UseExpectCt(x =\u003e x.SetMaxAge(TimeSpan.FromDays(2)));\n```\n\nThe default value for the `max-age` directive is 1 day.\n\n\n#### enforce Directive\n\nYou can add the `enforce` directive to the `Expect-CT` header by calling the `Enforce()` method of the `ExpectCtOptionsBuilder`:\n\n```cs\napp.UseExpectCt(x =\u003e x.Enforce());\n```\n\n\n#### report-uri Directive\n\nYou can add the `report-uri` directive to the `Expect-CT` header by calling the `SetReportUri(string reportUri)` method of the `ExpectCtOptionsBuilder`:\n\n```cs\napp.UseExpectCt(x =\u003e x.SetReportUri(\"https://reportserver.com/uri\"));\n```\n\n\n### Public-Key-Pins\n\nYou can add the `Public-Key-Pins` header using the `UseHpkp` extension method:\n\n```cs\napp.UseHpkp(x =\u003e x.AddPins(\"VGhpcyBpcyBzb21lIFN1YmplY3QgUHVibGljIEtleSBJbmZvcm1hdGlvbiBmaW5nZXJwcmludC4=\", \"QW5kIGFub3RoZXIgU3ViamVjdCBQdWJsaWMgS2V5IEluZm9ybWF0aW9uIGZpbmdlcnByaW50Lg==\")\n\t\t\t\t.SetMaxAge(TimeSpan.FromHours(3))\n\t\t\t\t.IncludeSubdomains());\n```\n\nThe above example would result in the following HTTP header being added to the HTTP response:\n\n```\nPublic-Key-Pins: pin-sha256=\"VGhpcyBpcyBzb21lIFN1YmplY3QgUHVibGljIEtleSBJbmZvcm1hdGlvbiBmaW5nZXJwcmludC4=\"; pin-sha256=\"QW5kIGFub3RoZXIgU3ViamVjdCBQdWJsaWMgS2V5IEluZm9ybWF0aW9uIGZpbmdlcnByaW50Lg==\"; max-age=10800; includeSubDomains\n```\n\nThink hard before enabling this header. HPKP (RFC 7469) is deprecated and no longer enforced by current browsers (Chrome removed it in version 72, early 2019, and Firefox in its own version 72, early 2020), and where it is enforced a wrong, rotated or expired pin locks returning visitors out of the whole site for `max-age`, with no server-side way to recover. The pin values above are placeholders: a real pin is the Base64 SHA-256 digest of a certificate's DER-encoded Subject Public Key Info, and the RFC requires at least one backup pin for a key that is not in the current chain. Certificate Transparency monitoring is the replacement.\n\n\n#### Adding Pins\n\nYou can add pins to the `Public-Key-Pins` header by calling the `AddPins(params 
string[] pins)` method of the `HpkpOptionsBuilder`:\n\n```cs\napp.UseHpkp(x =\u003e x.AddPins(\"VGhpcyBpcyBzb21lIFN1YmplY3QgUHVibGljIEtleSBJbmZvcm1hdGlvbiBmaW5nZXJwcmludC4=\"));\n```\n\n\n#### max-age Directive\n\nYou can set the `max-age` directive to the `Public-Key-Pins` header by calling the `SetMaxAge(TimeSpan maxAge)` method of the `HpkpOptionsBuilder`:\n\n```cs\napp.UseHpkp(x =\u003e x.AddPins(\"VGhpcyBpcyBzb21lIFN1YmplY3QgUHVibGljIEtleSBJbmZvcm1hdGlvbiBmaW5nZXJwcmludC4=\", \"QW5kIGFub3RoZXIgU3ViamVjdCBQdWJsaWMgS2V5IEluZm9ybWF0aW9uIGZpbmdlcnByaW50Lg==\")\n\t\t\t\t.SetMaxAge(TimeSpan.FromHours(3)));\n```\n\nThe default value for the `max-age` directive is 5 hours.\n\n\n#### includeSubDomains Directive\n\nYou can add the `includeSubDomains` directive to the `Public-Key-Pins` header by calling the `IncludeSubdomains()` method of the `HpkpOptionsBuilder`:\n\n```cs\napp.UseHpkp(x =\u003e x.AddPins(\"VGhpcyBpcyBzb21lIFN1YmplY3QgUHVibGljIEtleSBJbmZvcm1hdGlvbiBmaW5nZXJwcmludC4=\", \"QW5kIGFub3RoZXIgU3ViamVjdCBQdWJsaWMgS2V5IEluZm9ybWF0aW9uIGZpbmdlcnByaW50Lg==\")\n\t\t\t\t.IncludeSubdomains());\n```\n\n\n#### report-to Directive\n\nYou can add the [reporting group](https://w3c.github.io/reporting/) for your Public Key Pinning Extension by calling the `AddReportingGroup(Action\u003cReportGroupOptions\u003e optionsAction)` method of the `HpkpOptionsBuilder`:\n\n```cs\napp.UseHpkp(x =\u003e {\n\t// ...\n\tx.AddReportingGroup(rg =\u003e {\n\t\trg.Group = \"examplegroup\";\n\t\trg.Endpoints.Add(new ReportGroupEndpoint(\"https://reportserver.com/report\"));\n\t\trg.IncludeSubdomains = true;\n\t});\n});\n```\n\nThis will add the appropriate `report-to` directive to the `Public-Key-Pins` header, as well as the `Report-To` header.\n\n\n### Referrer-Policy\n\nYou can add the `Referrer-Policy` header using the `UseReferrerPolicy` extension method:\n\n```cs\napp.UseReferrerPolicy(ReferrerPolicyOptions.SameOrigin);\n```\n\nThe above example would result in the following HTTP 
header being added to the HTTP response:\n\n```\nReferrer-Policy: same-origin\n```\n\nThe `ReferrerPolicyOptions` enum supports the following values:\n\n| Value  | Description |\n| ------------- | ------------- |\n| `NoReferrerWhenDowngrade`  | Sets the directive value to `no-referrer-when-downgrade`.  |\n| `NoReferrer`  | Sets the directive value to `no-referrer`.  |\n| `Origin`  | Sets the directive value to `origin`.  |\n| `OriginWhenCrossOrigin`  | Sets the directive value to `origin-when-cross-origin`.  |\n| `SameOrigin`  | Sets the directive value to `same-origin`.  |\n| `StrictOrigin`  | Sets the directive value to `strict-origin`.  |\n| `StrictOriginWhenCrossOrigin`  | Sets the directive value to `strict-origin-when-cross-origin`.  |\n| `UnsafeUrl`  | Sets the directive value to `unsafe-url`.  |\n\n`StrictOriginWhenCrossOrigin` is the value browsers now default to and a sound choice for most sites; `UnsafeUrl` and `NoReferrerWhenDowngrade` send the full URL, query string included, to other origins, which leaks any token or identifier carried in it.\n\n\n### Strict-Transport-Security\n\nYou can add the `Strict-Transport-Security` header using the `UseHsts` extension method:\n\n```cs\napp.UseHsts();\n```\n\nThe above example would result in the following HTTP header being added to the HTTP response:\n\n```\nStrict-Transport-Security: max-age=2592000\n```\n\nBrowsers only honour this header on responses received over HTTPS, so it belongs behind a working TLS endpoint together with a redirect from plain HTTP. ASP.NET Core 2.1 and later ship their own `UseHsts()` and `UseHttpsRedirection()` in `Microsoft.AspNetCore.Builder`; if both that namespace and this package are imported, make sure you know which `UseHsts` the call resolves to.\n\n\n#### max-age Directive\n\nYou can set the `max-age` directive to the `Strict-Transport-Security` header by setting the `MaxAge` property of the `HstsOptions`:\n\n```cs\napp.UseHsts(x =\u003e { x.MaxAge = TimeSpan.FromDays(20); });\n```\n\nThe default value for the `max-age` directive is 30 days.\n\n\n#### includeSubDomains Directive\n\nYou can add the `includeSubDomains` directive to the `Strict-Transport-Security` header by setting the `IncludeSubDomains` property of the `HstsOptions`:\n\n```cs\napp.UseHsts(x =\u003e { x.IncludeSubDomains = true; });\n```\n\nEvery subdomain must then be reachable over HTTPS, including ones that are not web servers today: a browser that has seen the directive refuses plain HTTP to all of them for `max-age`.\n\n\n#### preload Directive\n\nYou can add the `preload` directive to the `Strict-Transport-Security` header by setting the `Preload` property of the `HstsOptions`:\n\n```cs\napp.UseHsts(x =\u003e { x.Preload = true; });\n```\n\nThe `preload` token is a request to be hard-coded into browsers via [hstspreload.org](https://hstspreload.org), which accepts only a `max-age` of at least one year (31536000 seconds, so the 30-day default does not qualify) together with `includeSubDomains`. Removal from the list takes months to reach users, so treat preloading as permanent.\n\n\n### X-Content-Type-Options\n\nDocumentation in progress.\n\n\n### 
X-Frame-Options\n\nDocumentation in progress. `frame-ancestors` in `Content-Security-Policy` supersedes this header, and browsers that support it ignore `X-Frame-Options` when both are present, but the older header is still worth sending for clients that do not.\n\n\n### X-Permitted-Cross-Domain-Policies\n\nDocumentation in progress.\n\n\n### X-XSS-Protection\n\nDocumentation in progress. This header is obsolete: the XSS auditor it controlled has been removed from Chrome and Edge and never existed in Firefox, and its `1; mode=block` behaviour was itself abused to leak cross-site information. If the header is sent at all, the only safe value is `0`; a real `Content-Security-Policy` is the replacement.\n\n\n## Building From Source\n\n```\ngit clone https://github.com/MarkoPapic/AspNetCoreSecurityHeaders.git\ncd AspNetCoreSecurityHeaders\ndotnet restore\ndotnet build ./MarkoPapic.AspNetCoreSecurityHeaders.sln\ndotnet test ./MarkoPapic.AspNetCoreSecurityHeaders.UnitTests/\n```\n\n\n## License\n\n[MIT License](https://github.com/MarkoPapic/AspNetCoreSecurityHeaders/blob/master/LICENSE.txt)","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkopapic%2Faspnetcoresecurityheaders","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarkopapic%2Faspnetcoresecurityheaders","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarkopapic%2Faspnetcoresecurityheaders/lists"}