https://github.com/ajtatum/babou.aspnetcore.securityextensions

Babou is concerned about security, so I created a .NET Standard 2.0 Security Extensions package for him. Babou is from the TV show Archer and is not affiliated with this package.
asp-net-core babou dotnet dotnetcore dotnetcore3 http-headers security


README

![alt text](https://raw.githubusercontent.com/ajtatum/Babou.AspNetCore.SecurityExtensions/master/assets/Babou-150x150.png "Babou loves security!")

# **Babou.AspNetCore.SecurityExtensions**

[![Build status](https://ci.appveyor.com/api/projects/status/3erthjnqds2fb6x7?svg=true)](https://ci.appveyor.com/project/ajtatum/babou-aspnetcore-securityextensions)

Contains a set of extensions which can help you make your web applications more secure.

## **Install**

View the NuGet at https://www.nuget.org/packages/Babou.AspNetCore.SecurityExtensions/

* **Package Manager:** Install-Package Babou.AspNetCore.SecurityExtensions
* **.NET CLI:** dotnet add package Babou.AspNetCore.SecurityExtensions

## **Table of contents**

**Tag Helpers**

- NoOpener
- Subresource Integrity
- Upgrade Insecure Resources

**Middlewares**

- Features
- Redirect Policy
- Require Authenticated Identity
- Headers
- Content Security Policy
- CustomHeaders
- Expect CT
- Feature Policy
- Frame Options
- HTTP Public Key Pinning
- Referrer Policy
- Report To
- X-Content-Type-Options
- X-Download-Options
- X-Permitted-Cross-Domain-Policies
- X-Robots-Tag
- X-UA-Compatible
- X-XSS-Protection

## **Features**

### **Content-Security-Policy**

Adds the `Content-Security-Policy` headers to responses with content type `text/html`.

```csharp
app.UseContentSecurityPolicy(new CspDirectiveList
{
    DefaultSrc = CspDirective.None,
    StyleSrc = StyleCspDirective.Self,
    ScriptSrc = ScriptCspDirective.Self
        .AddSource(new Uri("https://az416426.vo.msecnd.net/")), // Application Insights
    ImgSrc = CspDirective.Self
        .AddDataScheme(),
    FontSrc = CspDirective.Self,
    ConnectSrc = CspDirective.Empty
        .AddSource(new Uri("https://dc.services.visualstudio.com/")),
});
```

### **Cross Origin Resource Sharing**

Use the built-in support in ASP.NET Core 3.0.

### **Custom Headers**

Add or remove any header that you'd like.

```csharp
app.AddCustomHeaders("headerName", "headerValue");
```

```csharp
app.RemoveHeader("headerName");
```

### **Expect-CT**

Adds the `Expect-CT` header which allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements.

```csharp
app.UseExpectCT(enforce: true, maxAge: TimeSpan.FromHours(1));
```

### **Feature-Policy**

Adds the `Feature-Policy` header to responses with content type `text/html`.

```csharp
app.UseFeaturePolicy(
    new FeatureDirectiveList()
        .Add(PolicyFeature.Payment, "https://payment.example.org/")
        .AddNone(PolicyFeature.Microphone)
        .AddSelf(PolicyFeature.FullScreen)
);
```

### **Frame Options**

Adds the `Frame-Options` and `X-Frame-Options` headers to responses with content type `text/html`.

```csharp
app.UseFrameOptions(FrameOptionsPolicy.Deny);
```

If you want to enable displaying the page in a frame on a particular origin, you can set it like this:

```csharp
app.UseFrameOptions(new Uri("https://www.example.org"));
```

### **HTTP Strict Transport Security**

Use the built-in support in ASP.NET Core 3.0.

### **HTTP Public Key Pinning**

Adds the `Public-Key-Pinning` header to all responses.

```csharp
// fingerprint1 / fingerprint2: the base64-encoded SHA-256 hashes of the pinned public keys
app.UseHttpPublicKeyPinning(options => options
    .Pin(fingerprint1, HttpPublicKeyPinningHashAlgorithm.Sha256)
    .Pin(fingerprint2, HttpPublicKeyPinningHashAlgorithm.Sha256)
);
```

### **NoOpener**

A tag helper that adds the missing `noopener` link relationship type to your `a` tags that open in another frame and don't reference the same origin.

Add an import for the tag helper (in your `_ViewImports.cshtml` if you have one):

```cshtml
@addTagHelper *, Babou.AspNetCore.SecurityExtensions.NoOpener
```

You don't need any additional changes, the tag helper applies to all links, for example:

```html
<a href="https://www.example.org/" target="_blank">Click here</a>
```

And adds the missing `rel` attribute:

```html
<a href="https://www.example.org/" target="_blank" rel="noopener">Click here</a>
```

### **Redirect Policy**

Restricts server-side redirects only to trusted origins.

```csharp
app.UseRedirectPolicy();
```

You can also specify the trusted origins:

```csharp
app.UseRedirectPolicy(allowedBaseUris: "https://www.example.org");
```

### **Referrer Policy**

Adds the `Referrer-Policy` header to all responses.

```csharp
app.UseReferrerPolicy(ReferrerPolicy.SameOrigin);
```

### **Report-To**

Adds the `Report-To` header to all responses.

```csharp
app.UseReportTo(new ReportingGroup(
    maxAge: TimeSpan.FromDays(30),
    endpoint: "https://example.org/browser-report"
));
```

### **Require Authenticated Identity**

This is a middleware that you can use to require an authenticated identity on the `HttpContext` to proceed. For example, you can use this middleware to require authentication for static files.

```csharp
app.UseWhen(
    context => context.Request.Path.StartsWithSegments("/dist"),
    branch => branch.UseRequireAuthenticatedIdentity()
);
```

Notes:

- `401` is returned in case of no authenticated user
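The sections of this README show each middleware in isolation. As an added example (not code from the package or its author), the `Startup` below combines several of them in an order that applies the headers to static files as well and checks the identity before `/dist` can be served. It assumes the extension methods live in the `Babou.AspNetCore.SecurityExtensions` namespace, that `/dist` holds build output meant only for signed-in users, and cookie authentication.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Babou.AspNetCore.SecurityExtensions; // assumed: namespace of the package's extension methods

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddAuthentication("Cookies").AddCookie(); // any scheme works; cookies assumed here
        services.AddSubresourceIntegrity();                 // required by the Subresource Integrity tag helper
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHsts();             // built-in HSTS, as the README recommends (normally skipped in Development)
        app.UseHttpsRedirection();

        // Header middlewares go first so every response below, static files included, carries them.
        app.UseContentSecurityPolicy(new CspDirectiveList
        {
            DefaultSrc = CspDirective.None,
            ScriptSrc = ScriptCspDirective.Self,
            StyleSrc = StyleCspDirective.Self,
            ImgSrc = CspDirective.Self.AddDataScheme(),
            ConnectSrc = CspDirective.Self,
        });
        app.UseFrameOptions(FrameOptionsPolicy.Deny);
        app.UseReferrerPolicy(ReferrerPolicy.SameOrigin);
        app.UseXContentTypeOptions(XContentTypeOptions.NoSniff);
        app.UseXPermittedCrossDomainPolicies(PermittedCrossDomainPolicy.None);
        app.UseRedirectPolicy(allowedBaseUris: "https://www.example.org"); // example origin from the README

        // /dist (assumed: front-end build output) is only for signed-in users, so the identity
        // must be resolved and checked before UseStaticFiles gets a chance to serve it.
        app.UseAuthentication();
        app.UseWhen(
            context => context.Request.Path.StartsWithSegments("/dist"),
            branch => branch.UseRequireAuthenticatedIdentity()); // 401 when there is no authenticated identity

        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```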

### **Subresource Integrity**

A tag helper that computes the `integrity` attribute for linked styles and scripts from remote origins. It also adds the `crossorigin` attribute with `anonymous` value.

Add the required services (in your `Startup.cs`):

```csharp
services.AddSubresourceIntegrity();
```

Add an import for the tag helper (in your `_ViewImports.cshtml` if you have one):

```cshtml
@addTagHelper *, Babou.AspNetCore.SecurityExtensions.SubresourceIntegrity
```

You don't need any additional changes, the tag helper applies to styles and scripts, for example:

```html
<script src="https://cdn.example.org/lib.js"></script>
```

And adds the `integrity` and `crossorigin` attributes:

```html
<!-- the integrity value is the base64 SHA-256 hash the tag helper computes from the fetched resource -->
<script src="https://cdn.example.org/lib.js" integrity="sha256-<computed hash>" crossorigin="anonymous"></script>
```

Notes:

- If the `integrity` attribute is already included, it skips that element and doesn't compute and validate it.
- In case the remote resource is not available, a warning is logged and the integrity attribute is not included. Page rendering is not interrupted.
- The hash algorithm used is SHA-256.
- Hashes are cached in a memory cache indefinitely.

### **Upgrade Insecure Resources**

A tag helper that upgrades insecure links, style, script and image references to HTTPS.

Add an import for the tag helper (in your `_ViewImports.cshtml` if you have one):

```cshtml
@addTagHelper *, Babou.AspNetCore.SecurityExtensions.UpgradeInscureResources
```

You don't need any additional changes, the tag helper applies to all `href` and `src` attributes:

```html
<a href="http://www.example.org/">Click here</a>
<img src="http://www.example.org/image.png">
```

Will be rewritten to:

```html
<a href="https://www.example.org/">Click here</a>
<img src="https://www.example.org/image.png">
```

### **X-Content-Type-Options**

Adds the `X-Content-Type-Options` header to all responses.

```csharp
app.UseXContentTypeOptions(XContentTypeOptions.NoSniff);
```

### **X-Download-Options**

Adds the `X-Download-Options` header to each file download.

```csharp
app.UseXDownloadOptions(XDownloadOptions.NoOpen);
```

### **X-Permitted-Cross-Domain-Policies**

Adds the `X-Permitted-Cross-Domain-Policies` header to all responses.

```csharp
app.UseXPermittedCrossDomainPolicies(PermittedCrossDomainPolicy.None);
```

### **X-Robots-Tag**

Adds the `X-Robots-Tag` header to all responses.

```csharp
app.UseXRobotsTag(noIndex: true, noFollow: true);
```

### **X-UA-Compatible**

Adds the `X-UA-Compatible` header to each response with `text/html` media type.

```csharp
app.UseXUACompatible(InternetExplorerCompatibiltyMode.Edge);
```

### **X-XSS-Protection**

Adds the `X-XSS-Protection` header to each response with `text/html` media type. The default setting enables protection and sets it to `block` mode.

```csharp
app.UseXXSSProtection();
```
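Headers that are configured but never checked tend to disappear during refactoring. As an added example, not part of the package, the xunit test below uses `Microsoft.AspNetCore.Mvc.Testing` to start the application in memory and asserts that the `Content-Security-Policy`, `X-Frame-Options`, `Referrer-Policy` and `X-Content-Type-Options` headers, and the `401` from `UseRequireAuthenticatedIdentity` on `/dist`, actually reach the client. It assumes a `Startup` that wires those middlewares as shown in this README (with `DefaultSrc = CspDirective.None`) and that the package emits the standard header values.

```csharp
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Startup is assumed to be the application's own class that registers the middlewares from this README.
public class SecurityHeadersTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly HttpClient _client;

    public SecurityHeadersTests(WebApplicationFactory<Startup> factory)
    {
        // No auto-redirect: an unexpected redirect should fail the test instead of being followed silently.
        _client = factory.CreateClient(new WebApplicationFactoryClientOptions { AllowAutoRedirect = false });
    }

    [Fact]
    public async Task HtmlPage_CarriesTheConfiguredHeaders()
    {
        HttpResponseMessage response = await _client.GetAsync("/");
        response.EnsureSuccessStatusCode();

        // Headers the README documents as added to all responses. Values are compared case-insensitively,
        // because the exact casing the package emits is not documented.
        Assert.Equal("nosniff", Assert.Single(response.Headers.GetValues("X-Content-Type-Options")), ignoreCase: true);
        Assert.Equal("same-origin", Assert.Single(response.Headers.GetValues("Referrer-Policy")), ignoreCase: true);
        Assert.Equal("deny", Assert.Single(response.Headers.GetValues("X-Frame-Options")), ignoreCase: true);

        // CSP is only added to text/html responses, so "/" must render HTML, and the policy must start locked down.
        string csp = Assert.Single(response.Headers.GetValues("Content-Security-Policy"));
        Assert.Contains("default-src 'none'", csp);
    }

    [Fact]
    public async Task ProtectedStaticFile_Returns401WithoutAnIdentity()
    {
        // "/dist" is branched through UseRequireAuthenticatedIdentity; the file does not even need to exist,
        // because the middleware short-circuits before UseStaticFiles runs.
        HttpResponseMessage response = await _client.GetAsync("/dist/app.js");
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }
}
```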

#### Developed by AJ Tatum

[![ajtatum.com](https://img.icons8.com/clouds/50/000000/domain.png "ajtatum.com")](https://ajtatum.com/?utm_source=github&utm_medium=website&utm_campaign=babou_security)

[Icons by Icons8](https://icons8.com/)