About

OwaspHeaders.Core is an ASP.NET Core middleware that hardens a web application by adding the HTTP response headers recommended by the OWASP Secure Headers Project, with their recommended values, to every response generated by the ASP.NET Core pipeline.

Listing and commenting on the default values that this middleware provides is out of scope for this index page; each default value is described in the Configuration section.


This middleware DOES NOT SUPPORT BLAZOR OR WEBASSEMBLY APPLICATIONS. This is because setting up secure HTTP headers in a WebAssembly context is a non-trivial task.

.NET Version Support

OwaspHeaders.Core aims to keep in step with the official support lifecycle for .NET, so the supported versions of .NET (as of November 19th, 2024) are:

  • .NET 8
  • .NET 9

However, a number of previous releases can be found in the GitHub repository. Specifically:

Please see the .NET support lifecycle documentation for details: https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#lifecycle

Please note that backporting of features and fixes is not provided for this NuGet package. However, as described in the Security documentation in the repository, a sponsorship agreement could be reached under which supported features are backported.

Quick Start

Assuming that you have an ASP.NET Core project, add the NuGet package:

dotnet add package OwaspHeaders.Core

Then add the following to Program.cs, early in the pipeline (before routing, static-file or other middleware that can short-circuit a request), so that every response passes through it:

app.UseSecureHeadersMiddleware();

This adds the default set of HTTP headers to every response that passes through the middleware.
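A complete minimal Program.cs showing where the registration sits relative to the rest of the pipeline, as an added example rather than code from the OwaspHeaders.Core project. The using directive for the extension method (OwaspHeaders.Core.Extensions) is an assumption; confirm it against the package version you install.

```csharp
// Program.cs: added example, not the OwaspHeaders.Core project's own code.
// Assumption: the UseSecureHeadersMiddleware() extension lives in the
// OwaspHeaders.Core.Extensions namespace. Check this against your package.
using OwaspHeaders.Core.Extensions;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Register the secure-headers middleware first. ASP.NET Core middleware only
// runs for requests that reach it, so anything registered earlier that
// short-circuits the pipeline (static files, endpoint routing, exception
// pages) would otherwise produce responses that carry none of the headers.
app.UseSecureHeadersMiddleware();

// Placed after the header middleware so the 3xx redirect it issues also
// passes through it. Browsers only honour Strict-Transport-Security on an
// HTTPS response, so the copy on the plain-HTTP redirect is simply ignored.
app.UseHttpsRedirection();

// Static responses are served without reaching any later middleware, which
// is why the header middleware has to come before this call.
app.UseStaticFiles();

app.MapGet("/", () => "Hello from an endpoint with OWASP headers applied");

app.Run();
```

After starting the application, request any endpoint with an HTTP client that prints response headers (for example curl with -I) and confirm the headers in the sample below are present on both a dynamic endpoint and a static file; a missing header on static files is the usual symptom of registering the middleware too late.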

The following is an example of the response headers from version 9.1.0 (taken on November 19th, 2024):

strict-transport-security: max-age=31536000;includesubdomains
x-frame-options: deny
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
cross-origin-resource-policy: same-origin
cache-control: max-age=0,no-store
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: same-require-corp
x-xss-protection: 0

The above example contains only the headers added by the middleware; headers emitted by the server or reverse proxy (such as Server, Date and Content-Type) are omitted. One caveat: browsers recognise only unsafe-none, require-corp and credentialless as Cross-Origin-Embedder-Policy values, so check the value emitted by the version you deploy rather than relying on the sample above.

For a more detailed explanation of how to use the middleware, including how to configure it, see Configuration.

Included Headers

This project is a work-in-progress, and headers will be added in line with OWASP recommendations. PRs are welcome, and you can read about how to contribute here.

The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers:

Key:

  • ✅ means that the header, recommended value, and all of its options are implemented
  • ❌ means the header has not yet been implemented.

See the OWASP Secure Headers List for the most up-to-date list of recommended headers.

Server Header: A Warning

The default configuration for this middleware removes the X-Powered-By header, because advertising the server stack lets an attacker target attacks at known weaknesses of that specific infrastructure. The Server header, however, is added by the hosting server or reverse proxy (IIS, or Kestrel itself when it is exposed directly) rather than by application code, so removing it is out of scope for this middleware.

To remove the header that IIS adds, a web.config file is required (IIS 10 or later honours the removeServerHeader attribute), containing the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

The above XML is taken from this answer on ServerFault.

The web.config file must reach the server with the deployed application. If the project already contains a web.config, the ASP.NET Core publish step merges the aspNetCore handler into it; otherwise it generates one without this section, so keep the file in the project rather than editing it on the server by hand.
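The web.config setting above only affects IIS. When Kestrel is the edge server (or sits behind a non-IIS proxy such as nginx), Kestrel emits its own "Server: Kestrel" header, and the switch for that is KestrelServerOptions.AddServerHeader, a standard ASP.NET Core option. The following Program.cs fragment is an added example, not code from the OwaspHeaders.Core project.

```csharp
// Program.cs fragment: added example, not the OwaspHeaders.Core project's code.
// KestrelServerOptions.AddServerHeader (default true) controls whether Kestrel
// writes "Server: Kestrel" on every response. Setting it to false removes the
// header at the source, which is the only place it can be removed when no
// reverse proxy sits in front of Kestrel.
var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(options =>
{
    options.AddServerHeader = false;
});

var app = builder.Build();

app.MapGet("/", () => "no Server header from Kestrel");

app.Run();
```

Note that a reverse proxy in front of Kestrel adds its own Server header regardless of this setting; for nginx, server_tokens off hides the version but still sends "Server: nginx", so check the headers at the edge rather than at Kestrel when verifying the result.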