I have updated the module to automatically output the OWASP recommended security headers.
These headers are automatically added to the response but can be configured as required, or even disabled.
Code Configuration
services.AddJhooseSecurity(_configuration, (securityOptions) => { // define the XFrame Options mode securityOptions.XFrameOptions.Mode = XFrameOptionsEnum.SameOrigin; // disable HSTS securityOptions.StrictTransportSecurity.Enabled = false; });
Configuration via appSettings
"JhooseSecurity": { "ExclusionPaths": [ "/episerver" ], "HttpsRedirection": true, "StrictTransportSecurity": { "MaxAge": 31536000, "IncludeSubDomains": true }, "XFrameOptions": { "Enabled": false, "Mode": 0, "Domain": "" }, "XPermittedCrossDomainPolicies": { "Mode": 0 }, "ReferrerPolicy": { "Mode": 0 }, "CrossOriginEmbedderPolicy": { "Mode": 1 }, "CrossOriginOpenerPolicy": { "Mode": 2 }, "CrossOriginResourcePolicy": { "Mode": 1 } }
Managing the server header
The security module doesn’t remove the ‘server header’, this may seem strange, but the approach differs depending on how you are hosting your site. I have included some examples below.
Another consideration, if you are hosting your solution with Optimizely DXP then the CDN will automatically remove the header.
Kestrel
return Host.CreateDefaultBuilder(args) .ConfigureCmsDefaults() .ConfigureWebHostDefaults(webBuilder => { webBuilder.ConfigureKestrel(o => o.AddServerHeader = false); webBuilder.UseStartup<Startup>(); });
IIS
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <requestFiltering removeServerHeader="true" /> </security> </system.webServer> </configuration>
Installation
dotnet add package Jhoose.Security.Admin --version 1.1.1.89