I have updated the module to automatically output the OWASP recommended security headers.
These headers are automatically added to the response but can be configured as required, or even disabled.
Code Configuration
services.AddJhooseSecurity(_configuration, (securityOptions) =>
{
    // define the XFrame Options mode
    securityOptions.XFrameOptions.Mode = XFrameOptionsEnum.SameOrigin;

    // disable HSTS
    securityOptions.StrictTransportSecurity.Enabled = false;
});
Configuration via appSettings
"JhooseSecurity": {
    "ExclusionPaths": [ "/episerver" ],
    "HttpsRedirection": true,
    "StrictTransportSecurity": {
        "MaxAge": 31536000,
        "IncludeSubDomains": true
    },
    "XFrameOptions": {
        "Enabled": false,
        "Mode": 0,
        "Domain": ""
    },
    "XPermittedCrossDomainPolicies": {
        "Mode": 0
    },
    "ReferrerPolicy": {
        "Mode": 0
    },
    "CrossOriginEmbedderPolicy": {
        "Mode": 1
    },
    "CrossOriginOpenerPolicy": {
        "Mode": 2
    },
    "CrossOriginResourcePolicy": {
        "Mode": 1
    }
}
Managing the server header
The security module doesn’t remove the ‘Server’ header. This may seem strange, but the right approach differs depending on how you are hosting your site, so I have included some examples below.
Another consideration: if you are hosting your solution with Optimizely DXP, the CDN will automatically remove the header.
Kestrel
return Host.CreateDefaultBuilder(args)
    .ConfigureCmsDefaults()
    .ConfigureWebHostDefaults(webBuilder =>
    {
        // Kestrel adds "Server: Kestrel" by default; turn it off here
        webBuilder.ConfigureKestrel(o => o.AddServerHeader = false);
        webBuilder.UseStartup<Startup>();
    });
IIS
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
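Once the module is configured (the code and appSettings sections above) and the server header has been removed for your host (Kestrel or IIS), it is worth checking the live response rather than trusting the configuration. The script below is an added example, not part of the post or the Jhoose Security module: it audits a set of response headers for the header names that appear in the module's appSettings block, checks the HSTS directives against the MaxAge and IncludeSubDomains values shown there, and reports whether a Server header is still present. The sample header sets are constructed for illustration, and the allowed header values are the standard ones for each header, not anything read from the module; the mapping of the integer "Mode" values to header values is not assumed here.

```python
"""Audit an HTTP response for the security headers the module configures.

Added example, not code from the post or the Jhoose Security module.
Run with no arguments to audit the constructed sample, or pass a URL
to issue a HEAD request and audit the real response.
"""
import http.client
import re
import sys
from typing import Callable, Dict, Mapping
from urllib.parse import urlparse

# Values taken from the appSettings block in the post.
HSTS_MIN_MAX_AGE = 31536000
HSTS_REQUIRE_SUBDOMAINS = True


def _one_of(*allowed: str) -> Callable[[str], bool]:
    """Validator accepting exactly one of the listed (case-insensitive) values."""
    return lambda v: v.strip().lower() in allowed


def hsts_ok(value: str) -> bool:
    """Check max-age and includeSubDomains on a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";")]
    m = next((re.match(r"max-age=(\d+)$", d) for d in directives
              if d.startswith("max-age=")), None)
    if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        return False
    return (not HSTS_REQUIRE_SUBDOMAINS) or "includesubdomains" in directives


# Header names from the module's appSettings section, each with its valid values.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": _one_of("deny", "sameorigin"),
    "x-permitted-cross-domain-policies": _one_of("none", "master-only", "by-content-type", "all"),
    "referrer-policy": _one_of("no-referrer", "no-referrer-when-downgrade", "same-origin",
                               "origin", "strict-origin", "origin-when-cross-origin",
                               "strict-origin-when-cross-origin", "unsafe-url"),
    "cross-origin-embedder-policy": _one_of("unsafe-none", "require-corp", "credentialless"),
    "cross-origin-opener-policy": _one_of("unsafe-none", "same-origin-allow-popups", "same-origin"),
    "cross-origin-resource-policy": _one_of("same-site", "same-origin", "cross-origin"),
}


def audit_headers(headers: Mapping[str, str]) -> dict:
    """Return which expected headers are missing or invalid, plus any Server header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in EXPECTED if name not in lowered]
    invalid = [name for name, ok in EXPECTED.items()
               if name in lowered and not ok(lowered[name])]
    return {
        "missing": missing,
        "invalid": invalid,
        "server_header": lowered.get("server"),
        "passed": not missing and not invalid and "server" not in lowered,
    }


def fetch_headers(url: str) -> Dict[str, str]:
    """HEAD request against a real site; returns the response headers."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port)
    try:
        conn.request("HEAD", u.path or "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: Kestrel with the module enabled and AddServerHeader = false.
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: default Kestrel host, module not installed, short HSTS max-age.
SAMPLE_DEFAULT = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Kestrel",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HARDENED
    print(audit_headers(hdrs))
```

On the hardened sample the audit passes; on the default sample it reports the Server header, six missing headers and an HSTS value that fails the MaxAge check, which is the kind of drift between appSettings and the deployed response this check is meant to catch.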
Installation
dotnet add package Jhoose.Security.Admin --version 1.1.1.89
Great plugin! I would look for an option to refactor the “Mode” settings to some more human-readable format and (if necessary) parse it to the required integer somewhere inside the lib.
Thanks Valdis, appreciate the feedback.
Good point about the “mode” settings, not very intuitive. I will add it to the backlog.