
Secure ASP.NET Core Server Headers

November 15, 2024

How to configure security headers in ASP.NET Core: remove server fingerprinting headers and add Content-Security-Policy, X-Content-Type-Options, and more.


Remove server headers from response

It is always better to hide headers that reveal information about the server, framework or language, so that an attacker cannot use them to fingerprint the stack.

// Kestrel: stop emitting the "Server" response header
builder.WebHost.ConfigureKestrel(host => { host.AddServerHeader = false; });

Use HSTS

Always use HTTP Strict Transport Security (HSTS) and HTTPS redirection in production apps:

  • HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP requests to HTTPS.
  • HSTS Middleware (UseHsts) to send HTTP Strict Transport Security (HSTS) headers to clients.

var builder = WebApplication.CreateBuilder(args);
...
var app = builder.Build();
...
// Sends Strict-Transport-Security so browsers keep using HTTPS for this host.
// The project templates wrap this in if (!app.Environment.IsDevelopment()),
// because a cached HSTS policy for localhost is hard to undo.
app.UseHsts();
// Redirects any plain-HTTP request to its HTTPS equivalent
app.UseHttpsRedirection();

Enforce HTTPS

Security headers

  • Add the headers directly in Program.cs using anonymous middleware
      app.Use(async (context, next) =>
      {
          // Set the headers before calling the rest of the pipeline, so they are in place
          // when the response starts. The indexer overwrites an existing value, whereas
          // Headers.Add throws if the header is already present.
          context.Response.Headers["Content-Security-Policy"] = "default-src 'self'";
          context.Response.Headers["X-Content-Type-Options"] = "nosniff";
          context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
          // Current browsers have removed the XSS auditor, so this header is harmless but no longer a defence
          context.Response.Headers["X-XSS-Protection"] = "1; mode=block";
          await next();
      });
    
  • Add them using an external middleware package - all detailed info
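A reusable version of the anonymous middleware from the first bullet, as an added example that is not code from the original post. It keeps the same header names and values, sets them in OnStarting so they are written even when a downstream component starts the response before the delegate returns, and is registered with app.UseMiddleware<T>(). The class name SecurityHeadersMiddleware and the field names are assumptions of this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Program.cs: register the middleware early so every response, including error pages, gets the headers.
var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(host => { host.AddServerHeader = false; });
var app = builder.Build();
app.UseMiddleware<SecurityHeadersMiddleware>();
app.MapGet("/", () => "ok");
app.Run();

// Hypothetical class (not from the post); the header names and values are the ones listed above.
public sealed class SecurityHeadersMiddleware
{
    // One table to review and extend, instead of scattered Headers[...] calls.
    private static readonly (string Name, string Value)[] SecurityHeaders =
    {
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options",  "nosniff"),
        ("X-Frame-Options",         "SAMEORIGIN"),
        // Kept from the post for completeness; current browsers no longer implement this filter.
        ("X-XSS-Protection",        "1; mode=block"),
    };

    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting fires just before the status line and headers are flushed, so the values
        // are applied even when a later component starts writing the body before we return.
        context.Response.OnStarting(static state =>
        {
            var response = (HttpResponse)state;
            foreach (var (name, value) in SecurityHeaders)
            {
                // Indexer assignment overwrites an earlier value instead of throwing like Add does.
                response.Headers[name] = value;
            }
            return Task.CompletedTask;
        }, context.Response);

        return _next(context);
    }
}
```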