Increasing Your ASP.NET Core App Security With OWASP Headers

July 17, 2023 by Khalid Abuhakmeh

Securing your application is of the utmost importance, but avoidable mistakes can lead to long-term damage to you, your business, and your users. Luckily for ASP.NET Core developers, they can implement the OWASP-recommended secure headers in their web applications with the greatest of ease.

Thanks to project maintainer Jamie Taylor and many other project contributors, you can now use the OwaspHeaders.Core library to secure your applications from common web-based security threats, all in a single line of code. This library enhances ASP.NET Core HTTP responses with additional HTTP headers known to squash common vulnerabilities, as determined by The OWASP Foundation.

Let's look at how to install this library in your existing ASP.NET Core web applications and what the additional headers may look like in your HTTP responses.

Getting Started

To start using OwaspHeaders.Core, you will need an existing ASP.NET Core application and the OwaspHeaders.Core NuGet package. To install the library, run the following command, or use the NuGet tool window in your favorite IDE to find the package.

dotnet add package OwaspHeaders.Core

Once you've installed the dependency, you'll want to register the SecureHeadersMiddleware as part of your ASP.NET Core request pipeline. Library authors recommend adding the middleware as close to the start of your HTTP request pipeline as possible.

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
// Add the OWASP Secure Headers middleware here
app.UseSecureHeadersMiddleware();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

Once configured, your application's HTTP responses will now include the recommended set of security headers. Here's an example of what those new headers may look like. Note that the following result only shows the headers added by the library and no additional headers from ASP.NET Core.

cache-control: max-age=31536000, private
strict-transport-security: max-age=63072000;includeSubDomains
x-frame-options: DENY
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;
x-permitted-cross-domain-policies: none;
referrer-policy: no-referrer

In addition to having a single-line middleware registration, you can choose which headers get added to responses by configuring an instance of the SecureHeadersMiddlewareConfiguration class. Here's an example of a custom configuration of OWASP-recommended headers.

// The registration shown below refers to this class by name, so the helper
// lives in a static class called CustomSecureHeaderExtensions.
public static class CustomSecureHeaderExtensions
{
    public static SecureHeadersMiddlewareConfiguration CustomConfiguration()
    {
        return SecureHeadersMiddlewareBuilder
            .CreateBuilder()
            // HSTS with a 1200-second max-age; the second argument controls the includeSubDomains directive
            .UseHsts(1200, false)
            // The library's default Content-Security-Policy
            .UseContentDefaultSecurityPolicy()
            .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
            .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
            .Build();
    }
}

Then you can change the registration of the middleware to take advantage of your new configuration.

app.UseSecureHeadersMiddleware(CustomSecureHeaderExtensions.CustomConfiguration());
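Because the headers only appear if the middleware actually runs for a given response, and because pipeline ordering can silently drop it (for example when a short-circuiting middleware runs earlier), it is worth asserting on them in an automated test. The following xUnit integration test is an added example and is not code from the post or from the OwaspHeaders.Core project. It assumes the web project exposes its entry point with `public partial class Program { }` (needed by `WebApplicationFactory<Program>` when `Program.cs` uses top-level statements), that the test project references the `Microsoft.AspNetCore.Mvc.Testing` and `xunit` packages, and that the application runs the library's default configuration; the expected values are copied from the sample response shown earlier, so adjust the table if you register a custom configuration like the one above.

```csharp
// Added example (not part of the post or of OwaspHeaders.Core): boots the
// application in-process with Microsoft.AspNetCore.Mvc.Testing and checks
// that every OWASP-recommended header the middleware emits is present with
// the expected value. `Program` is assumed to be exposed as
// `public partial class Program { }` in the web project.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

public class SecureHeadersTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;

    public SecureHeadersTests(WebApplicationFactory<Program> factory) => _factory = factory;

    // Expected values taken from the sample response for the library's default
    // configuration. cache-control is left out because other middleware
    // (static files, response caching) commonly rewrites it per endpoint.
    public static readonly IReadOnlyDictionary<string, string> ExpectedDefaults =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Strict-Transport-Security"] = "max-age=63072000;includeSubDomains",
            ["X-Frame-Options"] = "DENY",
            ["X-XSS-Protection"] = "0",
            ["X-Content-Type-Options"] = "nosniff",
            ["Content-Security-Policy"] =
                "script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests;",
            ["X-Permitted-Cross-Domain-Policies"] = "none;",
            ["Referrer-Policy"] = "no-referrer",
        };

    // Returns one entry per expected header that is missing or carries a
    // different value, so a failing test reports every deviation at once.
    public static IReadOnlyList<string> FindDeviations(
        HttpResponseHeaders headers, IReadOnlyDictionary<string, string> expected)
    {
        var deviations = new List<string>();
        foreach (var (name, value) in expected)
        {
            if (!headers.TryGetValues(name, out var actual))
            {
                deviations.Add($"{name}: missing");
            }
            else if (!actual.Any(v => string.Equals(v.Trim(), value, StringComparison.Ordinal)))
            {
                deviations.Add($"{name}: got '{string.Join(", ", actual)}'");
            }
        }
        return deviations;
    }

    [Fact]
    public async Task Root_response_carries_all_recommended_headers()
    {
        // Use an https base address so the request resembles production traffic.
        var client = _factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            BaseAddress = new Uri("https://localhost"),
        });

        var response = await client.GetAsync("/");

        var deviations = FindDeviations(response.Headers, ExpectedDefaults);
        Assert.True(deviations.Count == 0, "Header deviations: " + string.Join("; ", deviations));
    }
}
```

Run it with `dotnet test` from the test project. Checking values rather than mere presence matters: a header such as `X-Frame-Options` that is present but set to `ALLOWALL`, or a `Content-Security-Policy` that was relaxed during debugging, passes a presence check while offering little protection.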

It's that straightforward! Who doesn't love some extra security? ❤️

Give OwaspHeaders.Core a Try!

ASP.NET Core is the most popular part of the .NET stack, which sadly also makes it the most prominent target for malicious attacks. By leaning on the security expertise of the OWASP Foundation and the hard work of our .NET OSS contributors, you can now add a new layer of security to your web applications.

As of this post, the OwaspHeaders.Core library is on release 7.5.0 and is available on NuGet, with over 600K downloads 🎉. Give it a try, and please take the time to thank the owners and contributors of the project that make .NET OSS possible.

If you have any feedback for the project or would like to get involved, please head over to their GitHub repository.