HTTP security headers
Confinity comes with a middleware that sets a bunch of HTTP headers in order to improve the security of your application.
Configuration
Most security headers can be configured in the section ConfinityHttpHeader in the appsettings.json of your host application.
{
  "ConfinityHttpHeader": {
    "DisableSecurityHeaders": false,
    "XFrameOptions": "deny",
    "XContentTypeOptions": "nosniff",
    "ReferrerPolicy": "same-origin",
    "CspDefaultSource": "'self'"
  }
}
Or by configuring the options in code:
services.Configure<ConfinityHttpHeaderOptions>(o =>
{
    o.XFrameOptions = "SAMEORIGIN";
    // ...
});
DisableSecurityHeaders
Disables the middleware and thereby all security headers. Use with care.
Default: false
XFrameOptions
The X-Frame-Options HTTP response header.
Default: "deny"
XContentTypeOptions
The X-Content-Type-Options HTTP response header.
Default: "nosniff"
ReferrerPolicy
The Referrer-Policy HTTP response header.
Default: "same-origin"
XXssProtection
The X-XSS-Protection HTTP response header.
Default: "none"
XPermittedCrossDomainPolicies
The X-Permitted-Cross-Domain-Policies HTTP response header.
Default: "none"
CspDefaultSource
The source list for the default-src directive of the Content-Security-Policy header.
Default: "'self'"
Content Security Policy (CSP)
Confinity offers several ways for configuring the Content Security Policy header. For some applications it might be sufficient to just set the default-src via appsettings.json.
{
  "ConfinityHttpHeader": {
    "CspDefaultSource": "'self' trusted.com *.trusted.com"
  }
}
For more complex scenarios, Confinity offers configurations on the HttpContext and tag helpers for generating a nonce.
Configure CSP sources
By calling ConfinityHttpHeaders().Csp() on an HttpContext, sources can be allowed for CSP directives. This can be done in a view, a view component, a controller, or wherever HttpContext is accessible.
The following example registers a middleware at startup. As usual, middleware order matters: register this one before calling app.UseConfinity.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }
    app.UseStaticFiles();

    // configure CSP headers
    app.Use(async (context, next) =>
    {
        context.ConfinityHttpHeaders().Csp()
            .AllowFontSource("fonts.googleapis.com fonts.gstatic.com")
            .AllowStyleSourceElement("fonts.googleapis.com")
            .AllowStyleSourceElement(CspValues.Self)
            .AllowScriptSource(CspValues.Self);
        await next.Invoke();
    });

    app.UseConfinity(env);
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
        endpoints.MapConfinity();
    });
}
Inline scripts/styles with nonce
ConfinityHttpHeaders().Csp().GetNonce() creates a nonce for a given directive to be included in your HTML. Alternatively you can use the CspNonceTagHelper (namespace Confinity.WebUI.Util) inside a Razor view as shown in the following example.
<button id="myBtn">Click me</button>
<script confinity-nonce>
    document.getElementById("myBtn").addEventListener("click", function(){
        alert('Cool team, bro!');
    });
</script>
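Once the middleware and nonce are wired up, it is worth checking what the host actually sends. The following is an added verification script, not part of Confinity: it parses a response's headers against the defaults documented above and the CSP built by the middleware example (font-src, style-src-elem, script-src with a nonce). The header values are constructed samples, not captured from a real deployment.

```python
import re
from typing import Dict, List

# Constructed sample headers: what a host using the appsettings.json defaults
# plus the CSP middleware example might emit (assumption, illustrative only).
SAMPLE_HEADERS = {
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "font-src fonts.googleapis.com fonts.gstatic.com; "
        "style-src-elem fonts.googleapis.com 'self'; "
        "script-src 'self' 'nonce-dGVzdC1ub25jZQ=='"
    ),
}

# Documented defaults for the fixed-value headers.
EXPECTED_FIXED = {
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the response matches expectations."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    for name, expected in EXPECTED_FIXED.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != expected:
            findings.append(f"{name} is {got!r}, expected {expected!r}")
    csp = lower.get("content-security-policy")
    if csp is None:
        return findings + ["missing Content-Security-Policy"]
    policy = parse_csp(csp)
    if "default-src" not in policy:
        findings.append("CSP has no default-src fallback")
    if not any(NONCE_RE.match(s) for s in policy.get("script-src", [])):
        findings.append("script-src has no nonce; <script confinity-nonce> would be blocked")
    for directive, sources in policy.items():
        if "'unsafe-inline'" in sources or "*" in sources:
            findings.append(f"{directive} allows 'unsafe-inline' or *")
    return findings
```

Replace SAMPLE_HEADERS with the headers of a real response (for example from requests.head(url).headers) to audit a running host.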