Security Headers
Alexandru Puiu
October 10, 2018

Table Of Contents

01 X-XSS-Protection
02 X-Content-Type-Options
03 Strict-Transport-Security
04 X-Frame-Options
05 Content-Security-Policy
06 HTTP Public Key Pinning
07 Referrer-Policy
08 Expect-CT / Certificate Transparency
09 Removing Headers
10 Tools

X-XSS-Protection

This header configures the built-in reflective XSS filter found in Internet Explorer, Chrome and Safari (WebKit). Valid settings for the header are 0, which disables the filter; 1, which enables it; and 1; mode=block, which tells the browser to block the whole response if it detects an attack rather than sanitising the script.

app.UseXXssProtection(options => options.EnabledWithBlockMode());

X-Content-Type-Options

Nice and easy to configure, this header only has one valid value, nosniff. It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.

app.UseXContentTypeOptions();

Strict-Transport-Security

HSTS allows you to tell a browser that you always want a user to connect using HTTPS instead of HTTP. This means any bookmarks, links or addresses the user types will be forced to use HTTPS, even if they specify HTTP.

// NWebsec's MaxAge(years, months, weeks, days, ...) takes years as its first positional
// parameter, so MaxAge(30) is a 30-year max-age; write MaxAge(days: 30) for 30 days.
// AllResponses() emits the header on HTTP responses as well, not only on HTTPS ones.
app.UseHsts(options => options.MaxAge(30).AllResponses());

https://scotthelme.co.uk/hsts-the-missing-link-in-tls/

X-Frame-Options

The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks by controlling if/when your website is allowed to be loaded in an iframe.

app.UseXfo(options => options.SameOrigin());

https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/

X-Download-Options

The X-Download-Options header is specific to IE 8 and relates to how IE 8 handles downloaded HTML files. It turns out that if you download an HTML file from a web page and choose to “Open” it in IE, it executes in the context of the web site, which means any scripts in that file also run with the origin of the web site.

app.UseXDownloadOptions();

https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions

Content-Security-Policy

The CSP header allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site, such as JavaScript and CSS, CSP acts as an effective countermeasure to XSS attacks.

app.UseCsp(options => options
    .DefaultSources(s => s.Self())                      // fallback for every fetch directive below
    .ConnectSources(s => s.Self())                      // XHR / fetch / WebSocket targets
    .ScriptSources(s => s.Self())                       // no inline or third-party script
    .StyleSources(s => s.Self().UnsafeInline())         // inline styles still allowed
    .ImageSources(s => s.Self().CustomSources("data:")) // own origin plus data: URIs
    .FontSources(s => s.Self())
    // violations are POSTed here; the report-uri.com address is the author's example
    .ReportUris(r => r.Uris("https://mysite.report-uri.io/r/default/csp/enforce")));

https://scotthelme.co.uk/content-security-policy-an-introduction/

https://docs.nwebsec.com/en/4.2/nwebsec/Configuring-csp.html

HTTP Public Key Pinning

HPKP allows you to protect yourself in cases of a compromised trusted Certification Authority by providing a whitelist of cryptographic identities that the browser should trust. Whilst HSTS says the browser must always use HTTPS, HPKP says the browser should only ever accept a specific set of certificates.

app.UseHpkpReportOnly(options => options
    .Sha256Pins(                 // base64 SHA-256 pins; the values here are placeholders
        "hashkey1=",
        "hashkey2",
        "hashbackupkey1",        // always pin at least one backup key
        "hashbackupkey2")
    .MaxAge(days: 180)
    .IncludeSubdomains()
    .ReportUri("https://mysite.report-uri.io/r/default/hpkp/reportOnly"));

https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Referrer-Policy

When a user clicks a link on one site (the origin) that takes them to another site (the destination), the destination site receives information about the origin the user came from. This Referer header tells me where an inbound visitor came from and is really handy, but there are cases where we may want to control or restrict the amount of information in it, such as the path, or even whether the header is sent at all.

app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin());

https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Expect-CT / Certificate Transparency

This header allows a site to determine if they are ready for the upcoming Chrome requirements and/or enforce their CT policy.

https://scotthelme.co.uk/a-new-security-header-expect-ct/

Removing Headers

Removing information about your server and the frameworks / components in your application is just as important, as some of this information can be used by attackers to exploit known vulnerabilities in a particular platform, or to narrow their search for a working exploit.

Headers such as Server, X-Powered-By, X-AspNet-Version, and other identifying headers should be removed from all responses.

new WebHostBuilder()
    ...
    // Kestrel adds "Server: Kestrel" to every response unless told not to
    .UseKestrel(options =>
    {
        options.AddServerHeader = false;
    })
    ...
    .Build();

Tools

https://securityheaders.com - Scan website for security headers

https://report-uri.com/ - Collect and report on browser-reported security violations

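A command-line checker in the spirit of securityheaders.com, added here as an example (not from the original post). It fetches one URL and reports which of the headers configured above are present and which identifying headers still leak; X-XSS-Protection, HPKP and Expect-CT are left out because current browsers no longer honour them. It assumes .NET 5 or later (C# 9 syntax) and that the URL is passed as the first argument.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

class HeaderCheck
{
    // Header => value prefix it must start with ("" means any value is accepted).
    static readonly Dictionary<string, string> Expected = new()
    {
        ["Strict-Transport-Security"] = "max-age=",
        ["X-Content-Type-Options"]    = "nosniff",
        ["X-Frame-Options"]           = "",   // DENY or SAMEORIGIN
        ["Content-Security-Policy"]   = "",
        ["Referrer-Policy"]           = "",
    };

    // Headers that identify the platform and should have been removed.
    static readonly string[] Leaky =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    static async Task<int> Main(string[] args)
    {
        // Target comes from the command line; "https://example.com" is only a placeholder.
        var url = args.Length > 0 ? args[0] : "https://example.com";
        // No redirects: a 301 to HTTPS would otherwise hide the headers of the requested page.
        using var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
        using var response = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead);
        var problems = 0;

        foreach (var (name, prefix) in Expected)
        {
            if (response.Headers.TryGetValues(name, out var values) &&
                values.Any(v => v.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)))
                Console.WriteLine($"OK       {name}: {string.Join(", ", values)}");
            else
            {
                Console.WriteLine($"MISSING  {name}");
                problems++;
            }
        }

        foreach (var name in Leaky)
        {
            if (!response.Headers.TryGetValues(name, out var values)) continue;
            Console.WriteLine($"LEAK     {name}: {string.Join(", ", values)}");
            problems++;
        }

        return problems == 0 ? 0 : 1;   // non-zero exit code so a CI step can fail on it
    }
}
```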