X-XSS-Protection

This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header are 0, which disables the protection, 1 which enables the protection and 1; mode=block which tells the browser to block the response if it detects an attack rather than sanitising the script.

app.UseXXssProtection(options => options.EnabledWithBlockMode());

X-Content-Type-Options

Nice and easy to configure, this header only has one valid value, nosniff. It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.

app.UseXContentTypeOptions();

Strict-Transport-Security

HSTS allows you to tell a browser that you always want a user to connect using HTTPS instead of HTTP. This means any bookmarks, links or addresses the user types will be forced to use HTTPS, even if they specify HTTP.

app.UseHsts(options => options.MaxAge(30).AllResponses());

https://scotthelme.co.uk/hsts-the-missing-link-in-tls/

X-Frame-Options

The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks by controlling if/when your website is allowed to be loaded in an iframe.

app.UseXfo(options => options.SameOrigin());

https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/

X-Download-Options

The X-Download-Options is specific to IE 8, and is related to how IE 8 handles downloaded HTML files. Turns out if you download an HTML file from a web page and chooses to “Open” it in IE, it will execute in the context of the web site. That means that any scripts in that file will also execute with the origin of the web site.

app.UseXDownloadOptions();

https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions

Content-Security-Policy

The CSP header allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site, like js and css, CSP can act as an effective countermeasure to XSS attacks.

app.UseCsp(options => options
    .DefaultSources(s => s.Self())
    .ConnectSources(s => s.Self())
    .ScriptSources(s => s.Self())
    .StyleSources(s => s.Self().UnsafeInline())
    .ImageSources(s => s.Self().CustomSources("data:"))
    .FontSources(s => s.Self())
    .ReportUris(r => r.Uris("https://mysite.report-uri.io/r/default/csp/enforce")));

https://scotthelme.co.uk/content-security-policy-an-introduction/

https://docs.nwebsec.com/en/4.2/nwebsec/Configuring-csp.html

HTTP Public Key Pinning

HPKP allows you to protect yourself in cases of a compromised trusted Certification Authority by providing a whitelist of cryptographic identities that the browser should trust. Whilst HSTS says the browser must always use HTTPS, HPKP says the browser should only ever accept a specific set of certificates.

app.UseHpkpReportOnly(options => options
                    .Sha256Pins(
                        "hashkey1=",
                        "hashkey2",
                        "hashbackupkey1",
                        "hashbackupkey2")
                    .MaxAge(days: 180)
                    .IncludeSubdomains()
                    .ReportUri("https://mysite.report-uri.io/r/default/hpkp/reportOnly"));

https://scotthelme.co.uk/hpkp-http-public-key-pinning/

Referrer-Policy

When a user clicks a link on one site, the origin, that takes them to another site, the destination, the destination site receives information about the origin the user came from. This referer header lets me know where the inbound visitor came from, and is really handy, but there are cases where we may want to control or restrict the amount of information present in this header like the path or even whether the header is sent at all.

app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin());

https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Expect-CT / Certificate Transparency

This header allows a site to determine if they are ready for the upcoming Chrome requirements and/or enforce their CT policy.

https://scotthelme.co.uk/a-new-security-header-expect-ct/

Removing Headers

Removing information about your server and frameworks / components in your application is just as important, as some of this information can be used by attackers to exploit known vulnerabilities in a particular platform, or narrow their attack to discover exploits more quickly.

Headers such as Server, X-Powered-By, X-AspNet-Version, and other identifying headers should be removed from all responses.

new WebHostBuilder()
...
.UseKestrel(options =>
    {
        options.AddServerHeader = false;
    })
...
.Build();

Tools

https://securityheaders.com - Scan website for security headers

https://report-uri.com/ - Collect and report on browser-reported security violations’