
nuget.org : sechdrscore

Build up Security Headers in a (semi) modular way, for use in an ASP.NET Core web project.

In `startup.cs`, add the following private members to the startup class:

```csharp
private SecurityHeaders _securityHeaders { get; set; }
private List<CspFrame> _cspFrames { get; set; }
```

and the following two private methods (alter them as you need to). These reference the samples NuGet package.

```csharp
private List<CspFrame> AssembleContentSecurityPolicies()
{
    var defCspFrame = new CspFrame().Initialise("default");
    defCspFrame.Clauses
        .AddUpdateClause("script-src", "", "'unsafe-eval'")
        .AddUpdateClause("style-src", "", "'unsafe-inline'")
        .AddUpdateClause("img-src", "", "data:")
        .AddUpdateClause("plugin-types", "", "application/pdf")
        .AddUpdateClause("frame-ancestors", "", "'none'")
        .AddUpdateClause("report-uri", "", "/cspreport");

    var basicCdnCspFrame = new CspFrame().Initialise("basicCdn");
    basicCdnCspFrame.Clauses
        .AddUpdateClause("default-src", "", "https://maxcdn.bootstrapcdn.com/")
        .AddUpdateClause("script-src", "", "https://ajax.googleapis.com/ https://code.jquery.com/ https://cdnjs.cloudflare.com/")
        .AddUpdateClause("style-src", "", "https://fonts.googleapis.com/")
        .AddUpdateClause("font-src", "", "https://fonts.gstatic.com/")
        .AddUpdateClause("img-src", "", "https://csi.gstatic.com/");

    var googleMapsCspFrame = new CspFrame().GoogleMaps();
    var stripeCspFrame = new CspFrame().Stripe();

    return new List<CspFrame> { defCspFrame, basicCdnCspFrame, googleMapsCspFrame, stripeCspFrame };
}

/// <summary>
/// Returns a merged copy of all relevant CspFrames - adding in the Dev CspFrame if required
/// </summary>
/// <param name="env"></param>
/// <returns></returns>
private CspFrame BuildContentSecurityPolicy(IHostingEnvironment env)
{
    if (_cspFrames == null || !_cspFrames.Any())
    {
        _cspFrames = AssembleContentSecurityPolicies();
    }

    // Assemble the master CSP
    var masterCsp = _cspFrames.Merge();

    if (env.IsDevelopment())
    {
        var localhostSp = "localhost:56993/";
        var stripe = "http://checkout.stripe.com/"; // Note that this dev CSP includes the http versions for Stripe
        var devCspFrame = new CspFrame().Initialise("dev");
        devCspFrame.Clauses.AddUpdateClause("default-src", "", "http://localhost:5000/")
            .AddUpdateClause("connect-src", "", "http://" + localhostSp + " ws://" + localhostSp + " " + stripe)
            .AddUpdateClause("script-src", "", "http://" + localhostSp + " " + stripe);
        masterCsp = masterCsp.Merge(devCspFrame);
    }

    return masterCsp;
}
```

Note that `'unsafe-eval'` on `script-src` and `'unsafe-inline'` on `style-src` relax the policy for those two directives; keep them only if your scripts and styles actually need them.

Finally, include the following in the configuration method, just before `app.UseMvc( ...`:

```csharp
// Set up the overall Security Headers
// This will also assemble the _cspFrames object if required
if (_securityHeaders == null)
{
    _securityHeaders = app.BuildSecurityHeaders(BuildContentSecurityPolicy(env));
}
else
{
    _securityHeaders.Csp = BuildContentSecurityPolicy(env);
}
app.UseSecurityHeaders(_securityHeaders);
```

Registry - JSON
purl: pkg:nuget/sechdrscore
Keywords: asp.net, core, csp, content, security, policy, header, headers
License:
Latest release: almost 7 years ago
First release: over 124 years ago
Dependent packages: 1
Downloads: 13,963 total
Last synced: 21 days ago
