Funky Si's Tech Talk by Simon Foster
Security Headers
26 September 2020
Tags: security, dotnet
Have you wondered what info you are leaking via your response headers? Do you want some kind of guide about which headers to set or remove altogether?
Head on over to https://securityheaders.com/. This is a site created by security expert Scott Helme that rates a URL based on what response headers it can see.
I am pleased to say www.funkysi1701.com is now getting an A.
So how do you add/remove headers in dotnet core?
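In my Configure method in Startup.cs I have the following code block.

    // Requires: using System.Threading.Tasks;
    app.Use(
        next =>
        {
            return async context =>
            {
                // OnStarting runs just before the response headers are sent.
                context.Response.OnStarting(
                    () =>
                    {
                        // Indexer assignment overwrites an existing value;
                        // Headers.Add throws if the key is already present.
                        context.Response.Headers["Permissions-Policy"] = "microphone=()";
                        // Remove headers that disclose the server stack.
                        context.Response.Headers.Remove("Server");
                        context.Response.Headers.Remove("X-Powered-By");
                        context.Response.Headers.Remove("X-AspNet-Version");
                        return Task.CompletedTask;
                    });
                await next(context);
            };
        });
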
I have only included a few of the headers I am adding, as the excellent https://securityheaders.com/ can tell you which headers you should add and what options you might want.
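
To run the same kind of check locally, for example against a site that is not publicly reachable, the following added example (not code from the original post) audits a set of response headers for stack-disclosing headers and missing security headers. The class name HeaderAudit, the list of expected headers and the sample header values are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class HeaderAudit
{
    // Headers the post removes because they disclose the server stack.
    static readonly string[] Leaky = { "Server", "X-Powered-By", "X-AspNet-Version" };

    // Assumption: a commonly recommended set of security response headers.
    static readonly string[] Expected =
    {
        "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
        "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"
    };

    // Returns one finding per problem; an empty list means nothing was flagged.
    public static List<string> Audit(IDictionary<string, string> headers)
    {
        // HTTP header names are case-insensitive, so normalise the lookup.
        var h = new Dictionary<string, string>(headers, StringComparer.OrdinalIgnoreCase);
        var findings = new List<string>();
        findings.AddRange(Leaky.Where(n => h.ContainsKey(n))
                               .Select(n => $"LEAK    {n}: {h[n]}"));
        findings.AddRange(Expected.Where(n => !h.ContainsKey(n) || string.IsNullOrWhiteSpace(h[n]))
                                  .Select(n => $"MISSING {n}"));
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: a response before any header middleware runs.
        var before = new Dictionary<string, string>
        {
            ["server"] = "Kestrel",
            ["X-Powered-By"] = "ASP.NET",
            ["Content-Type"] = "text/html; charset=utf-8"
        };
        // Constructed sample: the same response after the middleware shown in the post.
        var after = new Dictionary<string, string>
        {
            ["Content-Type"] = "text/html; charset=utf-8",
            ["Permissions-Policy"] = "microphone=()"
        };
        Console.WriteLine("Before:\n  " + string.Join("\n  ", Audit(before)));
        Console.WriteLine("After:\n  " + string.Join("\n  ", Audit(after)));
    }
}
```

In an integration test, the dictionary can be built from the headers of a real HttpResponseMessage and the test can assert that Audit returns an empty list.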

Simon Foster