Question 1

How to add CSP nonce in ASP.NET Core with this library?

Accepted Answer

Register the service with AddCsp in ConfigureServices, use AddNonce() in your CSP configuration, and apply the asp-add-nonce tag helper in Razor views. This generates per-request nonces for inline scripts and styles, as detailed in the README.

Question 2

Is HPKP still safe to use in 2024?

Accepted Answer

No, HPKP is deprecated and not recommended due to high risks of misconfiguration leading to site outages. Modern security practices favor mechanisms like HTTP Strict Transport Security (HSTS) and Certificate Transparency instead.

Question 3

Joonasw.AspNetCore.SecurityHeaders vs built-in ASP.NET Core security features?

Accepted Answer

Built-in ASP.NET Core features like UseHsts provide basic HSTS support, but Joonasw's library offers a more comprehensive fluent API for CSP with nonce generation and HPKP, making it better for advanced header management. However, built-in options are lighter for simple cases.

Question 4

How to exclude security headers from API endpoints?

Accepted Answer

Use the OnSendingHeader callback in CSP configuration to set ShouldNotSend based on request paths, such as checking if the path starts with /api. This allows conditional application without affecting API responses.

Question 5

Best practices for testing CSP with this library?

Accepted Answer

Start with SetReportOnly() in CSP setup to enable report-only mode, configure ReportViolationsTo to send logs to an endpoint or service like report-uri.io, and monitor violations before enforcing policies to avoid breaking functionality.

Question 6

How to handle CSP violation reports in ASP.NET Core?

Accepted Answer

Set up a custom endpoint to receive POST reports via ReportViolationsTo, then integrate with third-party services like Report URI or implement custom logging. The library doesn't include built-in report handling, so additional code is needed.

aspnetcore-security-headers

What is aspnetcore-security-headers?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions