Question 1

How do I customize the Content-Security-Policy with OwaspHeaders.Core?

Accepted Answer

Use the builder pattern in your configuration method: call UseContentDefaultSecurityPolicy() and chain other methods to adjust CSP directives. For example, you can modify script-src or object-src values during setup, but changes require recompilation.

Question 2

OwaspHeaders.Core vs manually setting headers in ASP.NET Core?

Accepted Answer

OwaspHeaders.Core standardizes OWASP best practices with minimal code, reducing configuration errors. Manual setup offers more granular control but requires deeper security knowledge and ongoing maintenance to keep headers up-to-date.

Question 3

Does OwaspHeaders.Core work with .NET 9?

Accepted Answer

Yes, the project lists .NET 9 SDK as a build requirement, ensuring compatibility with the latest ASP.NET Core versions. Always check the NuGet package for specific version support.

Question 4

How can I test if OwaspHeaders.Core is working?

Accepted Answer

Run your application and use browser developer tools to inspect network responses. Look for added headers like X-Frame-Options and Content-Security-Policy in the Response Headers tab, as shown in the README's screenshot example.

Question 5

Can I use OwaspHeaders.Core in a Blazor Server app?

Accepted Answer

No, the middleware does not support any Blazor applications, including Blazor Server, due to header handling challenges in WebAssembly contexts. The README clearly warns against this use case.

Question 6

How to remove the Server header with OwaspHeaders.Core?

Accepted Answer

OwaspHeaders.Core does not handle the Server header. You must add a web.config file with requestFiltering settings to remove it, as described in the README, which adds deployment complexity.

OwaspHeaders

What is OwaspHeaders?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions