A detailed explanation of how to configure security settings for a web site under ASP.NET Core

Time:2019-11-28

Preface

This article introduces how to make security settings for a website in ASP.NET Core, and shares them for your reference and study. Without further ado, let's take a look at the detailed introduction.

The configuration steps are as follows

First, let's look at the HTTP headers returned by the Stack Overflow website:

You can see some familiar and some unfamiliar HTTP header fields.

Here we add some basic protection to the HTTP response headers. First of all, it should be clear that since we are dealing with HTTP headers, we need to work in the Configure method of the Startup class, which is where the HTTP request pipeline is set up.

First, define the basic pieces, namely the middleware and its supporting classes:


using System.Collections.Generic;

public class SecurityHeadersPolicy
{
    // Headers (name -> value) to add to, or overwrite in, every response.
    public IDictionary<string, string> SetHeaders { get; }
        = new Dictionary<string, string>();

    // Header names to strip from every response.
    public ISet<string> RemoveHeaders { get; }
        = new HashSet<string>();
}

The header information here is what we define ourselves to add or remove; next comes our middleware:


using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;
    private readonly SecurityHeadersPolicy _policy;

    public SecurityHeadersMiddleware(RequestDelegate next, SecurityHeadersPolicy policy)
    {
        _next = next;
        _policy = policy;
    }

    public async Task Invoke(HttpContext context)
    {
        IHeaderDictionary headers = context.Response.Headers;

        // Add or overwrite every header listed in the policy ...
        foreach (var headerValuePair in _policy.SetHeaders)
        {
            headers[headerValuePair.Key] = headerValuePair.Value;
        }

        // ... and strip the ones marked for removal. Both happen before the rest of
        // the pipeline runs, so the headers are in place before the response is sent.
        foreach (var header in _policy.RemoveHeaders)
        {
            headers.Remove(header);
        }

        await _next(context);
    }
}

Based on the IApplicationBuilder interface, we provide an extension method for registering the middleware:


using Microsoft.AspNetCore.Builder;

public static class MiddlewareExtensions
{
    public static IApplicationBuilder UseSecurityHeadersMiddleware(this IApplicationBuilder app, SecurityHeadersBuilder builder)
    {
        // Materialise the policy once and hand it to the middleware as a constructor argument.
        SecurityHeadersPolicy policy = builder.Build();
        return app.UseMiddleware<SecurityHeadersMiddleware>(policy);
    }
}

Wrap the related security settings in a builder class:


// Header names and values used by the builder; the values match the sample response shown further down.
public static class FrameOptionsConstants
{
    public const string Header = "X-Frame-Options";
    public const string Deny = "DENY";
    public const string SameOrigin = "SAMEORIGIN";
    // Legacy value; current browsers ignore it in favour of the CSP frame-ancestors directive.
    public const string AllowFromUri = "ALLOW-FROM {0}";
}

public static class ServerConstants
{
    public const string Header = "Server";
}

public class SecurityHeadersBuilder
{
    private readonly SecurityHeadersPolicy _policy = new SecurityHeadersPolicy();

    // The baseline set of headers; the individual calls below can override or extend it.
    public SecurityHeadersBuilder AddDefaultSecurePolicy()
    {
        AddFrameOptionsDeny();
        AddXssProtectionBlock();
        AddContentTypeOptionsNoSniff();
        AddStrictTransportSecurityMaxAge();
        RemoveServerHeader();

        return this;
    }

    // X-Frame-Options: DENY - the page may not be framed at all (clickjacking defence).
    public SecurityHeadersBuilder AddFrameOptionsDeny()
    {
        _policy.SetHeaders[FrameOptionsConstants.Header] = FrameOptionsConstants.Deny;
        return this;
    }

    // X-Frame-Options: SAMEORIGIN - only pages from the same origin may frame this one.
    public SecurityHeadersBuilder AddFrameOptionsSameOrigin()
    {
        _policy.SetHeaders[FrameOptionsConstants.Header] = FrameOptionsConstants.SameOrigin;
        return this;
    }

    // X-Frame-Options: ALLOW-FROM <uri> - named after the value it sets.
    public SecurityHeadersBuilder AddFrameOptionsAllowFromUri(string uri)
    {
        _policy.SetHeaders[FrameOptionsConstants.Header] = string.Format(FrameOptionsConstants.AllowFromUri, uri);
        return this;
    }

    // X-XSS-Protection: 1; mode=block - enables the (legacy) browser XSS filter in blocking mode.
    public SecurityHeadersBuilder AddXssProtectionBlock()
    {
        _policy.SetHeaders["X-XSS-Protection"] = "1; mode=block";
        return this;
    }

    // X-Content-Type-Options: nosniff - stops browsers from MIME-sniffing the response body.
    public SecurityHeadersBuilder AddContentTypeOptionsNoSniff()
    {
        _policy.SetHeaders["X-Content-Type-Options"] = "nosniff";
        return this;
    }

    // Strict-Transport-Security: max-age=<seconds> - browsers use HTTPS only for that long.
    // The default of 31536000 seconds is one year, as in the sample response.
    public SecurityHeadersBuilder AddStrictTransportSecurityMaxAge(int maxAgeSeconds = 31536000)
    {
        _policy.SetHeaders["Strict-Transport-Security"] = "max-age=" + maxAgeSeconds;
        return this;
    }

    // Removes the Server header. Note that the X-Powered-By header in the sample response
    // is added by IIS rather than by the application, so it has to be removed in web.config.
    public SecurityHeadersBuilder RemoveServerHeader()
    {
        _policy.RemoveHeaders.Add(ServerConstants.Header);
        return this;
    }

    public SecurityHeadersBuilder AddCustomHeader(string header, string value)
    {
        _policy.SetHeaders[header] = value;
        return this;
    }

    public SecurityHeadersBuilder RemoveHeader(string header)
    {
        _policy.RemoveHeaders.Add(header);
        return this;
    }

    public SecurityHeadersPolicy Build()
    {
        return _policy;
    }
}

Finally, register it in the HTTP request pipeline:


// In Startup.Configure(IApplicationBuilder app, ...), early in the pipeline so that
// every response passes through it:
app.UseSecurityHeadersMiddleware(new SecurityHeadersBuilder()
    .AddDefaultSecurePolicy()
);

Then we can browse the page and see the headers in the HTTP response:


HTTP/1.1 200 OK 
Content-Type: text/html; charset=utf-8 
X-Frame-Options: DENY 
X-XSS-Protection: 1; mode=block 
X-Content-Type-Options: nosniff 
Strict-Transport-Security: max-age=31536000 
X-Powered-By: ASP.NET
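A quick way to check the middleware without starting a server is an xUnit test that drives it with an in-memory DefaultHttpContext. This is an added example, not code from the article or its linked repository; it assumes the classes above, that FrameOptionsConstants.SameOrigin is the standard value SAMEORIGIN, that the HSTS max-age is one year as in the sample response, and that the Microsoft.AspNetCore.Http and xunit packages are referenced.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Xunit;

public class SecurityHeadersMiddlewareTests
{
    // Runs the middleware against an in-memory DefaultHttpContext; no web server involved.
    // The pre-set Server header is constructed here so RemoveHeaders has something to strip.
    private static async Task<IHeaderDictionary> RunAsync(SecurityHeadersPolicy policy)
    {
        var context = new DefaultHttpContext();
        context.Response.Headers["Server"] = "Kestrel";

        var downstreamCalled = false;
        RequestDelegate next = ctx => { downstreamCalled = true; return Task.CompletedTask; };

        await new SecurityHeadersMiddleware(next, policy).Invoke(context);
        Assert.True(downstreamCalled, "middleware must pass the request on");
        return context.Response.Headers;
    }

    [Fact]
    public async Task DefaultPolicy_EmitsExpectedHeaders_AndStripsServer()
    {
        var policy = new SecurityHeadersBuilder().AddDefaultSecurePolicy().Build();
        var headers = await RunAsync(policy);

        Assert.Equal("DENY", headers["X-Frame-Options"].ToString());
        Assert.Equal("1; mode=block", headers["X-XSS-Protection"].ToString());
        Assert.Equal("nosniff", headers["X-Content-Type-Options"].ToString());
        Assert.Equal("max-age=31536000", headers["Strict-Transport-Security"].ToString());
        Assert.False(headers.ContainsKey("Server"));
    }

    [Fact]
    public async Task LaterCalls_OverrideDefaults_AndCustomHeadersAreAdded()
    {
        var policy = new SecurityHeadersBuilder()
            .AddDefaultSecurePolicy()
            .AddFrameOptionsSameOrigin()                       // replaces the DENY set by the default policy
            .AddCustomHeader("Referrer-Policy", "no-referrer") // not part of the default set
            .Build();
        var headers = await RunAsync(policy);

        Assert.Equal("SAMEORIGIN", headers["X-Frame-Options"].ToString());
        Assert.Equal("no-referrer", headers["Referrer-Policy"].ToString());
    }
}
```

Because the policy is a plain dictionary, the order of builder calls decides which value wins for a header name, which the second test makes visible.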

Another topic is CSRF protection. If you have used ASP.NET MVC before, you may have noticed that in the most basic MVC template, the <form> in the existing .cshtml pages contains the following line:


@Html.AntiForgeryToken()

This is how Microsoft provides CSRF protection in the MVC framework. We can use the above code directly inside the form, and then in the action method that handles the form submission:


// Rejects the POST unless the request carries a valid anti-forgery token.
[ValidateAntiForgeryToken]
[HttpPost]
public IActionResult AntiForm(string message)
{
    return Content(message);
}

Use the [ValidateAntiForgeryToken] attribute to validate the CSRF token.

Reference links:

  • How to add security headers in asp.net core using custom Middleware
  • How to deal with CSRF in asp.net core

Code address:

https://github.com/RyanOvO/aspnetcore-fileup-demo

Summary

The above is the whole content of this article. I hope it has some reference value for everyone's study or work. If you have any questions, you can leave a message for discussion. Thank you for your support of developepaar.