NetEscapades.AspNetCore.SecurityHeaders

Small package to allow adding security headers to ASP.NET Core websites

Results 25 NetEscapades.AspNetCore.SecurityHeaders issues

It's truly amazing to see that there is already support for `inline-hashes` on `style` attributes, and also how that works [under the hood](https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders/blob/54185de6053f7406888c25a4c8f1542f4f1fa724/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs#L67) (as you're dependent on the rendering of...

In the average application it's easy for the Startup file to get untidy and require a lot of scrolling to find what you need. For this reason we consistently use...

Having checked the issue #19, which is kind of related to this, I wonder if there is a solution, since a couple of years have passed already.

### The problem:

Having...

Hi, I use `StyleSrc` for all pages:

```csharp
builder.AddStyleSrc().Self().UnsafeInline();
...
```

I don't want to use `StyleSrc` on the `Contact.cshtml` page. How do I disable only `StyleSrc` on a page...

We are using this library in an internal framework used by over 100 internal applications. Depending on how old they are, different sources need to be added. We have a...

As it is now, the only way to set which security headers are to be used is at the middleware level. This lacks flexibility, as path-dependent policies become hard to...

As mentioned on [the MDN documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), the non-standard `X-XSS-Protection` header *"can create XSS vulnerabilities in otherwise safe websites"*. Even with `mode=block`, it may still leave the site [vulnerable to side-channel...

I try to lock down my APIs. The headers are not applied to API calls. Looking into this now, maybe you have already experienced this. Here's a repo to reproduce:...

Rather than having, or only having, DocumentHeaderContentTypePrefixes be completely replaced by one of the ApplyDocumentHeadersTo methods, would it make sense to expose the collection so that it can be selectively...