
Reinforcing security headers
Many modern browsers provide additional security features that are enabled automatically when the responses from your site carry the corresponding headers. In this section, we will discuss how to add those headers in our ASP.NET Core application and thereby turn on additional protection in the browser.
To find out which headers are missing from our application, we can use the www.SecurityHeaders.io site. However, to use it, our site needs to be publicly accessible on the internet.
Alternatively, we can use ngrok to create an HTTP tunnel to our local application, which makes our site reachable from the internet. The ngrok tool can be downloaded from the following link: https://ngrok.com/download.
Select the version for your OS and download the corresponding installer.
Once ngrok is installed, open it and run the following command. Please note that your site should already be running locally before executing it:
ngrok http -host-header localhost 7204
Replace localhost with your server's IP address and 7204 with the port your application is listening on.
Running the preceding command generates a public URL, shown in the Forwarding property, as follows:

We can now enter this public URL at www.securityheaders.io, which scans our site and reports the result. It grades the site with a letter from A to F, where A is an excellent score meaning that all security headers are present, and F means that the site is not secure and is missing the security headers. Scanning the default ASP.NET Core site generated from the default template scores F, as shown in the following screenshot. It also lists the missing headers, which are boxed in red:

First of all, we should enable HTTPS on our site; to do so, refer to the section on SSL. Next, we add the NWebsec.AspNetCore.Middleware package from NuGet, as follows:

NWebsec comes with various middleware components that can be added to our application from the Configure method of the Startup class.
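As an added example (not the book's own code), the following Configure method wires up NWebsec's header middleware so that every response carries the headers securityheaders.io looks for; it assumes the NWebsec.AspNetCore.Middleware package from above is installed in an ASP.NET Core 2.x MVC project, and that its extension methods live in the Microsoft.AspNetCore.Builder namespace.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Register the header middleware before anything that writes a
        // response (static files, MVC); otherwise those responses are sent
        // without the headers. HTTPS itself is set up in the SSL section.

        // Strict-Transport-Security; NWebsec only emits it on HTTPS responses.
        app.UseHsts(opts => opts.MaxAge(days: 365).IncludeSubdomains());

        // X-Content-Type-Options: nosniff (stops MIME sniffing of responses)
        app.UseXContentTypeOptions();

        // X-Frame-Options: DENY (the site cannot be framed; clickjacking defence)
        app.UseXfo(opts => opts.Deny());

        // X-XSS-Protection: 1; mode=block (legacy browser XSS filter)
        app.UseXXssProtection(opts => opts.EnabledWithBlockMode());

        // Referrer-Policy: no-referrer (do not leak URLs to other origins)
        app.UseReferrerPolicy(opts => opts.NoReferrer());

        // Content-Security-Policy: only same-origin scripts and styles.
        // Swap in UseCspReportOnly first if the site loads third-party
        // assets, check the violation reports, then switch to UseCsp.
        app.UseCsp(opts => opts
            .DefaultSources(s => s.Self())
            .ScriptSources(s => s.Self())
            .StyleSources(s => s.Self())
            .BlockAllMixedContent());

        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```

After restarting the site and re-running the scan through the ngrok URL, the previously boxed headers should no longer be reported as missing.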