Security headers? How?

[asadsahi]

I can see security headers added on live site, but can't find middleware reponsible for it?

[madskristensen]

Check out _ViewStart.cshtml

[asadsahi]

Thanks @madskristensen wonderful.

Can web.config items be handled in same file as well?

 <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

[madskristensen]

That one should be middleware instead of web.config and it cannot be _ViewStart.cshtml because those headers applies to more than just text/html

[asadsahi]

Interesting. In SPA application will the ViewStart headers be applied to all requests? If not, what middleware do you reckon for asp.net core, something like helmet?

[asadsahi]

for now I have used https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

But was looking if Microsoft has a builtin way to add such middleware.

Thanks for this wondersful effort of creating blog engine. I have taking some nice concepts from this such as SEO and implementing in my own application.

Great work :)

[madskristensen]

@asadsahi It looks like @andrewlock might modify his awesome security headers NuGet package so we can use it in Miniblog.Core. That would be great.

[asadsahi]

Nice. I am currently using @andrewlock 's package for security headers and @juunas11 's package for CSP. Asked Andrew if he can combine concepts of both types of security headers into one package to make job easier. Will make life easy rather relying on multiple packages. Also I really like your suggestion of simplifying Andrew's package.

[andrewlock]

Just FYI, I'm going to try and add CSP and get the simplified method in this week :)

[asadsahi]

@andrewlock great 👍