A quick overview of securing a .NET Core web app using NWebSec and the web.config
First up, let's install the NWebSec middleware from NuGet via the package manager:

PM> Install-Package NWebsec.AspNetCore.Middleware

For those of you (like me) who are a little rusty on security best practice, two of the general principles are:
- Reduce attack surface (expose as little functionality, and as little information about your app, as possible)
- Restrict access (unless securely authorised)

The ingredients for a safe .NET Core app broadly feed into these practices and include the following (non-exhaustive) list:
- [HSTS] HTTP Strict Transport Security Header
- X-XSS-Protection Header
- X-Frame-Options Header
- [CSP] Content-Security-Policy Header
- X-Content-Type-Options Header
- Referrer-Policy Http Header
- Remove the X-Powered-By header, so responses no longer advertise the app technology
- [HPKP] HTTP Public Key Pinning Header

Let's take these one at a time!
[HSTS] HTTP Strict Transport Security Header

This is what it sounds like: tell the browser that all communication with this host (and, with IncludeSubdomains, its subdomains) must go over HTTPS for the MaxAge period, so it will not even attempt plain HTTP in that time. The browser only learns the rule from the first HTTPS response it sees, which leaves the very first visit unprotected. .Preload() does not fix that by itself: it marks the site as eligible for the browser-maintained preload list, and you still have to submit it at hstspreload.org, which requires a max-age of at least one year, includeSubDomains and preload. Treat preload as a one-way door: once listed, every subdomain has to serve HTTPS, and getting removed takes months.
app.UseHsts(options => options.MaxAge(365).IncludeSubdomains().Preload());

X-XSS-Protection Header

This response header told the browser's built-in reflected-XSS filter to block the page outright when it detected reflected cross-site scripting (the "1; mode=block" value that EnabledWithBlockMode emits). It is now a legacy header: Chrome removed its XSS Auditor in 2019, Edge has dropped its filter, and Firefox never implemented one, so current browsers ignore it. A strong Content-Security-Policy (spoilers!) is the real defence; setting this header is harmless for old browsers, but do not rely on it.
app.UseXXssProtection(options => options.EnabledWithBlockMode());

X-Frame-Options Header

Ensure that site content is not embedded in an iframe on other sites; this is the classic defence against clickjacking. SameOrigin allows framing only by pages from your own origin; the "deny" value forbids framing entirely. Browsers that understand the CSP frame-ancestors directive give it precedence when both headers are present, so keep X-Frame-Options for older browsers and make sure the two agree.
app.UseXfo(options => options.SameOrigin());

[CSP] Content-Security-Policy Header

The content security policy lets you whitelist, per resource type, the origins the browser may load from when rendering your pages: scripts, styles, images, fonts, frames, XHR/fetch endpoints, form targets and so on. Anything not on the list is blocked (and, if you configure a report-uri, reported back to you), which turns many injection bugs from exploitable into merely noisy.
There are a heap of different ways you can configure this and they are very much dependent on your requirements and what you need to load in and out. You can read more about your options in the handy Mozilla docs.
An example would be:
app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .StyleSources(s => s.Self().UnsafeInline())
    .FontSources(s => s.Self())
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .ImageSources(s => s.Self())
    .ScriptSources(s => s.Self())
);

Two things to watch in a policy like this. First, there is no default-src, so every fetch directive you did not list (connect-src, media-src, object-src, worker-src, ...) falls back to "anything goes"; start from default-src 'none' or 'self' and open up from there. Second, 'unsafe-inline' on style-src means an injected <style> block is allowed too; it is a common concession to frameworks that inline styles, but nonces or hashes are the cleaner fix.

X-Content-Type-Options Header

Sends X-Content-Type-Options: nosniff, which stops the browser from MIME-sniffing a response into something other than its declared Content-Type. Without it, a user-uploaded "text/plain" file that happens to contain HTML or script can be rendered as such, and script or stylesheet loads with the wrong MIME type get executed anyway; with nosniff, script and style responses whose type does not match are blocked.
app.UseXContentTypeOptions();

Referrer-Policy Http Header

This tells the browser how much of the current URL to send in the Referer header (misspelt in the HTTP spec, spelt correctly in this one!) when the user follows a link or the page loads a resource. The historical browser default was no-referrer-when-downgrade, i.e. send the full URL except when going from an HTTPS page to an HTTP site; current Chrome and Firefox default to strict-origin-when-cross-origin, which sends only the origin to other sites. Setting the header explicitly takes the browser's default out of the equation.
This one depends a bit on your requirements; the options are listed in detail on Mozilla's dev site to help you make a decision. If you want to be super safe (no referrer at all, even to your own pages, so anything that keys off it, such as analytics, goes blind), then opt for:
app.UseReferrerPolicy(opts => opts.NoReferrer());

Remove X-Powered-By Header

Now let's make sure that we're not giving information away regarding the technology in use (i.e. ASP.NET). The X-Powered-By: ASP.NET header is added by IIS rather than by your app, so it is removed in web.config (which only applies when you host under IIS or IIS Express):
<system.web>
  <httpRuntime enableVersionHeader="false"/>
</system.web>
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The <customHeaders> removal is the part that matters for an ASP.NET Core app; enableVersionHeader suppresses the X-AspNet-Version header that classic ASP.NET emits and is inert for a Core app. Kestrel itself adds a Server: Kestrel header, which is turned off in code rather than config (KestrelServerOptions.AddServerHeader = false).

[HPKP] HTTP Public Key Pinning Header

This one is interesting and is about pinning certificates: the header tells the browser which public keys it should accept in your certificate chain on future visits. It is also dangerous (pin the wrong key, or lose the pinned key, and you have locked your own users out for the max-age) and it is effectively dead: Chrome removed HPKP support in 2019 and no major browser honours it today, so treat it as history rather than something to deploy. The header, and the plugins that facilitate it, are covered comprehensively in @JoonasWestlin's blog here
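Putting the pieces above together, here is an added example (it is not code from the original post, and not NWebsec's own) of a complete pipeline that emits every header discussed, in an order that makes them apply to static files and error pages as well as MVC responses. It assumes ASP.NET Core 6 or later with minimal hosting and the NWebsec.AspNetCore.Middleware package installed; the /csp-report endpoint and the home page are illustrative, not part of NWebsec.

```csharp
// Added example, not code from the original post or from NWebsec: a complete
// minimal-hosting Program.cs that wires every header discussed above in one pipeline.
// Assumes ASP.NET Core 6+ with the NWebsec.AspNetCore.Middleware package installed;
// the /csp-report endpoint and the "/" page are illustrative.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Kestrel adds "Server: Kestrel" to every response; IIS adds X-Powered-By (web.config
// handles that one). Both only tell an attacker what to search exploit databases for.
builder.WebHost.ConfigureKestrel(kestrel => kestrel.AddServerHeader = false);

var app = builder.Build();

// 1. Redirect plain HTTP to HTTPS first: browsers ignore HSTS received over HTTP,
//    so the header only does its job once the client is on the secure scheme.
app.UseHttpsRedirection();

// 2. HSTS for one year including subdomains. Preload() is only added once you are
//    committed to HTTPS everywhere; it makes you eligible for hstspreload.org,
//    it does not protect the first visit by itself.
app.UseHsts(o => o.MaxAge(365).IncludeSubdomains().Preload());

// 3. The remaining header middleware sits BEFORE UseStaticFiles and routing so that
//    /css, /js and error pages carry the headers too, not just MVC responses.
app.UseXContentTypeOptions();                 // nosniff
app.UseReferrerPolicy(o => o.NoReferrer());   // send no Referer at all
app.UseXfo(o => o.SameOrigin());              // legacy clickjacking defence; must agree
                                              // with frame-ancestors below
// X-XSS-Protection is deliberately not set: current browsers ignore it and CSP covers it.

// 4. CSP: closed by default, then opened per resource type. default-src 'none' means
//    connect-src, media-src, worker-src and friends are locked down as well, instead
//    of being silently unrestricted because they were not listed.
app.UseCsp(o => o
    .DefaultSources(s => s.None())
    .ScriptSources(s => s.Self())
    .StyleSources(s => s.Self())      // no 'unsafe-inline': injected <style> is blocked
    .ImageSources(s => s.Self())
    .FontSources(s => s.Self())
    .ConnectSources(s => s.Self())    // XHR/fetch/WebSocket targets
    .ObjectSources(s => s.None())     // plugins are a classic CSP bypass
    .BaseUris(s => s.Self())          // an injected <base href> cannot hijack relative URLs
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .BlockAllMixedContent()
    .ReportUris(r => r.Uris("/csp-report")));

// 5. Violation reports arrive as POST bodies of type application/csp-report. Logging
//    them shows which legitimate sources the policy still lacks; swap UseCsp for
//    UseCspReportOnly above to trial a stricter policy without breaking any pages.
app.MapPost("/csp-report", async (HttpRequest request, ILogger<Program> log) =>
{
    using var reader = new StreamReader(request.Body);
    log.LogWarning("CSP violation report: {Report}", await reader.ReadToEndAsync());
    return Results.NoContent();
});

app.UseStaticFiles();
app.MapGet("/", () => Results.Content(
    "<!doctype html><title>headers demo</title><p>ok</p>", "text/html"));

app.Run();
```

Run it with dotnet run and inspect the result with curl -I against the HTTPS URL Kestrel prints at startup: the response should carry Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Referrer-Policy, and no Server header. If the site then breaks because a legitimate CDN, font or analytics origin is missing, the /csp-report log entries name exactly which directive needs the extra CustomSources entry.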
Further links/reading: a good tool to test the security headers is Geek Flare's header checker (or simply curl -I https://your.site and read the response headers yourself), and a wealth of easy-to-digest information on general .NET security best practice is available at OWASP.org.
This is just a quick point of reference to get started on .NET Core site (mostly header-based) security. What's missing? Other recommendations?