Class SecurityHeadersOptions

Namespace: Compendium.Adapters.AspNetCore.Security
Assembly: Compendium.Adapters.AspNetCore.dll

Configuration options for security headers middleware. Implements OWASP security best practices for HTTP headers.

public sealed class SecurityHeadersOptions

Properties

ContentSecurityPolicy

Gets or sets the Content-Security-Policy directive. Default: Restrictive policy suitable for APIs.

public string ContentSecurityPolicy { get; set; }

Property Value

string

Remarks

For APIs: "default-src 'none'; frame-ancestors 'none'". For web apps: customize the policy based on your needs. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

EnableContentSecurityPolicy

Gets or sets a value indicating whether to set Content-Security-Policy. Default: true.

public bool EnableContentSecurityPolicy { get; set; }

Property Value

bool

Remarks

CSP helps prevent XSS, clickjacking, and other code injection attacks.

EnableFrameOptions

Gets or sets a value indicating whether to set X-Frame-Options. Default: true.

public bool EnableFrameOptions { get; set; }

Property Value

bool

Remarks

Prevents clickjacking attacks by controlling iframe embedding.

EnableHsts

Gets or sets a value indicating whether to enable HTTP Strict Transport Security (HSTS). Default: true.

public bool EnableHsts { get; set; }

Property Value

bool

Remarks

HSTS forces browsers to use HTTPS instead of HTTP. Recommended max-age: 31536000 seconds (1 year).

EnableNoSniff

Gets or sets a value indicating whether to set X-Content-Type-Options to nosniff. Default: true.

public bool EnableNoSniff { get; set; }

Property Value

bool

Remarks

Prevents browsers from MIME-sniffing responses away from the declared Content-Type, reducing the risk of XSS attacks.

EnablePermissionsPolicy

Gets or sets a value indicating whether to set Permissions-Policy. Default: true.

public bool EnablePermissionsPolicy { get; set; }

Property Value

bool

Remarks

Controls browser features and APIs (formerly Feature-Policy).

EnablePermittedCrossDomainPolicies

Gets or sets a value indicating whether to set X-Permitted-Cross-Domain-Policies. Default: true.

public bool EnablePermittedCrossDomainPolicies { get; set; }

Property Value

bool

Remarks

Controls whether cross-domain policy files (used by clients such as Adobe Flash and PDF readers) are honored. Recommended: "none" to prevent cross-domain data loading.

EnableReferrerPolicy

Gets or sets a value indicating whether to set Referrer-Policy. Default: true.

public bool EnableReferrerPolicy { get; set; }

Property Value

bool

Remarks

Controls how much referrer information is included with requests.

FrameOptionsValue

Gets or sets the X-Frame-Options value. Default: DENY.

public string FrameOptionsValue { get; set; }

Property Value

string

Remarks

Options: DENY, SAMEORIGIN, ALLOW-FROM uri. DENY is the most secure option but prevents all iframe embedding. Note that ALLOW-FROM is obsolete and ignored by current browsers; use the CSP frame-ancestors directive to allow specific origins.

HstsIncludeSubDomains

Gets or sets a value indicating whether to include subdomains in HSTS. Default: true.

public bool HstsIncludeSubDomains { get; set; }

Property Value

bool

HstsMaxAgeSeconds

Gets or sets the HSTS max-age in seconds. Default: 31536000 (1 year).

public int HstsMaxAgeSeconds { get; set; }

Property Value

int

HstsPreload

Gets or sets a value indicating whether to enable HSTS preload. Default: false (requires manual submission to HSTS preload list).

public bool HstsPreload { get; set; }

Property Value

bool

PermissionsPolicyValue

Gets or sets the Permissions-Policy directive. Default: Restrictive policy disabling all features.

public string PermissionsPolicyValue { get; set; }

Property Value

string

Remarks

Example: "geolocation=(), microphone=(), camera=()". For APIs, typically disable all features: "geolocation=(), microphone=(), camera=(), payment=(), usb=()".

PermittedCrossDomainPoliciesValue

Gets or sets the X-Permitted-Cross-Domain-Policies value. Default: none.

public string PermittedCrossDomainPoliciesValue { get; set; }

Property Value

string

ReferrerPolicyValue

Gets or sets the Referrer-Policy value. Default: strict-origin-when-cross-origin.

public string ReferrerPolicyValue { get; set; }

Property Value

string

Remarks

Options: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.

RemoveServerHeader

Gets or sets a value indicating whether to remove the Server header. Default: true.

public bool RemoveServerHeader { get; set; }

Property Value

bool

Remarks

Removing the Server header reduces information disclosure: the server technology and version are no longer advertised to clients.

RemoveXPoweredByHeader

Gets or sets a value indicating whether to remove the X-Powered-By header. Default: true.

public bool RemoveXPoweredByHeader { get; set; }

Property Value

bool

Remarks

Removes technology fingerprinting headers.

Methods

ForApi()

Gets a default configuration suitable for REST APIs.

public static SecurityHeadersOptions ForApi()

Returns

SecurityHeadersOptions

ForWebApp()

Gets a default configuration suitable for web applications with static content.

public static SecurityHeadersOptions ForWebApp()

Returns

SecurityHeadersOptions
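The following is an added example, not code from the Compendium library or this page: it starts from the ForWebApp() preset, tightens the CSP, framing, Permissions-Policy and HSTS properties documented above for a browser-facing app, and includes a hypothetical helper (RenderHstsHeader, not a library API) that renders the Strict-Transport-Security value those HSTS properties describe while refusing to emit 'preload' unless the HSTS preload list submission requirements (max-age of at least one year and includeSubDomains) are met.

```csharp
using System;
using System.Collections.Generic;
using Compendium.Adapters.AspNetCore.Security;

// Added example; SecurityHeadersExample and RenderHstsHeader are hypothetical names.
public static class SecurityHeadersExample
{
    public static SecurityHeadersOptions BuildWebAppOptions()
    {
        var options = SecurityHeadersOptions.ForWebApp();

        // A web app must load its own scripts and styles; everything else stays closed.
        // frame-ancestors 'self' is kept consistent with X-Frame-Options SAMEORIGIN below,
        // since browsers that support CSP let frame-ancestors override X-Frame-Options.
        options.ContentSecurityPolicy =
            "default-src 'self'; script-src 'self'; object-src 'none'; " +
            "frame-ancestors 'self'; base-uri 'self'";
        options.FrameOptionsValue = "SAMEORIGIN";

        // Lock down browser features the app never uses.
        options.PermissionsPolicyValue =
            "geolocation=(), microphone=(), camera=(), payment=(), usb=()";

        // One-year HSTS covering subdomains; preload stays off until the domain
        // has actually been submitted to the preload list.
        options.HstsMaxAgeSeconds = 31536000;
        options.HstsIncludeSubDomains = true;
        options.HstsPreload = false;

        return options;
    }

    // Renders the Strict-Transport-Security header value for the given options.
    // Guards against sending a 'preload' directive that the preload list would reject
    // (it requires max-age >= 31536000 and includeSubDomains).
    public static string RenderHstsHeader(SecurityHeadersOptions options)
    {
        if (!options.EnableHsts)
            throw new InvalidOperationException("HSTS is disabled in these options.");
        if (options.HstsMaxAgeSeconds <= 0)
            throw new ArgumentOutOfRangeException(nameof(options), "HSTS max-age must be positive.");

        var directives = new List<string> { $"max-age={options.HstsMaxAgeSeconds}" };
        if (options.HstsIncludeSubDomains)
            directives.Add("includeSubDomains");
        if (options.HstsPreload)
        {
            if (options.HstsMaxAgeSeconds < 31536000 || !options.HstsIncludeSubDomains)
                throw new InvalidOperationException(
                    "HSTS preload requires max-age >= 31536000 and includeSubDomains.");
            directives.Add("preload");
        }
        return string.Join("; ", directives);
    }
}
```

With the options built above, RenderHstsHeader returns "max-age=31536000; includeSubDomains"; flipping HstsPreload to true appends "; preload" only because the max-age and subdomain requirements are already satisfied.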