The Content Security Policy middleware for ASP.NET Core adds the Content-Security-Policy HTTP response header to reduce the risks of XSS attacks on modern browsers.
- Include the ContentSecurityPolicy package in the project.json.

```json
"dependencies": {
  "ContentSecurityPolicy": ""
}
```
- Modify the Configure method in startup.cs.

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // Register the middleware early so every response below it gets the header.
    app.UseContentSecurityPolicy(
        new ContentSecurityPolicyHeader()
            .AddDefaultContentSecurityPolicyDirectives()
    );

    app.Run(async (context) =>
    {
        await context.Response.WriteAsync("Hello Content Security Policy!");
    });
}
```
AddDefaultContentSecurityPolicyDirectives is an extension method on the ContentSecurityPolicyHeader class that adds a Content-Security-Policy header with the following default set of directives:

```
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
```
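To confirm that the header the middleware emits is what you expect, the following added example (not part of the ContentSecurityPolicy package) parses a Content-Security-Policy value into its directives and flags the usual weak spots; the only input it uses is the default policy quoted above, embedded as a constructed sample.

```python
"""Parse and audit a Content-Security-Policy header value (standard library only)."""
from typing import Dict, List

# Constructed sample: the default policy the middleware emits, as quoted above.
DEFAULT_POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
                  "img-src 'self'; style-src 'self';")

# Source expressions that weaken a policy wherever they appear.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {name: [src, ...]}.
    Directive names are case-insensitive; a trailing ';' is tolerated and
    repeated directives are merged."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue was found."""
    policy = parse_csp(header)
    findings: List[str] = []
    default = policy.get("default-src")
    if default is None:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    for name, sources in policy.items():
        for src in sources:
            if src in RISKY_SOURCES:
                findings.append(f"{name} allows {src}")
    # object-src inherits default-src, so leaving it unset is only safe with 'none'.
    if "object-src" not in policy and default != ["'none'"]:
        findings.append("object-src not set and default-src is not 'none'")
    # base-uri never inherits default-src, so it must be set explicitly.
    if "base-uri" not in policy:
        findings.append("base-uri not set; it does not inherit from default-src")
    return findings


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Audit the CSP in a captured response header dict (names case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return audit_csp(value)
    return ["Content-Security-Policy header missing"]
```

Run it against the headers of a response from the app above; the default policy passes the source checks and only reports that base-uri is not covered by default-src.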