Section 6 of 6

HTTPS and Security Headers

🎯 What You'll Learn

  • Enforcing HTTPS
  • HSTS (HTTP Strict Transport Security)
  • Security headers
  • Content Security Policy
  • X-Frame-Options

Enforcing HTTPS

UseHttpsRedirection() answers plain-HTTP requests with a redirect to the same URL under https://, and UseHsts() adds the Strict-Transport-Security header to HTTPS responses. Both are skipped in Development so the loopback site keeps working over HTTP and no HSTS policy gets cached for localhost.

Program.cs C#
var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHttpsRedirection(); // 307 redirect of http:// requests to https://
    app.UseHsts();              // HTTP Strict Transport Security
}

Two things silently defeat the redirect. First, the middleware must know which port to send clients to: set ASPNETCORE_HTTPS_PORT, configure it through AddHttpsRedirection, or give Kestrel an HTTPS endpoint; otherwise it logs "Failed to determine the https port for redirect" and passes HTTP requests through untouched. Second, behind a TLS-terminating reverse proxy every request reaches the app as plain HTTP, so UseForwardedHeaders() must run before UseHttpsRedirection() or the app redirects in a loop.

HSTS (HTTP Strict Transport Security)

HSTS is the Strict-Transport-Security response header. A browser that receives it over HTTPS caches the policy for max-age seconds and, for that long, rewrites every http:// URL for the site to https:// before the request leaves the machine and refuses to click through certificate errors. That removes the repeat-visit window in which a redirect-only setup is still exposed to SSL stripping; the very first visit is only covered by the preload list. Browsers ignore the header on plain-HTTP responses, and the ASP.NET Core middleware never adds it for localhost, 127.0.0.1 or [::1].

Configure HSTS C#
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // default is 30 days; preload requires at least one year
    options.IncludeSubDomains = true;         // every subdomain must then be served over HTTPS
    options.Preload = true;                   // adds the preload token; submission to hstspreload.org is a separate step
});

Treat the last two settings as one-way doors. includeSubDomains breaks any subdomain that still answers only on plain HTTP, including ones owned by other teams, and a preloaded entry ships inside browser builds and can take months to remove. Submit to the preload list only after everything under the domain has served HTTPS cleanly for a while.
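The two sections above configure redirection and HSTS with defaults. The following Program.cs is an added example, not the tutorial's own code, showing the options a deployment usually needs to set explicitly: the HTTPS port the redirect targets, the redirect status code, and hosts excluded from HSTS. The port 443 and the host name dev.internal.example are assumptions for illustration.

```csharp
// Program.cs (added example): explicit HTTPS redirection and HSTS options.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpsRedirection(options =>
{
    // Without a known HTTPS port (this option, ASPNETCORE_HTTPS_PORT, or an
    // HTTPS Kestrel endpoint) the middleware logs a warning and does not
    // redirect at all. 443 is assumed here for a typical deployment.
    options.HttpsPort = 443;

    // Default is 307. 308 is also method-preserving and is cacheable, so
    // browsers stop asking for the http:// URL; 301/302 would turn POSTs
    // into GETs and lose their bodies.
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
});

builder.Services.AddHsts(options =>
{
    // Preload submission needs max-age >= 1 year, includeSubDomains and preload.
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = true;

    // localhost, 127.0.0.1 and [::1] are excluded by default. Add any other
    // host that is legitimately reached over plain HTTP (assumed name).
    options.ExcludedHosts.Add("dev.internal.example");
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts(); // Strict-Transport-Security is only added to HTTPS responses
}

// Redirecting in Development is harmless: the dev certificate serves HTTPS,
// and leaving the call outside the conditional mirrors the project template.
app.UseHttpsRedirection();

app.MapGet("/", () => "served over TLS");

app.Run();
```

Check the result with curl: a request to the http:// URL should return the 308 with a Location header pointing at https://, and only the https:// response should carry Strict-Transport-Security.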

Security Headers

1. X-Content-Type-Options

Prevents MIME type sniffing. With nosniff the browser trusts the Content-Type you send instead of guessing from the bytes, so an uploaded file served as text/plain or image/png cannot be reinterpreted as HTML or script, and a <script src> that returns a non-JavaScript type is refused.

Add Header C#
app.Use(async (context, next) =>
{
    // Use the indexer (or Headers.Append). Headers.Add throws if another
    // component already set the same header, and the analyzer flags it (ASP0019).
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await next();
});

2. X-Frame-Options

Prevents clickjacking by controlling whether other sites may embed your pages in an iframe. DENY forbids all framing; SAMEORIGIN allows only your own origin. The CSP directive frame-ancestors supersedes this header and lets you name specific allowed origins, so send both: X-Frame-Options for older clients, frame-ancestors for everything else.

Add Header C#
context.Response.Headers["X-Frame-Options"] = "DENY";
// or "SAMEORIGIN" to allow same-origin framing

3. X-XSS-Protection

This header controlled the reflected-XSS filter in old Internet Explorer and Chrome. Chromium removed the filter in 2019 and Firefox never had one, so the header no longer protects anyone, and in browsers that still honour it the filter's selective blocking has been abused as a side channel to leak page content. Current guidance (OWASP Secure Headers Project) is to send 0, which disables the filter, and rely on CSP instead.

Add Header C#
context.Response.Headers["X-XSS-Protection"] = "0"; // turn the legacy filter off; CSP does this job

4. Referrer-Policy

Controls how much of the current URL goes into the Referer header when the user follows a link or the page loads a resource. strict-origin-when-cross-origin sends the full URL to same-origin destinations, only the origin (scheme and host) to cross-origin HTTPS destinations, and nothing when going from HTTPS to HTTP, so paths and query strings (which often carry ids, tokens or search terms) stay on your site. Modern browsers already default to this value; setting it explicitly covers older ones and documents the intent.

Add Header C#
context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";

5. Content-Security-Policy (CSP)

Tells the browser which origins each kind of resource may be loaded from, so an injected <script src="https://attacker.example/x.js"> or inline <script> block is refused even after the markup has reached the page. 'self' means the page's own origin, and default-src applies to every resource type that has no directive of its own. Note what the policy below excludes: inline scripts and styles, eval(), and anything on a third-party CDN. That is the point of it, but it also means Razor views with inline <script> or <style> blocks stop working until they are moved to files or given a per-request nonce or hash. Roll out a new policy with the Content-Security-Policy-Report-Only header first; it reports violations without blocking anything.

Add CSP Header C#
context.Response.Headers["Content-Security-Policy"] =
    "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'";

Complete Security Headers Middleware

Program.cs C#
app.Use(async (context, next) =>
{
    var headers = context.Response.Headers; // indexer overwrites; Add would throw on duplicates
    headers["X-Content-Type-Options"] = "nosniff";
    headers["X-Frame-Options"] = "DENY";
    headers["X-XSS-Protection"] = "0"; // disable the removed legacy filter
    headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    headers["Content-Security-Policy"] =
        "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; " +
        "frame-ancestors 'none'"; // CSP equivalent of X-Frame-Options: DENY
    await next();
});
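The CSP section notes that a 'self'-only policy breaks inline scripts, and the complete middleware above hard-codes one policy for every request. The following Program.cs is an added example, not the tutorial's own code, that packages the same headers as a reusable middleware and generates a per-request nonce so inline scripts can keep working without 'unsafe-inline'. The class names, the csp-nonce item key and the demo endpoint are assumptions made for this example.

```csharp
// Program.cs (added example): security headers as middleware with a CSP nonce.
using System.Security.Cryptography;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.UseSecurityHeaders();

// Demo page: the first script carries this request's nonce and runs; the
// second is byte-identical apart from the nonce and is blocked by the browser.
app.MapGet("/", (HttpContext ctx) =>
{
    var nonce = (string)ctx.Items["csp-nonce"]!;
    var html =
        "<!doctype html><title>CSP nonce demo</title>" +
        $"<script nonce=\"{nonce}\">document.title = 'nonce accepted';</script>" +
        "<script>document.title = 'blocked by CSP';</script>";
    return Results.Content(html, "text/html");
});

app.Run();

sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // 128 bits from the CSPRNG, base64 encoded, fresh for every response.
        // A reused or predictable nonce is equivalent to 'unsafe-inline'.
        var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        context.Items["csp-nonce"] = nonce; // views read this to emit nonce="..."

        // Set headers right before the response starts so nothing downstream
        // can remove them; the indexer overwrites instead of throwing.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            headers["X-Content-Type-Options"] = "nosniff";
            headers["X-Frame-Options"] = "DENY";  // for clients without frame-ancestors support
            headers["X-XSS-Protection"] = "0";    // legacy filter off, CSP does the work
            headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
            headers["Content-Security-Policy"] =
                "default-src 'self'; " +
                $"script-src 'self' 'nonce-{nonce}'; " + // only scripts carrying this nonce
                "style-src 'self'; " +
                "img-src 'self' data:; " +
                "font-src 'self'; " +
                "object-src 'none'; " +     // no plugin content at all
                "base-uri 'self'; " +       // injected <base> cannot redirect relative URLs
                "form-action 'self'; " +    // forms may only submit back to this origin
                "frame-ancestors 'none'";   // modern replacement for X-Frame-Options: DENY
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

static class SecurityHeadersExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}
```

In a Razor view the same value is available as Context.Items["csp-nonce"], so an inline block becomes <script nonce="@Context.Items["csp-nonce"]">. Open the demo page with the developer console visible: the title reads "nonce accepted" and the console shows one CSP violation for the script without a nonce, which is exactly the behaviour an injected script would get.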

Best Practices

  • Always use HTTPS in production: redirect HTTP, and make sure the redirect middleware knows the HTTPS port
  • Enable HSTS: once the whole domain serves HTTPS, so browsers stop sending plain-HTTP requests at all
  • Add security headers: each closes a different class of attack; together they are defense in depth
  • Use CSP: the one header that limits what injected markup can do; start with Content-Security-Policy-Report-Only
  • Test headers: curl -sI https://yourapp/ shows what is actually sent; securityheaders.com grades a public site

Key Takeaways

  • UseHttpsRedirection(): Redirect to HTTPS
  • UseHsts(): HTTP Strict Transport Security
  • X-Content-Type-Options: Prevent MIME sniffing
  • X-Frame-Options and frame-ancestors: Prevent clickjacking
  • CSP: Control resource loading
  • Security headers: Multiple layers of protection

🎉 Part XIV Complete!

Congratulations! You've completed Part XIV: Security Best Practices. You now understand:

  • ✅ OWASP Top 10 vulnerabilities and prevention
  • ✅ XSS protection (Razor encoding, CSP)
  • ✅ CSRF protection (anti-forgery tokens)
  • ✅ SQL Injection prevention (parameterized queries, EF Core)
  • ✅ Data Protection API (encryption/decryption)
  • ✅ HTTPS enforcement and security headers

You now have the knowledge to build secure ASP.NET Core applications! 🔒