This package builds security policies for ASP.NET projects, including both Blazor Server and the server part of a Server Hosted Blazor WebAssembly project.
We recommend cloning or forking this repo and looking at how the example Blazor Server project builds its security policies in `Program.cs`.
In general this package lets you cleanly add a set of security headers to the outgoing responses for resource requests. The best references for both the CSP and the miscellaneous security headers are the MDN documents starting here. An article specifically addressing ASP.NET Blazor is found here.
- Add `builder.Services.AddHttpsSecurityHeaders()` in your `Program.cs` file, specifying the options that you require.
- Add `app.UseHttpSecurityHeaders();` together with `app.UseCompressedStaticFiles();` in `Startup.Configure()`. By default CompressedStaticFiles is configured to allow slightly larger files for some image formats, because they can store more pixels per byte; this can be disabled by calling `builder.CompressedStaticFileOptions.RemoveImageSubstitutionCostRatio()`.
An example can be found in the Example directory.
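As an added illustration (not the package's own Example project), a minimal Blazor Server `Program.cs` that wires in the two calls described above. The option lambda is omitted because its shape is not documented here, so the package defaults apply; placing `UseHttpSecurityHeaders()` before the static file middleware and the Blazor endpoints, and using `UseCompressedStaticFiles()` in place of `UseStaticFiles()`, are the editor's assumptions.

```csharp
// Added example, not the package's Example project. Assumptions: default header
// options; UseHttpSecurityHeaders placed before static files and endpoints so
// that every response, including static assets, carries the security headers;
// UseCompressedStaticFiles used instead of the stock UseStaticFiles.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();
// Register the security header policy; pass options here when you need a
// stricter CSP than the defaults (see the README and the Example project).
builder.Services.AddHttpsSecurityHeaders();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
}

app.UseHttpsRedirection();

// Emit CSP and the other security headers on every outgoing response.
// Registered before static files so those responses are covered too.
app.UseHttpSecurityHeaders();

// Assumed to replace app.UseStaticFiles(): serves pre-compressed assets.
app.UseCompressedStaticFiles();

app.UseRouting();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
```

Verify the result by loading the site with the browser developer tools open: the response headers should show the CSP, and the uncommented external stylesheet described below should be reported as a CSP violation in the console.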
If you are running from a cloned repository you can uncomment the `<link rel='stylesheet' href='https://a.com/a.css'>` line in `_Host.cshtml` to cause a security violation.