What is the best practice of adding security headers to a response

bokamera · January 16, 2024, 2:23pm

Hi,
we want to add the following security headers to each response. What is the best way to do that

Strict-Transport-Security “max-age=31536000; includeSubDomains” always;
X-XSS-Protection “1; mode=block”;
X-frame-options “SAMEORIGIN”;
X-Content-Type-Options “nosniff”;

I can create a response filter but not sure this is the correct way

mythz · January 16, 2024, 2:36pm

If they’re static I would add them to the GlobalResponseHeaders, e.g:

SetConfig(new HostConfig {
    GlobalResponseHeaders =
    {
        ["Strict-Transport-Security"] = "...",
        ["X-XSS-Protection"] = "...",
        ["X-frame-options"] = "...",
        ["X-Content-Type-Options"] = "...",
    }
});

If they need to be dynamically applied, e.g. conditionally per request I’d add them in a Global Response Filter.

bokamera · January 16, 2024, 3:02pm

mythz:

 GlobalResponseHeaders =
    {
        ["Strict-Transport-Security"] = "...",
        ["X-XSS-Protection"] = "...",
        ["X-frame-options"] = "...",
        ["X-Content-Type-Options"] = "...",
    }

Thx just what i was looking for!