microbian-systems/HardHat

Help secure .net core apps with various HTTP headers (such as CSP's)

Hard Hat

HardHat is a set of .NET Core middleware that adds HTTP response headers to help protect your site from common web vulnerabilities such as clickjacking, MIME sniffing and content injection. It is inspired by helmetJS. The docs are still a work in progress, so please feel free to submit changes to them.

In short, it lets you wire the headers up from the Configure method of your Startup class:

```csharp
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
// Register the HardHat middleware before MVC so the headers are attached to every response.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...
    app.UseDnsPrefetch(allow: false); // turn off DNS prefetch to protect the privacy of users
    app.UseFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN)); // prevent clickjacking by not allowing your site to be rendered in an iframe from another origin
    // app.UseFrameGuard(new FrameGuardOptions("otherdomain.com")); // or allow iframes on one other domain
    app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false); // tell browsers to use HTTPS only for the next 5000 seconds.
    // Production deployments normally use a year (31536000) and enable preload only once every subdomain serves HTTPS,
    // because the policy cannot be revoked from browsers that have already cached it.
    app.UseReferrerPolicy(ReferrerPolicy.NoReferrer); // do not send the Referer header when linking away from your site, to protect your users' privacy
    app.UseIENoOpen(); // don't allow old IE to open downloads in the security context of your site
    app.UseNoMimeSniff(); // prevent MIME sniffing https://en.wikipedia.org/wiki/Content_sniffing
    app.UseCrossSiteScriptingFilters(); // add the X-XSS-Protection header so legacy browsers try to detect and block reflected XSS
    // (current browsers have removed this filter; CSP is the effective control)
    app.UseContentSecurityPolicy( // provide a security policy so content may only be loaded from trusted sources
        new ContentSecurityPolicyBuilder()
        .WithDefaultSource(CSPConstants.Self)
        .WithImageSource("http://images.mysite.com") // on an HTTPS site prefer an https:// source, or browsers treat the images as mixed content
        .WithFontSource(CSPConstants.Self)
        .WithFrameAncestors(CSPConstants.None)
        .BuildPolicy()
       );
    app.UseHpkp(maxAge: 5184000, keys: new List<PublicKeyPin>{ // pin the SPKI hashes of your certificate chain to detect a MITM presenting a different key
        new PublicKeyPin("cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=", HpKpCrypto.sha256),
        new PublicKeyPin("M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=", HpKpCrypto.sha256)
    }, includeSubDomains: true, reportUri: "/report", reportOnly: false);
    // HPKP is no longer honoured by major browsers and a mistaken pin can lock users out of your site
    // until max-age expires; always pin a backup key, and prefer Certificate Transparency monitoring today.
    ...
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}
```

Getting started

  • Install the NuGet package: Install-Package HardHat
  • Add the middleware you want to the Configure block of your Startup class, before app.UseMvc as in the example above, so the headers are applied to every response.
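Once the middleware is in place, the only thing that matters is what actually reaches the browser, so it is worth auditing the response headers rather than trusting the configuration. The script below is an added example (not part of HardHat) that takes a set of response headers and flags the weak spots in the configuration shown above: a short HSTS max-age, a plaintext image source in the CSP, and HPKP still being sent. The SAMPLE_HEADERS dict is constructed here from the standard header syntax; the exact strings HardHat emits are an assumption, and in practice you would feed in the headers from a real response (for example from requests or curl -I).

```python
"""Audit HTTP response headers against the hardening a HardHat-style Configure block sets up.
Added example; not HardHat's own code."""
import re

ONE_YEAR = 31536000  # HSTS max-age recommended for production, in seconds

# Constructed sample of the headers the README's configuration would be expected to produce
# (spec-conformant syntax; that HardHat emits exactly these strings is an assumption).
SAMPLE_HEADERS = {
    "X-DNS-Prefetch-Control": "off",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=5000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
    "X-Download-Options": "noopen",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; img-src http://images.mysite.com; "
                               "font-src 'self'; frame-ancestors 'none'",
    "Public-Key-Pins": 'pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; '
                       'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; '
                       'max-age=5184000; includeSubDomains; report-uri="/report"',
}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value in seconds, or None if absent."""
    match = re.search(r"max-age=(\d+)", value)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Headers that should be present on every response; a value of None means "any value".
    required = {
        "x-content-type-options": "nosniff",
        "x-frame-options": None,
        "referrer-policy": None,
        "content-security-policy": None,
        "strict-transport-security": None,
    }
    for name, expected in required.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif expected is not None and h[name].strip().lower() != expected:
            findings.append(f"{name}: expected {expected!r}, got {h[name]!r}")

    # HSTS only protects returning visitors for as long as max-age says it does.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        age = parse_hsts_max_age(hsts)
        if age is None:
            findings.append("strict-transport-security: no max-age directive")
        elif age < ONE_YEAR:
            findings.append(f"strict-transport-security: max-age {age}s is below one year ({ONE_YEAR}s)")

    # CSP: insist on a default-src fallback and reject plaintext or wildcard sources.
    csp = h.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("content-security-policy: no default-src fallback directive")
        for directive, sources in policy.items():
            for src in sources:
                if src.startswith("http://"):
                    findings.append(f"content-security-policy: {directive} allows plaintext source {src}")
                if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"content-security-policy: {directive} allows {src}")

    # HPKP is no longer enforced by major browsers and a wrong pin can lock users out.
    if "public-key-pins" in h:
        findings.append("public-key-pins: HPKP is obsolete and risky; rely on Certificate Transparency monitoring instead")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Run against SAMPLE_HEADERS this reports three findings (the 5000-second HSTS max-age, the http:// image source and the HPKP header); raising max-age to a year, switching the image host to https:// and dropping app.UseHpkp clears all of them.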
