SafeWebCore is a lightweight, high-performance .NET 10 middleware library that adds security headers to your ASP.NET Core applications. It targets an A+ rating on securityheaders.com out of the box โ zero configuration required.
- ๐ A+ in one line โ
AddNetSecureHeadersStrictAPlus()configures the strictest security headers instantly - ๐ ๏ธ Fully custom โ
AddNetSecureHeaders(opts => { ... })gives you complete control over every header - ๐งฉ Nonce-based CSP โ per-request cryptographic nonces for
script-srcandstyle-src - ๐ Full CSP Level 3 (W3C Recommendation) โ all directives including
worker-src,manifest-src,frame-src,script-src-elem/attr,style-src-elem/attr,report-to, nonce/hash support,strict-dynamic - ๐ฎ CSP Level 4 ready โ Trusted Types (
require-trusted-types-for,trusted-types),fenced-frame-src(Privacy Sandbox) - ๐ฏ Fluent CSP Builder โ type-safe, chainable API with full XML documentation for every directive
- โก Zero-allocation nonce generation โ
stackalloc+RandomNumberGeneratoron the hot path, plusTryWriteNonce(Span<char>)for fully heap-free scenarios - ๐
HttpContext.GetCspNonce()โ discoverable extension method to retrieve the per-request nonce - ๐ Server header removal โ hides server technology from attackers
- ๐ Extensible โ add custom
IHeaderPolicyimplementations for any header - ๐ CSP violation reporting โ built-in middleware for
/csp-reportendpoint using Reporting API v1
| Standard | Status | Coverage |
|---|---|---|
| CSP Level 3 (W3C Recommendation) | โ Full | All 22 directives, nonce/hash, strict-dynamic, report-to |
| CSP Level 4 (Emerging) | โ Ready | Trusted Types, fenced-frame-src (Privacy Sandbox) |
v1.1.0 is a performance and developer-experience release โ fully backwards compatible with v1.0.0.
| Improvement | Detail |
|---|---|
| Pre-built CSP template | CSP header string is computed once at startup, not per-request |
StringBuilder-based Build() |
Eliminates ~20 intermediate string allocations in CSP header generation |
HttpContext.GetCspNonce() |
New extension method โ no more magic string lookups |
NonceService.TryWriteNonce(Span<char>) |
Zero-allocation nonce generation for high-throughput paths |
NonceService.NonceLength |
Public constant (44) for pre-allocating nonce buffers |
| CancellationToken in CSP reporting | Report reads now respect client disconnects |
| Modern C# patterns | Pattern matching, cleaner preset application, reduced boilerplate |
See the full CHANGELOG for details.
dotnet add package SafeWebCoreusing SafeWebCore.Extensions;
var builder = WebApplication.CreateBuilder(args);
// Adds ALL security headers with the strictest A+ configuration
builder.Services.AddNetSecureHeadersStrictAPlus();
var app = builder.Build();
app.UseNetSecureHeaders();
app.MapGet("/", () => "Hello, secure world!");
app.Run();That's it! Your application now returns these headers on every response:
| Header | Value |
|---|---|
Strict-Transport-Security |
max-age=63072000; includeSubDomains; preload |
X-Frame-Options |
DENY |
X-Content-Type-Options |
nosniff |
Referrer-Policy |
no-referrer |
Permissions-Policy |
All features denied |
Cross-Origin-Embedder-Policy |
require-corp |
Cross-Origin-Opener-Policy |
same-origin |
Cross-Origin-Resource-Policy |
same-origin |
X-DNS-Prefetch-Control |
off |
X-Permitted-Cross-Domain-Policies |
none |
Content-Security-Policy |
Nonce-based, strict-dynamic, Trusted Types |
Server |
(removed) |
The preset is intentionally strict. Relax only what your app needs. CSP directives are space-separated โ add multiple origins in a single string:
builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
{
// Multiple CDNs โ just separate with spaces
opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn1.example.com https://cdn2.example.com data:" };
// Multiple directives at once using 'with { ... }'
opts.Csp = opts.Csp with
{
ConnectSrc = "'self' https://api.example.com wss://ws.example.com",
FontSrc = "'self' https://fonts.gstatic.com https://cdn.example.com"
};
// Non-CSP headers are simple string properties
opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
});๐ก Tip: Each CSP directive is one string with space-separated sources. Use a single
with { ... }block to change multiple directives at once.
For complete control, use AddNetSecureHeaders with the fluent CSP builder:
using SafeWebCore.Builder;
using SafeWebCore.Extensions;
builder.Services.AddNetSecureHeaders(opts =>
{
opts.EnableHsts = true;
opts.HstsValue = "max-age=31536000; includeSubDomains";
opts.EnableXFrameOptions = true;
opts.XFrameOptionsValue = "SAMEORIGIN";
opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
// Use the fluent CSP builder
opts.Csp = new CspBuilder()
.DefaultSrc("'none'")
.ScriptSrc("'nonce-{nonce}' 'strict-dynamic' https:")
.StyleSrc("'nonce-{nonce}'")
.ImgSrc("'self' https: data:")
.FontSrc("'self' https://fonts.gstatic.com")
.ConnectSrc("'self' wss://realtime.example.com")
.FrameAncestors("'none'")
.BaseUri("'none'")
.FormAction("'self'")
.UpgradeInsecureRequests()
.Build();
});SafeWebCore generates a unique cryptographic nonce per request. Use it in your scripts and styles:
using SafeWebCore.Attributes;
[CspNonce]
public class HomeController : Controller
{
public IActionResult Index() => View();
}<!-- In your Razor view -->
<script nonce="@ViewData["CspNonce"]">
console.log("This script is allowed by CSP");
</script>
<style nonce="@ViewData["CspNonce"]">
body { font-family: sans-serif; }
</style>using SafeWebCore.Extensions;
// In Minimal APIs, middleware, Razor Pages, etc.
var nonce = HttpContext.GetCspNonce();var nonce = HttpContext.Items[NetSecureHeaders.CspNonceKey] as string;Enable the built-in CSP report endpoint to catch policy violations:
var app = builder.Build();
app.UseCspReport(); // Handles POST /csp-report
app.UseNetSecureHeaders();
app.Run();Configure the CSP to send reports:
builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
{
opts.Csp = opts.Csp with { ReportTo = "default" };
});Violations are logged at Warning level via ILogger.
SafeWebCore/
โโโ src/SafeWebCore/
โ โโโ Abstractions/ # IHeaderPolicy interface
โ โโโ Attributes/ # [CspNonce] action filter
โ โโโ Builder/ # Fluent CspBuilder
โ โโโ Constants/ # Header name constants
โ โโโ Extensions/ # DI and middleware extensions
โ โโโ Infrastructure/ # NonceService, CspReportMiddleware
โ โโโ Middleware/ # NetSecureHeadersMiddleware
โ โโโ Options/ # NetSecureHeadersOptions, CspOptions
โ โโโ Presets/ # SecurePresets (Strict A+)
โโโ tests/SafeWebCore.Tests/ # xUnit v3 tests
โโโ docs/ # Documentation
โโโ .github/ # CI, issue templates
| Document | Description |
|---|---|
| Getting Started | Installation, first setup, verification |
| Security Headers | Every header explained with rationale |
| CSP Configuration | CSP builder, nonces, directives guide |
| Presets | Strict A+ preset details and customization |
| Advanced Configuration | Custom policies, reporting, per-route config |
# Build
dotnet build
# Run tests
dotnet test
# Run tests with coverage
dotnet tool install -g dotnet-coverage
dotnet-coverage collect -f cobertura -o coverage.cobertura.xml dotnet testAfter deploying your application, verify your headers with these tools:
Scans all response headers and grades your site A+ through F. Validates HSTS, CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy, and more.
With SafeWebCore's Strict A+ preset you should score A+ immediately.
Paste your Content-Security-Policy header value to check for common CSP misconfigurations:
- โ Missing
object-src 'none' - โ
'unsafe-inline'without a nonce or hash - โ Missing
'strict-dynamic'for trust propagation - โ Overly permissive wildcards (
*,https:) - โ
Nonce-based policy with
'strict-dynamic'(SafeWebCore default)
Open DevTools โ Network tab โ Response Headers to inspect headers on every request. Any CSP violations will also appear in the Console tab.
See CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License. See LICENSE for details.
See CHANGELOG.md for release history.