Getting Started with SafeWebCore

Prerequisites

  • .NET 10 SDK or later
  • Visual Studio 2026+ / VS Code with C# Dev Kit / JetBrains Rider

Installation

dotnet add package SafeWebCore

Or add to your .csproj:

<PackageReference Include="SafeWebCore" Version="1.1.0" />

Minimal Setup (A+ in 3 lines)

using SafeWebCore.Extensions;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddNetSecureHeadersStrictAPlus();   // 1. Register services

var app = builder.Build();
app.UseNetSecureHeaders();                            // 2. Add middleware
app.MapGet("/", () => "Secure!");                     // 3. Your endpoints

app.Run();

Fully Custom Setup

Prefer full control? Use AddNetSecureHeaders and configure every header yourself:

using SafeWebCore.Builder;
using SafeWebCore.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddNetSecureHeaders(opts =>
{
    opts.EnableHsts = true;
    opts.HstsValue = "max-age=31536000; includeSubDomains";

    opts.EnableXFrameOptions = true;
    opts.XFrameOptionsValue = "SAMEORIGIN";

    opts.EnableXContentTypeOptions = true;
    opts.EnableReferrerPolicy = true;
    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";

    opts.EnablePermissionsPolicy = true;
    opts.PermissionsPolicyValue = "camera=(), microphone=(), geolocation=()";

    opts.RemoveServerHeader = true;

    // CSP — use the fluent builder
    opts.Csp = new CspBuilder()
        .DefaultSrc("'none'")
        .ScriptSrc("'nonce-{nonce}' 'strict-dynamic' https:")
        .StyleSrc("'nonce-{nonce}'")
        .ImgSrc("'self' https: data:")
        .ConnectSrc("'self'")
        .FrameAncestors("'none'")
        .BaseUri("'none'")
        .FormAction("'self'")
        .UpgradeInsecureRequests()
        .Build();
});

var app = builder.Build();
app.UseNetSecureHeaders();
app.Run();

Both methods are defined in SafeWebCore.Extensions.ServiceCollectionExtensions.

Verifying Your Headers

Option A: Browser DevTools

  1. Open your app in the browser
  2. Open DevTools → Network tab
  3. Click on the page request
  4. Check the Response Headers section

You should see all security headers listed.

Option B: curl

curl -I https://localhost:5001

If curl rejects the local ASP.NET Core development certificate, add -k or trust the certificate first with dotnet dev-certs https --trust.

Expected output for the A+ preset (truncated; with the fully custom setup you will see the values you configured instead):

HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: accelerometer=(), camera=(), microphone=(), ...
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
x-dns-prefetch-control: off
x-permitted-cross-domain-policies: none
content-security-policy: default-src 'none'; script-src 'nonce-abc123...' 'strict-dynamic'; ...

Option C: securityheaders.com

  1. Deploy your app to a public URL
  2. Visit securityheaders.com
  3. Enter your URL and scan
  4. You should see an A+ rating

This tool grades all security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy, etc.) from A+ through F.

Option D: Google CSP Evaluator

  1. Copy the Content-Security-Policy header value from DevTools or curl output
  2. Visit csp-evaluator.withgoogle.com
  3. Paste the header value and click Check CSP
  4. All checks should be green with SafeWebCore's defaults

Google's CSP Evaluator checks for common misconfigurations like missing object-src, 'unsafe-inline' without nonce, and missing 'strict-dynamic'.

💡 Tip: Always validate with both tools after any CSP changes. See the CSP Configuration Guide for detailed usage instructions.
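The checks behind Option B and Option D can be scripted so they run after every CSP change. The following Python checker is an added example and not part of SafeWebCore: it parses curl -I style output (the sample below is constructed to match the expected output above), confirms the core headers are present, and applies the three CSP Evaluator checks named above (missing object-src, 'unsafe-inline' without a nonce or hash, missing 'strict-dynamic').

```python
import re

# Constructed sample shaped like the guide's expected `curl -I` output
# (long values shortened); not captured from a real server.
SAMPLE_HEADERS = """HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: no-referrer
permissions-policy: camera=(), microphone=()
cross-origin-opener-policy: same-origin
content-security-policy: default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'
"""

REQUIRED = ["strict-transport-security", "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy", "content-security-policy"]

def parse_headers(raw: str) -> dict:
    """Turn `curl -I` output into a lower-cased {name: value} dict; status line skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_findings(policy: dict) -> list:
    """The three misconfigurations the CSP Evaluator is cited for in this guide."""
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))  # script-src falls back to default-src
    has_nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'strict-dynamic'" not in script:
        findings.append("script-src lacks 'strict-dynamic'")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src missing and not covered by default-src 'none'")
    return findings

def check(raw: str) -> list:
    """Missing required headers plus CSP findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    problems = [f"missing header: {h}" for h in REQUIRED if h not in headers]
    if "content-security-policy" in headers:
        problems += csp_findings(parse_csp(headers["content-security-policy"]))
    return problems
```

Pipe real output in with curl -I https://localhost:5001 | python3 -c 'import sys, checker; print(checker.check(sys.stdin.read()))' if you save the block as checker.py.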

Next Steps

  • Understand each header: Security Headers Guide
  • Configure CSP in detail: CSP Configuration
  • Customize the A+ preset: Presets
  • Custom policies & reporting: Advanced Configuration