Class SecurityHeadersMiddleware

Namespace
arolariu.Backend.Core.Domain.General.Middlewares
Assembly
arolariu.Backend.Core.dll

Middleware that adds security headers to all HTTP responses to enhance application security posture. Implements defense-in-depth security strategy through standardized HTTP response headers.

[ExcludeFromCodeCoverage]
internal sealed class SecurityHeadersMiddleware
Inheritance
SecurityHeadersMiddleware

Examples

// Register in middleware pipeline (typically in WebApplicationExtensions)
app.UseMiddleware<SecurityHeadersMiddleware>();

Remarks

This middleware adds the following security headers to every response:

X-Content-Type-Options: Prevents MIME type sniffing attacks by ensuring browsers respect the declared Content-Type header. Set to "nosniff" to block interpretation of non-executable files as executable content.

X-Frame-Options: Prevents clickjacking attacks by controlling whether the page can be embedded in frames or iframes. Set to "DENY" to completely prohibit framing.

X-XSS-Protection: Enables XSS filtering in legacy browsers that still support this header. Modern browsers rely on Content Security Policy instead.

Referrer-Policy: Controls how much referrer information is included with requests. Set to "strict-origin-when-cross-origin" to send the full URL for same-origin requests and only the origin for cross-origin requests over HTTPS.

Permissions-Policy: Restricts access to browser features and APIs to prevent unauthorized use of sensitive capabilities like camera, geolocation, and microphone.

Strict-Transport-Security (HSTS): Enforces HTTPS connections for one year, including all subdomains. Only applied in production environments. Includes preload directive for browser HSTS preload lists.

Content-Security-Policy (CSP): Defines allowed sources for various resource types to prevent XSS and data injection attacks. Only applied in production to avoid development friction.

Constructors

SecurityHeadersMiddleware(RequestDelegate)

Creates the middleware with the next delegate in the request pipeline.

public SecurityHeadersMiddleware(RequestDelegate next)

Parameters

next RequestDelegate

The next middleware delegate in the request pipeline.

Fields

_next

private readonly RequestDelegate _next

Field Value

RequestDelegate

Methods

AddCommonSecurityHeaders(HttpContext)

Adds security headers that are safe and recommended for all environments.

private static void AddCommonSecurityHeaders(HttpContext context)

Parameters

context HttpContext

The HTTP context containing the response headers.

AddProductionSecurityHeaders(HttpContext)

Adds security headers that should only be applied in production environments.

private static void AddProductionSecurityHeaders(HttpContext context)

Parameters

context HttpContext

The HTTP context containing the response headers.

Remarks

These headers are excluded from development to avoid interference with local debugging and to allow HTTP connections during development.

InvokeAsync(HttpContext)

Processes an HTTP request by adding security headers to the response.

public Task InvokeAsync(HttpContext context)

Parameters

context HttpContext

The HttpContext for the current request.

Returns

Task

A task that represents the asynchronous operation.

Remarks

This method adds security headers before invoking the next middleware in the pipeline. Headers are added early in the response lifecycle to ensure they are present even if downstream middleware modifies the response.
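An illustrative implementation of the behaviour described above (the header set listed under Remarks, the production-only split, and the set-before-next ordering of InvokeAsync); this is added example code, not the project's source. It assumes the hosting environment is resolved through an injected IWebHostEnvironment, that X-XSS-Protection is set to "1; mode=block" as the description implies, and the Content-Security-Policy value is a placeholder, since the page does not state the actual policy.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

// Illustrative reconstruction of the documented middleware (not the project's code).
internal sealed class SecurityHeadersMiddlewareExample
{
    private readonly RequestDelegate _next;
    private readonly IWebHostEnvironment _env; // assumption: environment is injected

    public SecurityHeadersMiddlewareExample(RequestDelegate next, IWebHostEnvironment env)
    {
        _next = next;
        _env = env;
    }

    public Task InvokeAsync(HttpContext context)
    {
        // Headers must be set before the response starts; once the first byte of the
        // body is written, modifying Response.Headers throws. Setting them before
        // calling _next guarantees they are present even if a downstream component
        // flushes early. Downstream code can still overwrite them, so a smoke test
        // of the deployed endpoint is the check that the policy actually ships.
        AddCommonSecurityHeaders(context);
        if (_env.IsProduction())
        {
            AddProductionSecurityHeaders(context);
        }
        return _next(context);
    }

    // Safe in every environment: no effect on local HTTP debugging.
    private static void AddCommonSecurityHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;
        headers["X-Content-Type-Options"] = "nosniff";
        headers["X-Frame-Options"] = "DENY";
        headers["X-XSS-Protection"] = "1; mode=block";       // legacy browsers only
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        headers["Permissions-Policy"] = "camera=(), geolocation=(), microphone=()";
    }

    // Production only: HSTS would break plain-HTTP development, and a strict CSP
    // interferes with hot-reload and debugging tooling.
    private static void AddProductionSecurityHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
        headers["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'"; // placeholder policy
    }
}
```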