
arolariu.Backend.Core.Domain.General.Middlewares Namespace

Classes

SecurityHeadersMiddleware Class

Middleware that adds security headers to every HTTP response to strengthen the application's security posture. The headers implement a defense-in-depth strategy: each one mitigates a browser-side attack class (MIME sniffing, clickjacking, referrer leakage, downgrade to plain HTTP, script injection) independently of the application code that produced the response.

internal sealed class SecurityHeadersMiddleware

Inheritance System.Object 🡒 SecurityHeadersMiddleware

Example

// Register in middleware pipeline (typically in WebApplicationExtensions)
app.UseMiddleware<SecurityHeadersMiddleware>();

Remarks

This middleware adds the following security headers to every response:

X-Content-Type-Options: Prevents MIME type sniffing attacks by ensuring browsers respect the declared Content-Type header. Set to "nosniff" to block interpretation of non-executable files as executable content.

X-Frame-Options: Prevents clickjacking attacks by controlling whether the page can be embedded in frames or iframes. Set to "DENY" to completely prohibit framing.

X-XSS-Protection: Targets the XSS filter of legacy browsers that still implement one. Chromium and Firefox no longer honour this header, and modern browsers rely on Content Security Policy instead; because the legacy filter has itself been abused as an information leak, current guidance is to send the value "0" (filter off) if the header is sent at all.

Referrer-Policy: Controls how much referrer information is included with outgoing requests. Set to "strict-origin-when-cross-origin": the full URL is sent for same-origin requests, only the origin is sent for cross-origin requests at the same security level (HTTPS to HTTPS), and no referrer is sent when the request downgrades from HTTPS to HTTP.

Permissions-Policy: Restricts access to browser features and APIs to prevent unauthorized use of sensitive capabilities like camera, geolocation, and microphone.

Strict-Transport-Security (HSTS): Instructs browsers to use HTTPS for this host for one year, including all subdomains, and carries the preload directive so the domain can be submitted to the browser HSTS preload lists. Only applied in production environments. Because preloaded entries are effectively permanent once shipped in browsers, every subdomain must already be reachable over HTTPS before this header is enabled.

Content-Security-Policy (CSP): Defines allowed sources for various resource types to prevent XSS and data injection attacks. Only applied in production to avoid development friction.

Constructors

SecurityHeadersMiddleware(RequestDelegate) Constructor

Creates the middleware, capturing the next delegate in the pipeline so it can be invoked after the security headers have been added.

public SecurityHeadersMiddleware(Microsoft.AspNetCore.Http.RequestDelegate next);

Parameters

next Microsoft.AspNetCore.Http.RequestDelegate

The next middleware delegate in the request pipeline.


Methods

SecurityHeadersMiddleware.AddCommonSecurityHeaders(HttpContext) Method

Adds security headers that are safe and recommended for all environments.

private static void AddCommonSecurityHeaders(Microsoft.AspNetCore.Http.HttpContext context);

Parameters

context Microsoft.AspNetCore.Http.HttpContext

The HTTP context containing the response headers.

SecurityHeadersMiddleware.AddProductionSecurityHeaders(HttpContext) Method

Adds security headers that should only be applied in production environments.

private static void AddProductionSecurityHeaders(Microsoft.AspNetCore.Http.HttpContext context);

Parameters

context Microsoft.AspNetCore.Http.HttpContext

The HTTP context containing the response headers.

Remarks

These headers are excluded from development to avoid interference with local debugging and to allow HTTP connections during development.

SecurityHeadersMiddleware.InvokeAsync(HttpContext) Method

Processes an HTTP request by adding security headers to the response.

public System.Threading.Tasks.Task InvokeAsync(Microsoft.AspNetCore.Http.HttpContext context);

Parameters

context Microsoft.AspNetCore.Http.HttpContext

The Microsoft.AspNetCore.Http.HttpContext for the current request.

Returns

System.Threading.Tasks.Task
A task that represents the asynchronous operation.

Remarks

This method adds the security headers before invoking the next middleware in the pipeline, so they are in place before any endpoint starts writing the response body (response headers cannot be changed once the body has begun streaming). Adding them first does not make them immutable: a downstream component that explicitly sets the same header name will overwrite the value, so nothing later in the pipeline should set these headers unless it intends to override the policy.
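The Remarks on the class above list which headers are sent, and the remarks on InvokeAsync describe when they are added; the following is an added, illustrative reimplementation written for this page to show the two together, not the project's own SecurityHeadersMiddleware source. The exact header values, the Permissions-Policy feature list, the CSP policy string, and resolving IHostEnvironment from context.RequestServices to decide whether the production-only headers apply are all assumptions made here; the constructor and InvokeAsync signatures match the ones documented on this page.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Illustrative reimplementation for this page; NOT the project's own source.
// Header values are assumptions chosen to match the behaviour described in
// the Remarks above.
internal sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task InvokeAsync(HttpContext context)
    {
        // Headers are set before the rest of the pipeline runs, so they are
        // present before any endpoint starts writing the response body.
        AddCommonSecurityHeaders(context);

        // Assumption: the hosting environment is resolved from the request's
        // service provider rather than injected through the constructor.
        var env = context.RequestServices.GetRequiredService<IHostEnvironment>();
        if (env.IsProduction())
        {
            AddProductionSecurityHeaders(context);
        }

        return _next(context);
    }

    // Headers that are safe in every environment, including local development.
    private static void AddCommonSecurityHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;
        headers["X-Content-Type-Options"] = "nosniff";
        headers["X-Frame-Options"] = "DENY";
        // "0" switches the legacy XSS auditor off; CSP is the modern control.
        headers["X-XSS-Protection"] = "0";
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        // Assumed feature list: deny camera, geolocation and microphone to all origins.
        headers["Permissions-Policy"] = "camera=(), geolocation=(), microphone=()";
    }

    // Headers that would break plain-HTTP local debugging, so production only.
    private static void AddProductionSecurityHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;
        // One year (31536000 s), subdomains included, eligible for preload lists.
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
        // Assumed policy for an API backend: same-origin resources only, no
        // plugins, and no framing by any other origin.
        headers["Content-Security-Policy"] =
            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'";
    }
}

// Minimal host showing where the middleware is registered: before any
// endpoint or static-file handling so every response, including errors,
// carries the headers.
public static class Program
{
    public static void Main(string[] args)
    {
        var app = WebApplication.CreateBuilder(args).Build();
        app.UseMiddleware<SecurityHeadersMiddleware>();
        app.MapGet("/", () => "ok");
        app.Run();
    }
}
```

Register the middleware as early as practical in the pipeline; anything that short-circuits a request before it (a static-file handler, an exception page, a redirect) would return a response without these headers. When the production branch is tested, run the application with ASPNETCORE_ENVIRONMENT=Production and inspect the response headers of both a normal response and an error response to confirm the HSTS and CSP values are present on each.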
