Skip to content

Recommended configuration for ASP.NET Core

Marthijn van den Heuvel edited this page Mar 18, 2026 · 4 revisions

In Program.cs:

using Sidio.Web.Security.AspNetCore;
using Sidio.Web.Security.AspNetCore.ContentSecurityPolicy;

// ...

// ### service configuration:
builder
    .Services
    .AddContentSecurityPolicy();

// ----------

// ### policy configuration:

// secure cookie policy
app.UseSecureCookiePolicy();

// ### middleware configuration:

// Microsoft middleware
app.UseHttpsRedirection();

// csp
app.UseContentSecurityPolicy(
    (services, b) =>
    {
        b.AddDefaultSrc(x => x.AllowSelf());
        b.AddScriptSrc(x => x.AllowStrictDynamic().AddNonce(services));
        b.AddStyleSrc(x => x.AddNonce(services));
        b.SetFrameAncestors(x => x.AllowNone());
        b.UpgradeInsecureRequests();
    });

// x-frame-options
app.UseXFrameOptions();

// x-content-type-options
app.UseXContentTypeOptions();

// hsts
app.UseStrictTransportSecurity();

// referrer-policy
app.UseReferrerPolicy();

Clone this wiki locally