Tanya Janca for OWASP DevSlop
Security Headers for ASP.Net and .Net CORE

For those who do not follow me or Franziska Bühler, we have an open source project together called OWASP DevSlop, in which we explore DevSecOps by writing vulnerable apps, creating pipelines, publishing proofs of concept, and documenting what we've learned on our YouTube channel and our blogs. In this article we will explore adding security headers to our proof of concept website, DevSlop.co. This blog post is closely related to Franziska's post, OWASP DevSlop's journey to TLS and Security Headers. If you like this one, read hers too. :)

Franziska Bühler and I installed several security headers during the OWASP DevSlop Show in Episodes 2, 2.1 and 2.2. Unfortunately we found out that a .Net Core project does not carry a web.config in source: the one on the server is generated at publish time, so the next time we published it wiped out the beautiful security headers we had added by hand. Although that is not good news, it was another chance to learn, and it gave me a great excuse to finally write the Security Headers blog post that I have been promising. Here we go!

Our web.config looked so... empty.

Just now, I added the headers back, but this time in the startup.cs file of my .Net Core app, which you can watch here. Special thanks to Damien Bod for help with the .Net Core twist.

If you want in-depth details about what we did on the show and what each security header means, you should read Franziska's blog post. She explains every step, and if you are adding security headers to your web.config for the first time (ASP.Net, not .Net CORE), you should definitely read it.

The new code for ASP.Net in your web.config looks like this:

```xml
<!-- Start Security Headers: this goes inside <configuration><system.webServer> -->
<httpProtocol>
  <customHeaders>
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="Content-Security-Policy" value="default-src 'self'" />
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
<!-- End Security Headers -->
```

Note the straight single quotes around 'self': curly quotes copied from a blog post produce a CSP value browsers reject.

Our new-and-improved Web.Config!

And the new code for my startup.cs (.Net CORE), looks like this (Thank you Damien Bod):

```csharp
// These are the extension methods of the NWebsec.AspNetCore.Middleware NuGet
// package; add the using at the top of Startup.cs.
using NWebsec.AspNetCore.Middleware;

// Inside Configure(IApplicationBuilder app, ...), before UseStaticFiles/UseMvc,
// so that every response, static files included, carries the headers.

//Security headers make me happy
app.UseHsts(hsts => hsts.MaxAge(365).IncludeSubdomains());   // 365 days
app.UseXContentTypeOptions();                                  // nosniff
app.UseReferrerPolicy(opts => opts.NoReferrer());
// Legacy browser filter; the OWASP headers guidance now recommends the value 0 instead.
app.UseXXssProtection(options => options.EnabledWithBlockMode());
// Browsers that understand CSP frame-ancestors ignore X-Frame-Options, so with
// the frame-ancestors 'self' below only older browsers actually get DENY.
app.UseXfo(options => options.Deny());
app.UseCsp(opts => opts
    .BlockAllMixedContent()
    .StyleSources(s => s.Self().UnsafeInline())   // one call configures the whole style-src directive
    .FontSources(s => s.Self())
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .ImageSources(s => s.Self())
    .ScriptSources(s => s.Self())
);
//End Security Headers
```

Behold, our beautiful security headers!

In future episodes we will also add:

  • Secure settings for our cookies
  • X-Permitted-Cross-Domain-Policies: none
  • Expect-CT: (not currently supported by our provider)
  • Feature-Policy: camera 'none'; microphone 'none'; speaker 'self'; vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; encrypted-media 'none'; gyroscope 'none'; magnetometer 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; usb 'none'; vr 'none'; fullscreen *; (Feature-Policy has since been superseded by Permissions-Policy, which uses a different syntax, so check current browser support before copying this value.)

For more information on all of these security headers, I strongly suggest you read the OWASP Security Headers Guidance.

We now have good marks from all of the important places (https://securityheaders.com, https://www.ssllabs.com and https://hardenize.com), but hope to improve our score even further.
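As an added example that is not part of the original post or the DevSlop project, here is a small offline audit in Python of the headers discussed above, so the same checks can run in a pipeline against a captured response instead of only on a public scanner. The two response header sets at the bottom are constructed for illustration, not captured from devslop.co, and the thresholds (a one-year HSTS max-age, rejecting 'unsafe-inline' for scripts, and requiring X-Frame-Options and frame-ancestors to agree) are this example's own assumptions, not the rules of securityheaders.com.

```python
"""Offline audit of the response security headers discussed in this post.

Added example, not DevSlop project code. Sample header sets are constructed.
"""
import re

ONE_YEAR_SECONDS = 365 * 24 * 60 * 60


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    # The framework banner that the web.config <remove> entry strips.
    if "x-powered-by" in h:
        findings.append("X-Powered-By present: remove it, it only advertises the stack")

    # HSTS: present, at least a year, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR_SECONDS:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    # Reject the Referrer-Policy values that send the full URL cross-origin.
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    # '1' without mode=block makes the legacy filter rewrite the page rather
    # than block it; '0' (off) or '1; mode=block' are the acceptable values.
    xss = h.get("x-xss-protection")
    if xss is not None:
        compact = xss.replace(" ", "").lower()
        if compact != "0" and not (compact.startswith("1") and "mode=block" in compact):
            findings.append("X-XSS-Protection should be '0' or '1; mode=block'")

    # CSP: must exist, must have a default-src fallback, and the effective
    # script-src must not reopen the door with unsafe-inline / unsafe-eval / *.
    csp_value = h.get("content-security-policy")
    frame_ancestors = None
    if csp_value is None:
        findings.append("Content-Security-Policy missing")
    else:
        csp = parse_csp(csp_value)
        if "default-src" not in csp:
            findings.append("Content-Security-Policy has no default-src fallback")
        script_src = [s.lower() for s in csp.get("script-src", csp.get("default-src", []))]
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in script_src:
                findings.append(f"Content-Security-Policy allows {bad} for scripts")
        frame_ancestors = csp.get("frame-ancestors")

    # Clickjacking: need X-Frame-Options or frame-ancestors; when both are set
    # they should agree, because CSP-aware browsers ignore X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("No clickjacking protection (X-Frame-Options or frame-ancestors)")
    if frame_ancestors is not None and xfo:
        if {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}.get(xfo) != frame_ancestors:
            findings.append("X-Frame-Options and frame-ancestors disagree")

    return findings


# Constructed samples: a response with only default server headers, and one
# carrying the headers from the web.config in this post plus HSTS.
BARE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or ['all checks pass']}")
```

To run it against a real site, build the dict from the response headers of an HTTP client of your choice and feed it to audit_headers; the bare sample reports six findings, the hardened one none.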

For more information, watch our show on YouTube!
SSLLabs for the win!

Please use every security header that is available and applicable to you.
