How can we allow only certain page to be placed in iframe? The rest of the pages will have X-Frame-Options deny and CSP that blocks iframe

Hi Andrew, Thanks for all the blog posts. And your book.

I found my way to this library because of Edge Dev Tools Issues.

And it solved the one security issue it was warning me about. But created another with the following message and link:

"The 'X-Frame-Options' header should not be used. A similar effect, with more consistent support and stronger checks, can be achieved with the 'Content-Security-Policy' header and 'frame-ancestors' directive."

https://webhint.io/docs/user-guide/hints/hint-no-disallowed-headers/?source=devtools

It seems like there are some opportunities for simplification. Nearly every header class has a static method that returns an instance of said header class. Then there is an extension method that shares nearly the same xml documentation and a similar name which calls the static method. Wouldn't it be less maintenance to remove the static header method? For example, a current method inside XssProtectionHeader:

        /// <summary>
        /// Enables the XSS Protections
        /// </summary>
        /// <returns></returns>
        public static XssProtectionHeader Enabled()
        {
            return new XssProtectionHeader("1");
        }

The related method inside XssProtectionHeaderExtensions:

        /// <summary>
        /// Add X-XSS-Protection 1 to all requests.
        /// Enables the XSS Protections
        /// </summary>
        /// <param name="policies">The collection of policies</param>
        public static HeaderPolicyCollection AddXssProtectionEnabled(this HeaderPolicyCollection policies)
        {
            return policies.ApplyPolicy(XssProtectionHeader.Enabled());
        }

Since the extension method is the only place where XssProtectionHeader.Enabled() is used, why not remove the Enabled() method and implement directly inside the extension like so?

        /// <summary>
        /// Add X-XSS-Protection 1 to all requests.
        /// Enables the XSS Protections
        /// </summary>
        /// <param name="policies">The collection of policies</param>
        public static HeaderPolicyCollection AddXssProtectionEnabled(this HeaderPolicyCollection policies)
        {
            return policies.ApplyPolicy(new XssProtectionHeader("1"));
        }

That way you wouldn't need to repeat the documentation in multiple places, and you would have fewer methods to test. What do you think?

I've been tweaking the security headers in my APIs this morning as what I had there was a couple years old and the grade on securityheaders.com had went down from an A to a C.

Just getting then newest version of the library and swapping out all the individual header tweaks with the extension method for the defaults got it back up to A.

        var policyCollection = new HeaderPolicyCollection()
            .AddDefaultSecurityHeaders();

The only complaint from securityheaders.com was "strict-transport-security" with the message:

HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubDomains".

So I changed my code to:

        var policyCollection = new HeaderPolicyCollection()
            .AddDefaultSecurityHeaders()
            .AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 31_536_000);

However, this had no impact at all on securityheaders.com. It gave me the exact same message.

The API can only be reached via an API manager (I'm using Ocelot for this) and I'm wondering if this is interfering. Ocelot interfered with two other (very minor) attributes (server and X-Powered-By) but so far everything else from the API headers seems ok?

Any thoughts as to why this might not be working as I expected?

Hi - I've been using this project to improve my site content security policy. After running through some of the web-based tools to score my policy, I found one that recommended using 'report-sample' with script-src and style-src.

I noticed that this package has a .ReportSample() for AddScriptSrc(), but not for AddStyleSrc().

@andrewlock - would you be happy if I added a .ReportSample() fluent extension for AddStyleSrc() directive? I've coded the changes in my fork already and can submit changes with a pull request if you're happy with the idea.

Thanks!
Jeremy

It looks like a small copy paste error. The wrong class name is mentioned on the line linked above.

Wouldn't it be better to register singleton service instead of transient, since it is executed on every request?

Some public classes lack xml documentation. Some xml documentation comments contain sentences that end in periods. Others contain sentences that end with no period. From a programming perspective, this ticket is fairly inconsequential. From a library adoption perspective, this ticket is important. Having consistent and complete documentation helps give library consumers confidence that the library author pays great attention to detail, and thus leads to a belief that said author will catch more bugs in the library before releasing.

Code is commented out

It would be really cool if all you had to do was to add this to the Startup.cs:

app.UseCustomHeadersMiddleware();

It would then use a set of good default policies that would work for most websites. The reason for this suggestion is:

1. Makes my Configure method less cluttered
2. I don't have to learn about security in order to secure my app
3. Using the default ensures secure headers. Customize to make less secure
4. Default doesn't add unneeded headers. For instance, X-Frame-Options and X-XSS-Protection should only be added to text/html responses and not to CSS and image files.

We have in-house infrastructure code that is being used across multiple services. We have started integrating this library when setting up our CSP header. Our idea is that each application exposes a report url where we can send data to our logging system.

Currently we have multiple applications hosted on the same IIS site using different IIS applications. IIS transmits the the application path using the HttpContext.Request.BasePath. In the future we are moving over to Kubernetes which may use a different setup.

In order to create code that can adapt to the running environment, I need to discover at runtime what context the application is running in. I tried subclassing CspDirectiveBuilderBase but that contains internal abstract methods.

Is there any way to easily support this?
The next option to explore is to patch the raw header value before it's sent back; not something I would like to do.

Consistency is good, though is a breaking change. Perhaps depreciate the current method and add a new method with the consistent name.

Appears to be the only one:

I've been more recently requiring the use of nonce based entries when using the asp helper tags for example;

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/semantic-ui/2.2.6/semantic.min.css"
asp-fallback-href="~/lib/semantic/dist/semantic.min.css"
asp-fallback-test-class="sr-only" asp-fallback-test-property="position" asp-fallback-test-value="absolute"/>

Where the fallback tests create inline meta as such;

<script>!function(a,b,c,d){var e,f=document,g=f.getElementsByTagName("SCRIPT"),h=g[g.length-1].previousElementSibling,i=f.defaultView&&f.defaultView.getComputedStyle?f.defaultView.getComputedStyle(h):h.currentStyle;if(i&&i[a]!==b)for(e=0;e<c.length;e++)f.write('<link href="'+c[e]+'" '+d+"/>")}("position","absolute",["\/lib\/semantic\/dist\/semantic.min.css"], "rel=\u0022stylesheet\u0022 nws-csp-add-nonce=\u0022true\u0022 ");</script>

Any chance this could be added?

Also, thanks for adding the "AddReferrerPolicyStrictOriginWhenCrossOrigin" recently 👍

Boz.

Hello,

In our project we use your library, we've implemented the newest version and add some new stuff (We've added following methods - grandnode/grandnode@529594a ) , we noticed following problem: "The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored."

Is it something on our side or it should be fixed directly in the library? Thanks for any help!

Having checked the issue #19, which is kind of related to this, I wonder if there is a solution since a couple of years passed already.

The problem:

Having this:

<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM"
    asp-fallback-src="~/js/bootstrap.min.js"
    asp-fallback-test="window.jQuery && window.jQuery.fn && window.jQuery.fn.modal"
    crossorigin="anonymous" asp-add-nonce="true"></script>

Will generate this:

<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" 
        integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" 
        crossorigin="anonymous" nonce="x&#x2B;2R9PRWupQLWDUYp1vp3uGsAMPpOIouI2TfKcZdVxQ="></script>
<script>(window.jQuery && window.jQuery.fn && window.jQuery.fn.modal||document.write("\u003Cscript src=\u0022/js/bootstrap.min.js\u0022 crossorigin=\u0022anonymous\u0022\u003E\u003C/script\u003E"));</script>

Which will result into this:

Obviously the solution could be to ignore asp-fallback-* attributes and implement that by yourself, but I was wondering if there is a way for asp-fallback-test script that is generated to have nonce attribute when AddScriptSrc().WithNonce() is present.

Thank you!

When using the Response Caching middleware new nonces & thus new headers are always generated leading to csp failures for cached responses since the nonce in the cached html is now different than the new header.

It would be a nice to have, if we can add the (upcoming) Expect-CT header in the same friendly way as the existing headers.
I know, I can add it actually with AddCustomHeader.

Some Explanation: https://scotthelme.co.uk/a-new-security-header-expect-ct/

Btw: Thanks for this great library

When setting the default security headers, I get the following error in my browser (Chrome 58 beta):

Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

Apparently strict-origin-when-cross-origin is not sent along in the preflight headers. Is this something we can pick-up ourselves, or should this package solve this?

Hello
Are you planning release latest version?

Including but not limited to:

unsafe-eval on scripts
=> ScriptSourceDirectiveBuilder.AllowUnsafeEval()
unsafe-inline on scripts and styles
=> ScriptSourceDirectiveBuilder.AllowUnsafeInline() | StyleSourceDirectiveBuilder.AllowUnsafeInline()
strict-dynamic on scripts
=> ScriptSourceDirectiveBuilder.UseStrictDynamic()
block-all-mixed-content tag
=> CspBuilder.AddBlockAllMixedContent()
base-uri source set
=> CspBuilder.AddBaseUriSrc()

I've added suggested fluent signatures for them.

I installed with Nuget but found out there's only one method AddDefaultSecurityHeaders available
you might need to open up other methods which is in the tutorial readme :)

I have an array of urls in my configuration which I need to add to CSP, so I've tried the following code:

List<string> scripts = configuration.GetSection("Scripts").Get<List<string>>();
List<string> styles = configuration.GetSection("Styles").Get<List<string>>();
List<string> images = configuration.GetSection("Images").Get<List<string>>();
List<string> connect = configuration.GetSection("Connect").Get<List<string>>();
List<string> frameAncestors = configuration.GetSection("FrameAncestors").Get<List<string>>();
scripts.ForEach(s => csp.AddScriptSrc().From(s));
styles.ForEach(s => csp.AddStyleSrc().From(s));
images.ForEach(s => csp.AddImgSrc().From(s));
connect.ForEach(s => csp.AddConnectSrc().From(s));
frameAncestors.ForEach(s => csp.AddFrameAncestors().From(s));

However, at runtime, the directive sources only have one entry in them which is the last one in the array.

I can't find a way of adding multiple entries to the same directive. How can I go about doing this?

It would be really nice if library consumers didn't have to instantiate a HeaderPolicyCollection to customize the middleware. Would you be willing to add an overload such as the following (for us lazy folks)?

public static IApplicationBuilder UseSecurityHeaders(
    this IApplicationBuilder app,
    Action<HeaderPolicyCollection> configure)

Hello,
As we know the 'Feature-Policy' header has been renamed to 'Permissions-Policy' with the change in setting values in the header.
Ref: W3 org
Ref: Scott Helme blog
Do we have any ETA on being this implemented?

Thanks in advance

We swapped our solution from custom header notation to use the inbuilt functions provided by the package:

When releasing into our test environment with our CDN we found our site broke due to the CORP policy not being applied to our resources:

I suggest that the issue is relating to the use of a HtmlOnly header for CORP. Which when you consider it's expected to be present on the resources makes little sense: https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders/blob/45da7a4bf59b1680652e50e70d61f7e23483d2bf/src/NetEscapades.AspNetCore.SecurityHeaders/Headers/CrossOriginResourcePolicyHeader.cs

I imagine it's a simple change to use the standard HeaderPolicyBase instead.

I'm going to revert that header only and push out into test to see if all our issues are resolved, in case we experience any issues with the other two headers.

In the average application it's easy for the Startup file to get untidy and require a lot of scrolling to find what you need. For this reason we consistently use ConfigureOptions to move as much out of our Startup file as possible

With this package, when you have an application that has some specific security headers including a more complex CSP, you can end up adding a good chunk of code into the Startup file.

This is a request to see if it's possible to permit the configuration of security headers though options configuration.

I'd certainly retain the current inline configuration as an option but perhaps if someone uses app.UseSecurityHeaders(); it'd be great to attempt to resolve the configuration from the options e.g:

        public static IApplicationBuilder UseSecurityHeaders(
            this IApplicationBuilder app)
        {
            var headerPolicy = app
                .ApplicationServices
                .GetService<IOptions<SecurityHeaderOptions>>()
                ?.HeaderPolicy;
                
            // Use `headerPolicy`
        }

I've not looked at the code for HeaderPolicyCollection so I don't know how feasible this is.

On a separate note, I always like to take a moment to say thank you for producing this package. It seems like the best option around right now and I hope you continue to develop it. Thanks again for your efforts so far!

This new header adds additional protection over some pretty important browser features eg. camera, microphone, payment. Would be a great addition to this package.
https://scotthelme.co.uk/a-new-security-header-feature-policy/

var collection = new HeaderPolicyCollection();
collection.AddCustomHeader(null, "asdf");

The snippet above throws an ArgumentNullException with the following message: "Value cannot be null.
". This is misleading because it is actually the header parameter that is null, not the value parameter.

Since you are willing to bypass marking something as obsolete for a package version less than v1, why not remove the existing classes that are marked as obsolete?

Hi Andrew,

This is a great library, very useful to add a little bit of fire and forget hardening to our microservices. There's just one issue and that's our CI machines don't like it due to it not being signed and our locked down environments. If you could sign the dlls then I could ask that the public key is added to our whitelisted producers?

I can provide some example signing code if that helps, but you'd need to produce the certificate of course!

Thanks,
Ben

how can i add securityheaders in ajax request?
thanks.

Accessing context?.Request then checking context == null results in two null checks of context. We can reduce the number of null checks by utilizing something like the following:

if (context == null)
{
    throw new ArgumentNullException(nameof(context));
}

var request = context.Request;

As discussed in #25 and on twitter, Some security headers are only required for text/html content.

The following headers can be omitted unless the response is text/html:

• Content-Security-Policy
• X-XSS-Protection
• Referrer-Policy
• X-Frame-Options

References:

• https://sonarwhal.com/docs/user-guide/rules/no-html-only-headers/
• https://scotthelme.co.uk/micro-optimisation-for-fun/

"Apply" seems a bit misleading because you aren't really applying anything. You are really just adding something to a collection. I propose it be renamed to AddPolicy. The xml documentation even states "Add the policy to the policy collection", supporting this rename.

Okay so this might be user error, but I have a test page with the following scripts:

<script nonce="@Context.GetNonce()">
            console.log("JS running with an injected nonce");
</script> 

<script asp-add-nonce>
            console.log("JS running with a tag helper nonce");
</script>

<script asp-add-content-to-csp csp-hash-type="SHA384">
            console.log("JS running with the hashtags");
</script>

Just as tests for whether the CSP is allowing scripts with nonces to run.

If my CSP is set as follows:

.AddContentSecurityPolicy(builder =>
                {
                    builder.AddUpgradeInsecureRequests();

                    builder.AddObjectSrc().None();

                    builder.AddScriptSrc()
                        .Self()
                        .UnsafeInline()
                        .StrictDynamic()
                        .WithHashTagHelper();
                    
                    builder.AddBaseUri().None();

                    builder.AddReportUri().To("/csp/report");

                });

Nothing loads.

If I remove the StrictDynamic() part, things start working again and those three scripts run.

Am I doing something stupid, or are the taghelpers not running for strict dynamic?

It seems that the intention was to use XssProtectionHeader.Report(url) instead.

Is it possible to configure manifest-src?

If not, I might try to submit a PR

Hi Andrew

There are a few relatively new security headers (COOP/CORP/COEP) that would be really nice to have in the library - more information here:
https://scotthelme.co.uk/coop-and-coep/
https://web.dev/coop-coep/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

I'm added these using the 'AddCustomHeader' extension right now.

I've a couple of potential implementation design suggestions below (using the Cross-Origin-Opener-Policy header for the example):

First (my preference):

var policyCollection = new HeaderPolicyCollection()
		.AddCrossOriginOpenerPolicy(builder =>
                {
                    builder
			.ReportTo("default")
                        .UnsafeNone();

			// you could alternatively use one of the fluent extensions below in your policy collection instead of unsafe-none
			//.SameOrigin()
			//.SameOriginAllowPopups();
                });

		// ...
		// or use the implementation below for reporting only
                .AddCrossOriginOpenerPolicyReportOnly(builder =>
                {
                    builder
			.ReportTo("default")
                        .UnsafeNone();

			// you could alternatively use one of the fluent extensions below in your policy collection instead of unsafe-none
			//.SameOrigin()
			//.SameOriginAllowPopups();
                });

Pros: Consistency with existing features like CSP, also very extensible if the standard changes
Cons: More complex implementation for end users in the Startup.cs file

Second:

var policyCollection = new HeaderPolicyCollection() 
	.AddCrossOriginOpenerPolicyUnsafeNone(); 

	// also need to write code for the extensions below
	.AddCrossOriginOpenerPolicyUnsafeNone(reportTo:"default")
	.AddCrossOriginOpenerPolicyUnsafeNoneReportOnly(reportTo:"default")
	.AddCrossOriginOpenerPolicySameOrigin()
	.AddCrossOriginOpenerPolicySameOrigin(reportTo:"default")
	.AddCrossOriginOpenerPolicySameOriginReportOnly(reportTo:"default")
	.AddCrossOriginOpenerPolicySameOriginAllowPopups()
	.AddCrossOriginOpenerPolicySameOriginAllowPopups(reportTo:"default")
	.AddCrossOriginOpenerPolicySameOriginAllowPopupsReportOnly(reportTo:"default")

Pros: Simple implementation in the Startup.cs file
Cons: Risk of an unwieldy amount of code in the source library, expecially if the standard changes.

Or the implementation could be something else I haven't considered :)

What do you think? I've started writing code for a pull request but wanted to ask your views before doing too much.

Jeremy

Is there a way to change the CSP after it has been built with AddContentSecurityPolicy? As far as I can see the only option is overwrite it by calling the method again but I am utilising this in a common library of my own and I would like the consumer of my common library to be able to change the policy from the default that is set.

Hi Andrew,

I've read Chrome is experimenting with a new ad selection feature called FLoC, more info here: https://web.dev/floc/

And more information/opinions at the links below:
https://scotthelme.co.uk/what-the-floc/
https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
https://seirdy.one/2021/04/16/permissions-policy-floc-misinfo.html
https://floc.glitch.me/

To make sure pages are opted-out of the calculation, we can add this response header:
Permissions-Policy: interest-cohort=()

It would be useful to update the SecurityHeaders library so that a site can declare that it does not want to be included in the user's list of sites for cohort calculation.

My suggestion for a new extension is below, which hopefully is consistent with the other directive extensions:

var policyCollection = new HeaderPolicyCollection()
                                      .AddPermissionsPolicy(
                                          options =>
                                          {
                                              options.AddFederatedLearningOfCohortsCalculation().None();
                                          }
                                      );

Note: It's possible that since FLoC is only in trial at the moment, the response header specifics might change later.

I've already made changes in a feature branch in my fork - pull request coming soon for review. And as always, thank you for maintaining this fantastic library!

CSP level 3 add new directives, and some of them appear to be missing:

• prefetch-src
• script-src-elem
• script-src-attr
• style-src-elem
• style-src-attr
• sandbox
• navigate-to

Using AddCustomDirective isn't a proper workaround, because some of these directives need the Nonce, and I'm not sure how to access it while creating the CSP.

Is there any way I can force to add XSS Protection, "X-Frame-Options" and "Strict Transport Security" to the response header if my content type is JSON? I know it is only applied to text/html but curious if i can add it in case of json as well?
Thanks

there is no option for worker-src, we can get around it using script-src fallback, but it would be nice to add.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

It would be goud to be able to remove custom header in similar way like AddCustomHeader is working.

Kestrel seems to add the server header later in the pipeline than when the middleware can interact with them.

Fortunately there is a workaround, in your WebHostBuilder add the following options when you setup kestrel:

.UseKestrel(o => o.AddServerHeader = false)

Not really a bug but someone else may run into the same problem.

Shaun

Hi there,

Firstly a great library. This is more a question rather than an issue.

If I am using a 3rd party nuget package that injects an inline script tag
<script>alert('3rd party tool');</script>

Would I have to manually add nonce=XXXX using HttpContext.GetNonce(); through some sort of rewrite middleware?

Thanks for your time and effort

As it is now, the only way to set which security headers are to be used is at the middleware level. This lacks flexibility, as path-dependent policies become hard to set up.

The foundations for this seems to be already layed of in #57 , but it went stale as ATM the lack of interest in this feature does not justify the added complexity that it would become for the maintainer(s) once its merged.

This issue is meant to track the interest in this functionality, so please add your upvote/reaction and feel free to discuss about your own use cases where this feature would help you.

Hi,

I've been using your library for a while now to populate CSP headers, Permission Policy headers and a couple of others and they have been very successful, I moved to this solution rather than embedding headers via nginx as my dev environment then behaves largely like my production environment.

Following a fairly recent post by Scott Helme I thought I'd look into nonces once again, I've looked in the past as a way to banish unsafe-inline but never manged to get things working.

So, I've added both the SecurityHeaders NuGet package (was already present) and the extra SecurityHeaders.TagHelpers NuGet package.

I already had the middleware running in Program.cs (I'm using ASP.NET 6 and the new WebApplication.CreateBuilder layout, so no Startup.cs).

app.UseSecurityHeaders(SecurityHeaders.GetHeaderPolicyCollection(app.Environment.IsDevelopment()));

Which calls the following code, which works fine, I just added the two marked .WithNonce() entries:

namespace HRW;

public class SecurityHeaders
{
	public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
	{
		var policy = new HeaderPolicyCollection()
			.AddContentTypeOptionsNoSniff()
			.AddFrameOptionsSameOrigin()
			.AddXssProtectionBlock()
			.AddReferrerPolicyStrictOriginWhenCrossOrigin()

			.AddContentSecurityPolicy(builder =>
			{
				builder.AddUpgradeInsecureRequests();
				builder.AddBlockAllMixedContent();

				builder.AddDefaultSrc()
					.None();

				builder.AddStyleSrc()
					.Self()
					.UnsafeInline()
					.WithNonce()  // Recently added this line
					.From("fonts.googleapis.com");

				builder.AddScriptSrc()
					.Self()
					.UnsafeInline()
					.WithNonce()  // Recently added this line
					.From("kit.fontawesome.com")
					.From("maps.googleapis.com");

				builder.AddImgSrc()
					.Self()
					.Data()
					.From("maps.gstatic.com")
					.From("maps.googleapis.com")
					.From("cbks0.googleapis.com")
					.From("geo0.ggpht.com")
					.From("geo1.ggpht.com")
					.From("geo2.ggpht.com")
					.From("geo3.ggpht.com")
					.From("lh3.ggpht.com")
					.From("khms0.googleapis.com")
					.From("khms1.googleapis.com");

				builder.AddFontSrc()
					.Self()
					.From("fonts.gstatic.com");

				builder.AddConnectSrc()
					.Self()
					.From("ka-f.fontawesome.com")
					.From("maps.googleapis.com");

				builder.AddManifestSrc()
					.Self();

				builder.AddFrameAncestors()
					.Self();

				builder.AddFormAction()
					.Self();

				builder.AddBaseUri()
					.Self();

				builder.AddReportUri()
					.To("https://roseitsolutions.dev/CSP");
			})

			.AddPermissionsPolicy(builder =>
			 {
				 builder.AddAccelerometer().Self();
				 builder.AddAutoplay().None();
				 builder.AddCamera().None();
				 builder.AddEncryptedMedia().None();
				 builder.AddFullscreen().None();
				 builder.AddGeolocation().Self();
				 builder.AddGyroscope().Self();
				 builder.AddMagnetometer().Self();
				 builder.AddMicrophone().None();
				 builder.AddMidi().None();
				 builder.AddPayment().None();
				 builder.AddPictureInPicture().None();
				 builder.AddSyncXHR().None();
				 builder.AddUsb().None();
			 });

		if (!isDev)
		{
			policy.AddStrictTransportSecurityMaxAgeIncludeSubDomainsAndPreload(maxAgeInSeconds: 63072000);
		}

		return policy;
	}
}

When I run the website I can see the nonce header getting generated in DevTools:

content-security-policy: style-src 'self' 'unsafe-inline' fonts.googleapis.com 'nonce-LMxrnSne0Hb5I/UIyrIcKs15XHVy46zV4puSOLU3TWE='; script-src 'self' 'unsafe-inline' kit.fontawesome.com maps.googleapis.com 'nonce-LMxrnSne0Hb5I/UIyrIcKs15XHVy46zV4puSOLU3TWE='; upgrade-insecure-requests; block-all-mixed-content; default-src 'none'; img-src 'self' data: maps.gstatic.com maps.googleapis.com cbks0.googleapis.com geo0.ggpht.com geo1.ggpht.com geo2.ggpht.com geo3.ggpht.com lh3.ggpht.com khms0.googleapis.com khms1.googleapis.com; font-src 'self' fonts.gstatic.com; connect-src 'self' ka-f.fontawesome.com maps.googleapis.com; manifest-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; report-uri https://roseitsolutions.dev/CSP;

I can also use var nonce = HttpContext.GetNonce(); and output the result to the page but wherever I use asp-add-nonce nothing happens and I get a CSP error saying inline script execution has failed.

I'm not sure what I'm missing so any help would be greatly appreciated.

Some header classes such as ReferrerPolicyHeader set the value parameter inside their constructor. This is unnecessary because the value parameter is set to the same thing in the HeaderPolicyBase class.