Secures .NET apps by setting HTTP response headers. Exactly like Helmet for Node.js, but for C#.
Install it via the .NET SDK:
dotnet add package Helmet
Use it in your project:
using Helmet;
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.UseHelmet();
app.MapGet("/", () => "Hello World!");
app.Run();
By default, Helmet sets the following headers:
Content-Security-Policy: A powerful allow-list of what can happen on your page which mitigates many attacks
Cross-Origin-Opener-Policy: Helps process-isolate your page
Cross-Origin-Resource-Policy: Blocks others from loading your resources cross-origin
Origin-Agent-Cluster: Changes process isolation to be origin-based
Referrer-Policy: Controls the Referer header
Strict-Transport-Security: Tells browsers to prefer HTTPS
X-Content-Type-Options: Avoids MIME sniffing
X-DNS-Prefetch-Control: Controls DNS prefetching
X-Download-Options: Forces downloads to be saved
X-Frame-Options: Legacy header that mitigates clickjacking attacks
X-Permitted-Cross-Domain-Policies: Controls cross-domain behavior for Adobe products, like Acrobat
X-Powered-By: Info about the web server. Removed because it could be used in simple attacks
X-XSS-Protection: Legacy header that tries to mitigate XSS attacks, but makes things worse, so Helmet disables it
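A quick way to confirm that the deployed app actually emits these defaults, added here as an example (it is not part of the Helmet package): pipe the response headers from curl into the script below. It parses the raw header block, reports any default header that is missing, flags X-Powered-By if it survived, and treats an X-XSS-Protection value other than 0 or an HSTS header without max-age as a regression. The hostname is a placeholder, and the header values in the embedded samples are constructed for illustration, not a record of what Helmet for .NET sends.

```python
"""Audit an HTTP response for the header set Helmet for .NET applies by default.

Added example, not part of the Helmet package. Usage:
    curl -s -D - -o /dev/null https://your-app.example/ | python audit_headers.py
(the hostname is a placeholder.)
"""
import sys

# Headers the README lists as set by default. HTTP header names are case-insensitive.
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
    "Origin-Agent-Cluster",
    "Referrer-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-DNS-Prefetch-Control",
    "X-Download-Options",
    "X-Frame-Options",
    "X-Permitted-Cross-Domain-Policies",
)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 header block into a dict keyed by lowercase name.

    The status line and blank lines are skipped; repeated names are joined
    with ", " as RFC 9110 allows for list-valued fields.
    """
    headers = {}
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw: str) -> list:
    """Return human-readable findings; an empty list means the defaults look intact."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in EXPECTED_HEADERS if name.lower() not in h]
    # Helmet strips X-Powered-By; if it is still there, Helmet is not in the pipeline
    # or a later component (for example an IIS front end) re-added it.
    if "x-powered-by" in h:
        findings.append(f"present: X-Powered-By ({h['x-powered-by']})")
    # Helmet disables the legacy XSS auditor; any value other than "0" re-enables it.
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append(f"weak: X-XSS-Protection is '{xss}', expected '0'")
    # Browsers ignore an HSTS header that carries no max-age directive.
    hsts = h.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts.lower():
        findings.append("weak: Strict-Transport-Security lacks max-age")
    return findings


# Constructed sample: a response with every default header present. The values are
# illustrative; they are not necessarily the ones Helmet for .NET emits.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Origin-Agent-Cluster: ?1\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-DNS-Prefetch-Control: off\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)

# Constructed sample: a response from an app without Helmet, still advertising its stack.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Server: Kestrel\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else BARE_RESPONSE
    result = audit(raw)
    print("\n".join(result) if result else "all default headers present")
    sys.exit(1 if result else 0)
```

Prefer `curl -s -D - -o /dev/null URL` over `curl -I`: the latter sends a HEAD request, and some middleware or endpoints answer HEAD differently from GET, so the headers you inspect should come from the same method users actually send. Run the check against the public edge as well as the app directly, since a reverse proxy in front of the app can add, drop or rewrite headers.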
Headers can also be disabled individually. For example, here's how you disable the Cross-Origin-Opener-Policy header:
using Helmet;
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.UseHelmet(options =>
{
// This only disables Cross-Origin-Opener-Policy
options.UseCrossOriginOpenerPolicy = false;
});
app.MapGet("/", () => "Hello World!");
app.Run();