
I'm using security headers middleware in a web app to add security headers to all outgoing HTTP requests. Security headers seem to get added to all network requests for internal resources, that is, resources that make up the web app such as the JavaScript files, the images used in the web app, and the CSS and HTML files. However, the security headers do not get added to any external HTTP requests, such as to an API that I made that the web app uses to get JSON data. How do I make it add security headers to everything, rather than just to the web app's own resources?

Below is some of the relevant code that adds the security headers middleware.

startup.cs

private ILogger<SecurityHeadersBuilder> _logger;
private readonly SecurityHeadersPolicy _policy = new SecurityHeadersPolicy();

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, ISecurityHeadersBuilder securityHeadersBuilder)
{...
    // Registers the middleware in this app's pipeline; it runs for responses this app serves.
    app.UseSecurityHeadersMiddleware(
        securityHeadersBuilder.AddDefaultSecurePolicy()
    );
}

securityHeadersBuilder.cs

public SecurityHeadersBuilder AddDefaultSecurePolicy()
{
    AddFrameOptionsDeny();
    AddXssProtectionBlock();
    AddContentTypeOptionsNoSniff();
    AddNoCache();
    AddStrictTransportSecurityMaxAgeIncludeSubDomains();
    AddContentSecurityPolicyAllContentFromSelfAndGoogle();
    RemoveServerHeader();
    return this;
}

public SecurityHeadersBuilder AddFrameOptionsDeny()
{
    _policy.SetHeaders[FrameOptionsConstants.Header] = FrameOptionsConstants.Deny;
    _logger.LogInformation(string.Format("setting {0} http header value to {1}", FrameOptionsConstants.Header, FrameOptionsConstants.Deny));
    return this;
}

1 Answer

There are two types of headers: request headers and response headers.

The server sets response headers to instruct the browser how to handle a response (for example, to block iframing). Therefore it would not make sense to make a request with (for example) the header X-Frame-Options: Deny, because the client application could alter the value and ignore the security restriction. The server will not handle the value of the header anyway; the user agent (the browser) will use this response header.

If you do a call to an (external) API you should manually add request headers to an HttpClient and make the call. The API in turn can return the (security) response headers.

All the headers that you have in the example code are response headers and should not be set as request headers.
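To make the split concrete, here is an added example (not the asker's code and not from any particular middleware package) showing the two places the headers belong: a minimal ASP.NET Core middleware that sets the security response headers on everything this app serves, and an HttpClient call to the asker's API that sets only request headers. The API URL and bearer token are placeholders; the header names and values are the standard ones.

```csharp
// Added example: response headers go on what we serve, request headers go on what we call.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class SecurityResponseHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityResponseHeadersMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // Register the callback before the rest of the pipeline runs, so the headers are
        // set even when a static file or MVC result has already started the response.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;
            headers["X-Frame-Options"] = "DENY";
            headers["X-Content-Type-Options"] = "nosniff";
            headers["Referrer-Policy"] = "no-referrer";
            headers["Content-Security-Policy"] = "default-src 'self'";
            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
            // Kestrel's own "Server" header is switched off with
            // KestrelServerOptions.AddServerHeader = false, not from here.
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

public static class SecurityResponseHeadersExtensions
{
    public static IApplicationBuilder UseSecurityResponseHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityResponseHeadersMiddleware>();
}

// Outgoing call to the asker's own API: only request headers make sense here.
public class ApiClient
{
    private readonly HttpClient _http;

    public ApiClient(HttpClient http) => _http = http;

    public async Task<string> GetJsonAsync(string bearerToken)
    {
        // Placeholder URL (assumption); replace with the real API endpoint.
        var request = new HttpRequestMessage(HttpMethod.Get, "https://api.example.invalid/data");
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);

        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();

        // Any security headers arrive on the API's *response*. On this server-to-server
        // hop no browser is involved, so they are purely informational here.
        if (response.Headers.TryGetValues("X-Content-Type-Options", out var values))
            Console.WriteLine($"API responded with X-Content-Type-Options: {string.Join(",", values)}");

        return await response.Content.ReadAsStringAsync();
    }
}
```

In Startup.Configure, call app.UseSecurityResponseHeaders() before app.UseStaticFiles() and the MVC/endpoint middleware so the callback is registered for every response, including static files. If the API that returns the JSON should also carry these headers, apply the same middleware in the API project's pipeline: each server protects the responses it serves, and nothing the web app puts on its outgoing request changes that.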


3 Comments

Could you explain further what you said about not making sense to request x-frame-options : deny from the server? Just trying to understand as it will teach me a lot. Regarding manually adding headers to the HttpClient do you mean adding them to the piece of code that sends out the http request from the web app? Thanks!
I did add the headers from the HTTP client in the web app. I am just unsure that they do anything, which is in line with what you were saying I think, that some headers are pointless in the request. The Content-Security-Policy header certainly does nothing when I add it to the HTTP request. I just need to decide which ones do anything from the HTTP request.
I edited my answer for clarification. The headers you are trying to request are actually response headers, so they are indeed pointless.
