NWebSec Support for ASP.Net Core Applications

Posted by Phil on April 06, 2017

Security is often considered something of a dark art even to experienced developers. It's not uncommon to assume that "we have an SSL certificate" is sufficient protection. While that's certainly a good start, there is a lot more that can be added to really ensure you've covered as many bases as possible. And to make this easier, NWebSec provides a set of libraries that can be quickly and easily plugged in to your site and configured to provide a comprehensive set of safeguards.

I've been working more and more with ASP.Net Core applications recently and while I'd normally add NWebSec to any web-facing project I was building, the support for Core has only recently been released.

This post isn't intended to be a particularly in-depth or technical coverage of either web security or the NWebSec library; other, more-qualified people have far more extensive treatments of both subjects. Rather, this is more a suggestion on where you can look to get started with implementing stronger security practices in your own code and how to begin familiarising yourself with some more technical concepts.


Security headers are a collection of settings or instructions that are included in a site's server response. The HTTP headers are included not as part of the page, specifically (e.g. the <head> tag in HTML), but as metadata delivered to the browser with each request.

The security headers define how the browser should interact with content of different types and from different sources. For example, the Content Security Policy defines how scripts or stylesheets should be treated depending on where they're sourced from. The Frames policy defines whether the browser should load any content contained within an iframe.

The range of headers supported is extensive:

  • Strict-Transport-Security
  • X-Content-Type-Options
  • X-Download-Options
  • X-Frame-Options
  • X-Xss-Protection
  • Content-Security-Policy
  • X-Robots-Tag

You can read more about browser security and headers here or check out Pluralsight for some excellent introductory material from Troy Hunt.

NWebSec Configuration

NWebSec provides an array of outputs that can be applied either through .Net Core middleware, tag helpers or MVC filter attributes.

By way of example, assuming you wanted to mitigate any cross-site scripting (XSS) vulnerabilities on your site, you'd look to apply a content security policy (CSP) that defined a white list of resources and their locations from which they were retrieved. NWebSec will accept a "UseCsp" method that allows us to specify at a granular level which content to include:


        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)

            app.UseCsp(options => options
                .DefaultSources(s => s.Self())
                .ConnectSources(s => s.Self())
                .StyleSources(s => s.Self().CustomSources("ajax.aspnetcdn.com"))
                .ScriptSources(s => s.Self().CustomSources("localhost", "ajax.aspnetcdn.com", "ajax.googleapis.com"))


When rendered to the page, this code generates a new "content-security-policy" header that contains the following:

Content-Security-Policy: "script-src 'self' localhost ajax.aspnetcdn.com ajax.googleapis.com;style-src 'self' ajax.aspnetcdn.com;connect-src 'self'"

The NWebSec documentation is comprehensive and there is a LOT more in there that allows you to fully harden your code to mitigate most security vulnerabilities.

If you haven't already, start looking at your web security and how libraries such as NWebSec can win you some really easy points. Leaving security until last or as an afterthought is really no longer acceptable in 2017 and needs to be considered a first-class citizen in your coding processes. When it's as easy as this, there's really no excuse not to understand the basics and apply them.

Hope this helps!