How to add OWASP recommendations to an ASP.NET Core (.NET 6) project
I am creating a new ASP.NET Core project with .NET 6. I have a UI project that calls the API project. The fonts come from Google and the avatar from Gravatar.
In Program.cs I added these lines:
```csharp
app.Use((context, next) =>
{
    // Disable caching of every response.
    context.Response.GetTypedHeaders().CacheControl =
        new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
        {
            MustRevalidate = true,
            NoCache = true,
            NoStore = true,
        };
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    // Content Security Policy for the UI project.
    context.Response.Headers.Add("Content-Security-Policy",
        "base-uri 'self'; " +
        "connect-src 'self' localhost:44381 localhost:44399 localhost:59145 api-portal-dev.mysite.com; " +
        "form-action 'self'; " +
        "font-src 'self' fonts.googleapis.com https://www.gravatar.com https://fonts.gstatic.com; " +
        "frame-ancestors 'none'; " +
        "img-src https:;");
    return next.Invoke();
});
```
If I run the test with OWASP ZAP, I get a lot of alerts.
| Alert type | Risk | Count |
|---|---|---|
| CSP: Wildcard Directive | Medium | 3 (30.0%) |
| Absence of Anti-CSRF Tokens | Low | 2 (20.0%) |
| Cookie with SameSite Attribute None | Low | 2 (20.0%) |
| Cookie without SameSite Attribute | Low | 1 (10.0%) |
| Incomplete or No Cache-control Header Set | Low | 3 (30.0%) |
| Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | Low | 1 (10.0%) |
| Timestamp Disclosure - Unix | Low | 9 (90.0%) |
| CSP: X-Content-Security-Policy | Informational | 1 (10.0%) |
| Information Disclosure - Suspicious Comments | Informational | 13 (130.0%) |
| Loosely Scoped Cookie | Informational | 3 (30.0%) |
| Total | | 10 |
How can I fix them?
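A hardened Program.cs for the UI project, written as an added example (not the asker's code), that addresses the header, CSP, cookie and anti-CSRF alerts from the ZAP table. It assumes the .NET 6 minimal hosting model, reuses the origins from the question's CSP, and assumes the UI's own scripts and styles are served from the same origin (adjust `script-src`/`style-src` if they are not).

```csharp
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);

// Drop Kestrel's "Server" header. The "X-Powered-By" header ZAP flagged is added by
// IIS, not by Kestrel, so it must be removed in web.config (customHeaders) instead.
builder.WebHost.ConfigureKestrel(k => k.AddServerHeader = false);

// Anti-CSRF tokens: register antiforgery and validate tokens on state-changing
// requests (e.g. [AutoValidateAntiforgeryToken] on MVC controllers).
builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");

// Cookies: never emit SameSite=None or an unset SameSite; require Secure + HttpOnly.
builder.Services.Configure<CookiePolicyOptions>(o =>
{
    o.MinimumSameSitePolicy = SameSiteMode.Lax;
    o.Secure = CookieSecurePolicy.Always;
    o.HttpOnly = HttpOnlyPolicy.Always;
});

var app = builder.Build();
app.UseHsts();
app.UseCookiePolicy();

// Every fetch directive is explicit and host-scoped: no scheme-only source such as
// "https:" (ZAP reports it as a wildcard) and a default-src so nothing falls back to
// "allow everything" when a directive is missing.
const string Csp =
    "default-src 'self'; base-uri 'self'; form-action 'self'; " +
    "frame-ancestors 'none'; object-src 'none'; " +
    "script-src 'self'; " +
    "style-src 'self' https://fonts.googleapis.com; " +
    "font-src 'self' https://fonts.gstatic.com; " +
    "img-src 'self' https://www.gravatar.com; " +
    "connect-src 'self' https://localhost:44381 https://localhost:44399 " +
    "https://localhost:59145 https://api-portal-dev.mysite.com";

app.Use(async (context, next) =>
{
    var headers = context.Response.Headers;
    // Complete no-cache set; ZAP also checks Pragma for HTTP/1.0 caches.
    headers["Cache-Control"] = "no-cache, no-store, must-revalidate";
    headers["Pragma"] = "no-cache";
    headers["X-Content-Type-Options"] = "nosniff";
    headers["Content-Security-Policy"] = Csp;
    headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    await next();
});

app.MapGet("/", () => "ok");
app.Run();
```

The "Timestamp Disclosure" and "Suspicious Comments" alerts are passive pattern matches on response bodies, not header problems, so review those findings by hand.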
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow