Headers containing Http request and response information are activated when logging into the website via the browser. Basically, Http Security Header directs how the browser should behave by reporting information about the content of your site to the browser.

We can create a more secure infrastructure by adding Http Security Headers.

Security Headers supported by modern browsers are as follows;

1- HTTP Strict Transport Security (HSTS)

Http request Https response olarak dönüşü

HSTS automatically converts a user’s HTTP request from the browser to HTTPS .

2- X-Frame-Options

This issue is called clickjacking , by calling your site in iframe and clicking on the user, the attacker gets the desired activity to the user. X-Frame-Options has 3 different parameters.

Deny = Used to completely prevent the page from being called in any frame.

SAMEORIGIN = Used to prevent any domain other than your own from calling in the frame.

ALLOW-FROM uri: This feature is used only to allow frames to be made only from specially specified URLs (eg https://example.com) .

Dotnet core usage;

3- X-XSS-Protection

To protect your site from XSS ( Cross-Site-Scripting) attacks, some header information on the server side is added to the response header. Of course, priority should be used as an extra measure after performing XSS vulnerabilities through the application.

Dotnet core usage;

4- X-Content-Type-Options

Browsers try to decide the type of content by performing the analysis by reading the file tunnel bits called MIME Type Sniffing on the content offered by the web application .

Let’s try to understand the situation with an example: When we think of a file with an extension of jpeg but its content is text / html, the protections in the upload module are overcome with the extension, and the file is successfully uploaded. When the uploaded file is called through the URL, MIME Type sniffing will eventually return text / html and render the content as HTML. Thus, XSS and Sql Injection weaknesses will occur on your website .

5- Removing Server Header

Shows information about the server in the header content. Using this information in Dotnet core to prevent it from appearing;

6- CSP-Content Security Policy

The soft core of web security is that externally loaded resources such as Javascript and style files work in the / context of our page. Providing extra security for our javascript, css, font etc. files with CSP can be beneficial for us.

An example CSP header is as follows:

Content-Security-Policy: VALUES CONTROL_ AREA

Referrer-Policy

When a site is accessed through another site, it specifies its address with the referer header. The target site can also see the site that is the source of this navigation with the referer header. The referer header will be added not only when a link on the site is clicked, but also in style, image and script uploads, form submissions. However, sometimes the URL may contain some private information that is better not to be disclosed. It should be added in such cases.

Feature Policy

With Feature Policy, it is also possible to manage whether many scanner features such as access to location information, microphone and camera usage, multi media playback features, gyroscopes etc. sensors will be enabled, besides the user’s global browser settings.


Let’s write a middleware that covers all the Security Headers we have described above in parts;

If we want to make it more useful with an extension;


With Security Headers, we can make our web application more secure with simple details.

error: Content is protected !!