Welcome to the SafeWebCore documentation. SafeWebCore is a .NET 10 middleware library that adds security headers to ASP.NET Core applications, targeting an A+ rating on securityheaders.com out of the box.
- Getting Started - Installation, minimal setup (v1.1.0+), verifying headers, using nonces
- Security Headers - Every header explained, defaults vs strict A+, header comparison table
- CSP Configuration - Full CSP Level 3 & Level 4 reference, builder, nonces, performance optimizations (v1.1.0+)
- Presets - All five presets (StrictAPlus, Api, Mvc, Blazor, SpaReverseProxy), comparison, decision guide
- Advanced Configuration - Path policies, report-only, CSP reporting, custom sinks, endpoint overrides, testing, troubleshooting
- Examples - Three runnable projects (MinimalApi, MvcApp, ApiService) with feature matrix
- Benchmarks - Running BenchmarkDotNet suites, result interpretation, creating new benchmarks
- Archive - Obsolete v1.2 planning documents (implementation plan, roadmap)

| I want to... | Go to |
|---|---|
| Get A+ in one line | Getting Started |
| Run a working example | Examples |
| Configure everything custom | Getting Started |
| Access CSP nonce | Getting Started |
| Understand what each header does | Security Headers |
| Configure CSP with advanced directives | CSP Configuration |
| Choose the right preset | Presets |
| Use path-based policies | Advanced Configuration |
| Set up CSP violation reporting | Advanced Configuration |
| Debug CSP violations | Advanced Configuration |
| Create custom headers | Advanced Configuration |
| Add endpoint overrides | Advanced Configuration |
| Test security headers | Advanced Configuration |

| Feature | Link |
|---|---|
| Per-request nonce access via `HttpContext.GetCspNonce()` | Getting Started |
| Zero-allocation nonce generation `TryWriteNonce(Span<char>)` | Getting Started |
| Pre-built CSP template (startup-only computation) | CSP Configuration |
| TagHelper nonce auto-injection | Getting Started |
| All v1.2 features now shipped | Presets and Advanced Configuration |

Generated from XML documentation comments. Key classes:

| Class | Purpose |
|---|---|
| `SecurePresets` | Pre-configured security option sets |
| `NetSecureHeadersOptions` | Root configuration for all headers |
| `CspOptions` | CSP directive configuration (C# record) |
| `CspBuilder` | Fluent API for CSP configuration |
| `ReferrerPolicyBuilder` | Typed builder for Referrer-Policy |
| `PermissionsPolicyBuilder` | Typed builder for Permissions-Policy |
| `CrossOriginPolicyBuilder` | Typed builder for COEP/COOP/CORP |
| `NonceService` | Nonce generation (`GenerateNonce()`, `TryWriteNonce()`) |
| `ICspReportSink` | Custom CSP violation handling |
| `IHeaderPolicy` | Custom header implementations |

- GitHub: MPCoreDeveloper/SafeWebCore
- NuGet: SafeWebCore
- Security Grades:
  - securityheaders.com - Full header scanning
  - Google CSP Evaluator - CSP analysis
- Standards: