How to use security headers in ASP.NET Core MVC 5

ASP.NET Core MVC 5 is a lightweight, open source, highly testable framework built on top of the ASP.NET Core 5 runtime and based on the model-view-controller (MVC) architecture. Part of the new .NET 5, the ASP.NET Core MVC 5 framework combines the capabilities of .NET Core, MVC, and Web API.

Security headers are a technique that can be used to improve the security of a web application. There are several ways in which you can specify security headers in your ASP.NET Core MVC application. This article talks about these ways with code samples wherever appropriate.

To work with the code samples provided in this article, you should have Visual Studio 2019 installed in your system. If you don’t already have a copy, you can download Visual Studio 2019 here.

Create an ASP.NET Core MVC 5 project in Visual Studio 2019

First off, let’s create an ASP.NET Core project in Visual Studio 2019. Following these steps should create a new ASP.NET Core 5 project in Visual Studio 2019.

  1. Launch the Visual Studio IDE.
  2. Click on “Create new project.”
  3. In the “Create new project” window, select “ASP.NET Core Web App (Model-View-Controller)” from the list of templates displayed.
  4. Click Next.
  5. In the “Configure your new project” window, specify the name and location for the new project.
  6. Optionally check the “Place solution and project in the same directory” check box, depending on your preferences.
  7. Click Next.
  8. In the “Additional Information” window shown next, select .NET 5.0 as the target framework from the drop-down list at the top. Leave the “Authentication Type” as None (default).
  9. Ensure that the check boxes “Enable Docker,” “Configure for HTTPS,” and “Enable Razor runtime compilation” are unchecked as we won’t be using any of those features here.
  10. Click Create.

A new ASP.NET Core MVC 5 project will be created. We’ll use this project in the subsequent sections in this article.

Specify headers in middleware in ASP.NET Core 5

Middleware components are used to inspect, route, or modify the request and response messages that flow through the pipeline. To specify headers in the middleware you can either create a new middleware class or take advantage of the Configure method pertaining to the Startup class as shown in the code snippet given below.

app.Use(async (context, next) =>
{
    // Add the custom header before passing control to the next component.
    context.Response.Headers.Add("Header-Key", "Header-Value");
    await next();
});

When you run the application, a new header with the name specified will be added to all responses.

Specify headers in web.config in ASP.NET Core 5

When working with ASP.NET Core or ASP.NET Core MVC 5 you no longer need a web.config file. However, using a web.config file is perfectly valid if you’re hosting your application in IIS. The following code snippet shows how you can add custom headers in the web.config file.

<?xml version="1.0" encoding="utf-8"?>
<configuration><system.webServer><httpProtocol><customHeaders>
        <add name="Header-Key" value="Header-Value" />
</customHeaders></httpProtocol></system.webServer></configuration>

When you run the above application and browse the GET endpoint using Postman, you should see the new header listed as shown in the screen image (Figure 1) below.


Figure 1.

Security headers in ASP.NET Core MVC 5

You can set certain HTTP header values to improve the security of web applications developed in ASP.NET Core MVC 5. These security headers when used properly can help protect an application.

The following is a list of some of the most widely used headers.

HTTP Strict-Transport-Security (HSTS)

You should take advantage of the HTTP Strict-Transport-Security header to prevent web pages from being served over plain HTTP, i.e., you can ensure that web pages will be transmitted only over HTTPS. It should be noted that ASP.NET Core MVC 5 framework contains a built-in middleware named HSTS. The following code snippet illustrates how we can take advantage of this middleware to impose this security restriction.

services.AddHsts(options =>
{
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(365);
});
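
Where the HSTS options above take effect in a full Startup class, shown as an added example that is not part of the original article. It assumes the application is actually served over HTTPS (the project created earlier had “Configure for HTTPS” unchecked) and uses the default MVC route from the project template.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // AddHsts only stores the options; no header is sent until UseHsts() runs.
        services.AddHsts(options =>
        {
            options.IncludeSubDomains = true;
            options.MaxAge = TimeSpan.FromDays(365);
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // Emits Strict-Transport-Security on HTTPS responses only; localhost,
            // 127.0.0.1 and [::1] are in ExcludedHosts by default.
            app.UseHsts();
        }

        // Redirects plain-HTTP requests so the browser reaches an HTTPS response
        // and can see the HSTS header in the first place.
        app.UseHttpsRedirection();

        app.UseStaticFiles();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```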


X-Frame-Options

The X-Frame-Options header prevents framing, i.e., it prevents browsers from rendering your web page within another web page, and thus prevents other websites from using your content. X-Frame-Options can be added using the following piece of code.

context.Response.Headers.Add("X-Frame-Options", "DENY");


X-Xss-Protection

The X-Xss-Protection header will cause modern-day browsers to stop loading the web page when they detect a cross-site scripting attack. The following code snippet shows how this header can be added.

context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");

In the preceding code snippet, the value “1” implies enabled and the mode of “block” implies the web browser.


X-Content-Type-Options

The X-Content-Type-Options header is used to indicate that the MIME types specified in the Content-Type headers are deliberately configured and should not be changed by the browser. This header prevents MIME sniffing, which can be used by attackers to turn non-executable MIME types into executable ones.



Referrer-Policy

When you click on a link in the website you’re currently browsing, the control is transferred to the linked site. In addition, referrer data such as the URL could also be passed. If this URL includes the path and query string, then user privacy or security could be compromised. You can disable this behavior using the Referrer-Policy header as shown in the code snippet given below.

context.Response.Headers.Add("Referrer-Policy", "no-referrer");


X-Permitted-Cross-Domain-Policies

This header can be used to indicate if Adobe products are allowed to render the web page from a different domain than yours. In other words, like X-Frame-Options above, this header protects you against website spoofing or unauthorized use of your content. As an example, if you’re using Flash in your application, you can prevent clients from making cross-site requests using the X-Permitted-Cross-Domain-Policies header using the following code snippet.

context.Response.Headers.Add("X-Permitted-Cross-Domain-Policies", "none");


X-Powered-By

The X-Powered-By header is added to the web.config file to identify the server technology (e.g., IIS) being used. You can remove this header if you’ve used a web.config file that has the X-Powered-By specified.


Feature-Policy

The Feature-Policy header is used to specify all of the features your application needs.

context.Response.Headers.Add("Feature-Policy", "camera 'none'; geolocation 'none'; microphone 'none'; usb 'none'");


Content-Security-Policy

Content Security Policy is a security policy that is used to control the resources that a web page is allowed to load. It represents an extra layer of security that is implemented via a Content-Security-Policy header in an HTTP response. Content-Security-Policy is used to detect and mitigate certain types of attacks such as cross-site scripting attacks and data injection attacks.

The following code snippet illustrates how this header can be used.

app.Use(async (ctx, next) =>
{
    ctx.Response.Headers.Add("Content-Security-Policy",
    "default-src 'self'; report-uri /idgreport");
    await next();
});
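
The "new middleware class" option mentioned earlier, applied to the headers covered in this article; this is an added example, not code from the original article. The names SecurityHeadersMiddleware, SecurityHeadersExtensions and UseSecurityHeaders are illustrative, and the X-Content-Type-Options value "nosniff" is the standard one, since the article gives no snippet for that header.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Added example: class and method names are illustrative, not from the article.
public class SecurityHeadersMiddleware
{
    // Values are the ones used in the article's snippets; "nosniff" is the
    // standard value for X-Content-Type-Options.
    private static readonly Dictionary<string, string> SecurityHeaders = new Dictionary<string, string>
    {
        ["X-Frame-Options"] = "DENY",
        ["X-Xss-Protection"] = "1; mode=block",
        ["X-Content-Type-Options"] = "nosniff",
        ["Referrer-Policy"] = "no-referrer",
        ["X-Permitted-Cross-Domain-Policies"] = "none",
        ["Feature-Policy"] = "camera 'none'; geolocation 'none'; microphone 'none'; usb 'none'",
        ["Content-Security-Policy"] = "default-src 'self'; report-uri /idgreport"
    };

    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting fires just before the response headers are sent, so the values
        // are still applied if a later component clears the response headers
        // (an exception handler, for instance).
        context.Response.OnStarting(() =>
        {
            foreach (var header in SecurityHeaders)
            {
                // The indexer overwrites; Headers.Add throws on a duplicate key.
                context.Response.Headers[header.Key] = header.Value;
            }
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

public static class SecurityHeadersExtensions
{
    // Register early in Startup.Configure: app.UseSecurityHeaders();
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}
```

HSTS is left to the built-in middleware and is not set here.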

Security headers are essential to the security of a website. They can be used to help protect a website against the types of attacks your website will likely encounter such as cross-site scripting, code injection, and clickjacking. You can validate if you’ve set the security headers for your website properly at this link.
