johnstaveley / SecurityEssentials

Raise your baseline in security by using this as your template instead of default Mvc project. Keep your app secure by continuously applying Security rules

Content Security Policy #7

Closed feldrim closed 7 years ago

feldrim commented 7 years ago

A content security policy is missing in web.config. I believe it would be good to let Nwebsec handle setting a defense in depth.

johnstaveley commented 7 years ago

Hi, the CSP is enabled through the class HttpHeaders. You can also achieve the same effect by using web.config. All the headers NWebSec covers are enabled in the application. NWebSec does not enable defense in depth; it just enables headers. In terms of the OWASP Top Ten, NWebSec does not protect you against the majority of issues in it, hence the need for this project.
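The web.config route mentioned above, as an added illustration that is not code from this repository: on ASP.NET under IIS, the same response headers can be emitted statically from the `customHeaders` section, so a reviewer grepping web.config for `Content-Security-Policy` would find it there. The policy values are assumptions for a typical MVC app, not the policy this project ships; tighten or loosen `script-src`, `style-src` and `connect-src` to match the app's real origins.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example only (not SecurityEssentials' own web.config). Emits the security
     headers on every response served by this site, including static files and
     IIS error pages, which a code-based HttpHeaders class may not cover. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the framework fingerprint that IIS adds by default. -->
        <remove name="X-Powered-By" />
        <!-- Assumed baseline policy: same-origin only, no plugins, no framing,
             and a locked base URI so injected <base> tags cannot redirect
             relative script loads. -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" />
        <!-- The rest of the header set a static config can carry. -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The caveat that decides between the two approaches: a header set in web.config is a fixed string, so it cannot carry a per-request nonce or hash for inline scripts. If the app needs `'nonce-…'` values rather than `'unsafe-inline'`, the header has to be generated in code (the HttpHeaders class or NWebsec's attributes), and the web.config entry should be left out so the two do not emit conflicting policies. Before relying on either, confirm with a raw response (e.g. `curl -I https://host/`) that exactly one `Content-Security-Policy` header is present.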

feldrim commented 7 years ago

It's my fault for not seeing them. I hoped to see CSP in web.config and opened the issue when I couldn't. Of course, the term "defense in depth" is not necessarily a part of NWebsec but of the CSP, which means not the whole of the measures to be taken, only the last line of defense. I suggested NWebsec as a simple solution for CSP; however, it's already implemented. I guess it's OK to close the issue.