Is CSP (Content Security Policy) activated by default in .net core 3.1? Or does it need be added manually in the startup?
sorry if this has been asked here before but I can't seem to find the answer.
The framework doesn't have any way of knowing what specific content policy would be appropriate for your application, so it cannot add one by default. You need to add one yourself.
It's fairly straightforward to do, using middleware. For example, you can just set up a delegate:
app.Use(async (context, next) =>
{
context.Response.Headers.Add("Content-Security-Policy", "...");
await next();
});
But don't let its simplicity fool you. Be thoughtful: there are several things you'll want to consider when deciding specifically what content security policy to use, and when to apply it. For example, in your development environment, you may want a different security policy (e.g. one that doesn't require the use of https
) than when you're in production. Also consider whether your client-side code is using application technologies that need to allow things like iframes, 'unsafe-inline'
scripts, etc.
Once you've crafted a Content Security Policy, run it through Google's CSP Evaluator to get insights to things you might not have considered.