I have an application stack that uses several subdomains of subdomains, e.g. develop.api.module.mydomain.com.

develop.api.module.mydomain.com is a .NET Core 3.1 API.

I set the headers using NWebsec.AspNetCore.Middleware, e.g.:

        app.UseXfo(xfo => xfo.Deny());
        app.UseXXssProtection(options => options.EnabledWithBlockMode());
        app.UseXContentTypeOptions();
        app.UseReferrerPolicy(opts => opts.NoReferrer());

When I make a request to the API at this URL, I can see the response headers are set correctly, as expected.

BUT! securityheaders.io isn't happy :)

Is that something I can fix in terms of getting securityheaders.io to recognise the response headers are indeed coming back?

Andrew Duffy
  • Is it index.html where you see the correct response headers, or a request to `/`? A static file can easily be different. – Gabor Lengyel Sep 07 '21 at 17:42
  • I believe if you have hosted the app on a web server the likes of nginx, Apache or even Azure function or in Docker, those headers should be specified in the server's config, e.g. .htaccess or *.conf or Azure proxies... relevant based on the hosting service. – rey_coder Sep 10 '21 at 23:07

0 Answers
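One way to check the point raised in the comments, namely whether the four headers are present on every response a scanner might request and not only on the API route viewed in the browser. This is an added example, not part of the original question; the function names and the sample responses are constructed, and the expected values are those the NWebsec calls in the question produce.

```python
import urllib.error
import urllib.request

# Values expected from the NWebsec configuration shown in the question.
EXPECTED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

def audit(headers):
    """Return {header: problem} for each expected header that is missing or different."""
    got = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    problems = {}
    for name, want in EXPECTED.items():
        have = got.get(name.lower())
        if have is None:
            problems[name] = "missing"
        elif have.lower() != want.lower():
            problems[name] = f"unexpected value {have!r}"
    return problems

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx response itself instead of following it

def fetch(url, method="GET"):
    """Fetch one URL without following redirects; return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method=method), timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry headers
        return err.code, dict(err.headers.items())

def compare(responses):
    """responses: {label: (status, headers)} -> {label: problems} for failing responses only."""
    return {label: p for label, (_status, h) in responses.items() if (p := audit(h))}

if __name__ == "__main__":
    # Constructed sample: an API route with all four headers and a bare 404 on "/".
    full = {"X-Frame-Options": "Deny", "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer"}
    sample = {"GET /api/route": (200, full), "GET /": (404, {"Server": "Kestrel"})}
    for label, problems in compare(sample).items():
        print(label, problems)
```

To run it against a live host, build the `responses` dictionary from `fetch()` calls for the exact URL submitted to the scanner as well as the API route, with both `GET` and `HEAD`.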