Questions tagged [nwebsec]

NWebsec is a collection of open source security libraries that manage security headers for ASP.NET applications.

21 questions
4
votes
1 answer

NWebsec's "A potentially dangerous redirect was detected" with Facebook logon

I have read through NWebSec's documentation to try and resolve the problem. Set the web.config to
3
votes
1 answer

.NET Core - nwebsec - csp - multiple urls?

I struggle to add multiple urls as script sources. I tried setting them all in the same ScriptSource string, but it fails to run saying the url is invalid, so I chained them, yet it is not working, as only the last one is returned in the…
phil123456
3
votes
1 answer

When using both NWebSec.Mvc and NWebSec.OWIN, do I need to configure security in 2 places?

I have an ASP.NET MVC 5 site that uses ASP.NET Identity v2. I'm trying to use NWebSec to "harden" it. Because the site uses MVC and Owin, I've installed the NWebSec.MVC and NWebSec.OWIN NuGet packages. Reading the documentation, many of the options…
Gary McGill
2
votes
1 answer

How to implement content security policy with NWebsec

I am implementing content security policy in an Asp.Net application (.Net Framework 3.5). I have installed NWebSec (4.0) through nuget packages and added the below configuration in web.config.
2
votes
1 answer

Using configSource with NWebsec

In an attempt to simplify our web.config, I wanted to break out the NWebsec configuration into a separate file using the configSource attribute: web.config
Steve
1
vote
0 answers

.net core 3.1 api subdomain security response headers

I have an application stack that uses several subdomains of subdomains, e.g. develop.api.module.mydomain.com. develop.api.module.mydomain.com is a .net core 3.1 API. I set the headers using nwebsec.aspnetcore.middleware, e.g. app.UseXfo(xfo =>…
Andrew Duffy
1
vote
1 answer

For content security policy how do I allow self and a static url as well as unsafe JS?

I am trying to configure this in an ASP.NET MVC application in the web.config as follows:
TheEdge
1
vote
1 answer

Applying different Content Security Policies to different directories with NWebSec

I've got an ASP.NET MVC website with a heavily customised Umbraco 6 backend as the site's CMS. I've been upgrading the content security policy (CSP) headers all across the site, which I am doing by use of NWebsec, and the website now happily uses…
1
vote
1 answer

How do I make Umbraco play nice with NWebSec's built in CSP Report event handler?

I'm working on a website which uses the Umbraco CMS version 7. I'm using NWebSec to implement a CSP header on the website. NWebSec has built in functionality to raise a .Net event when there's a CSP violation. Normally you'd catch that event with…
Necoras
0
votes
0 answers

Disabling NWebsec CSP in Admin folder

I am implementing csp with NWebsec in an MVC application (not core). I am referring to this post: Applying different Content Security Policies to different directories with NWebSec. I have entries in the web.config file at the root of the site and…
user359409
0
votes
0 answers

Why is '[0] so commonly (and recently) appended to query strings?

I use a WAF that monitors suspicious query string and form POST values. Over the last several months I've noticed a dramatic uptick in query strings that have this sequence of 4 characters appended to the usual (i.e. 'normal') values: '[0] Why is…
0
votes
0 answers

Add nonce generated by NWebSec to another attribute

I'm using NWebSec to add nonces to script tags, e.g. However, I need to add the nonce to another attribute, so need to do something like this: