The ultimate guide to adding security headers in ASP.NET Core. Some features are built-in to core using middleware while others require manual work.

Utilize elmah.io to store actual Content-Security-Policy errors happening in your users browsers. We've developed a simple proxy to make it easy.

In this post, I'll explain the Content-Security-Policy header and how to set it up in an ASP.NET, MVC or Web API application. For existing websites, I'll show you how to add all the required bits gradually, by utilizing tools built into most modern browsers and elmah.io. Make sure no-one injects code on your website.

Improving the security in your ASP.NET MVC and Web API app is easy using custom headers and a bit of C#. Using this guide, you will learn about the entire list of headers needed to make it hard for hackers to exploit your website. No need to browse through outdated blog posts or MSDN articles. This is all you need.