Story behind the project

SafeWebCore was born from 28+ years of real-world experience building web applications that must perform under pressure. Inconsistent security headers across projects led to audit failures and exposure. The goal: a reusable, strict foundation that gives teams A+ security out of the box — built to the same standard we demand from client work.

Problem this solves

Many .NET teams struggle with fragmented header configuration. CSP, HSTS, COOP/COEP, Permissions Policy and Referrer-Policy are set differently per project, often incomplete or overly permissive. Result: weak A+ scores, XSS risks, and maintenance pain as browsers tighten rules. Without nonce support for inline scripts/styles in Razor Pages, true CSP requires unsafe-inline.

Architecture

Middleware + strongly-typed Options pattern with strict defaults. Path-based policies for exceptions without weakening the baseline. Nonce integration for scripts and styles in Razor via SafeWebCore CSP nonce provider. Minimal runtime overhead: headers computed once and cached per request.

graph TD
    A[Request] --> B[NetSecureHeadersMiddleware]
    B --> C{Path Policy?}
    C -->|Match| D[Apply Strict Policy + Nonces]
    C -->|No| E[Fallback to Baseline]
    D --> F[Add CSP + HSTS + COOP/COEP]
    E --> F
    F --> G[Response]

Lessons learned

Security must live in the defaults, not optional configuration. Great DX and clear validation drive adoption. After 28 years we see that 'configure it yourself' always leaves gaps. By making nonces, A+ defaults and Razor integration first-class, the secure path becomes the easy path. No jQuery, no unsafe-inline, no compromises.

Screenshots

SafeWebCore screenshot

Code snippets

SafeWebCore
// Program.cs / Startup - one line for A+ baseline
builder.Services.AddNetSecureHeadersStrictAPlus();
app.UseNetSecureHeaders();

// Razor Page with nonce (automatic via Context)
<script nonce="@Context.GetCspNonce()">/* safe inline */</script>
<style nonce="@Context.GetCspNonce()">/* safe inline styles */</style>
SafeWebCore
// Custom path policy example
options.PathPolicies.Add("/admin/*", new NetSecureHeadersOptions
{
    ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'nonce-{nonce}'",
    PermissionsPolicy = "geolocation=(), camera=()"
});

Ready to use?

View the full source, documentation and releases on GitHub. Open source under MIT license.

View on GitHub Discuss integration