Is it possible to add multiple Content Security Policy directive in Asp.net Web.config?

jtabuloc · Nov 3, 2015 · Viewed 15.1k times

I'm currently applying security measures in our Asp.net applications and had to solve a few issues like x-frame-options, but had difficulties with how to add multiple Content Security Policy directives.

I've searched a lot and haven't found an exact solution on how to add multiple CSP directives in web.config, but only through code, like blog.simontimms.com.

Currently this is the CSP I have:

<httpProtocol>
  <customHeaders>
    <clear />
    <add name="X-Frame-Options" value="ALLOW-FROM http://subdomain.domain.com" />
    <add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com" />
  </customHeaders>
</httpProtocol>

My question is how to add multiple Content Security Policy directives in Asp.net web.config? I tried the configuration below, delimited by semicolons, but it doesn't work :(

<add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com; img-src *; " />

Update:

I think the above code was the right syntax for adding multiple directives. I only missed 'self' right after frame-ancestors, which caused an error at run-time and made me think it was wrong at first.

Additional information:

If you run into issues where you have a lot of sub-domains, you can put a wildcard '*' on it like:

<add name="Content-Security-Policy" value="frame-ancestors 'self' http://*.domain.com; img-src *; " />
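Added example (not part of the question or either answer): a small Python checker for the web.config approach discussed above. It reads the customHeaders section of a constructed web.config modelled on the corrected header, splits the Content-Security-Policy value into its semicolon-separated directives, and lints the framing-related headers: it checks that the origin named in X-Frame-Options ALLOW-FROM is actually covered by frame-ancestors (including the `http://*.domain.com` wildcard form) and flags directives that allow any origin with `*`. The web.config text, the finding messages and the helper names are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed web.config fragment, modelled on the corrected header above.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Frame-Options" value="ALLOW-FROM http://subdomain.domain.com" />
        <add name="Content-Security-Policy" value="frame-ancestors 'self' http://*.domain.com; img-src *; " />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def custom_headers(config_xml):
    """Return {header-name: value} from <httpProtocol><customHeaders>."""
    root = ET.fromstring(config_xml)
    section = root.find(".//httpProtocol/customHeaders")
    headers = {}
    if section is not None:
        for add in section.findall("add"):
            if add.get("name") and add.get("value") is not None:
                headers[add.get("name")] = add.get("value")
    return headers


def parse_csp(value):
    """Split a CSP header value into an ordered mapping directive -> [sources].

    Directives are separated by ';' (a trailing ';' is harmless), tokens within
    a directive by whitespace, and directive names are case-insensitive. If a
    directive name appears twice, the first occurrence wins and the rest are
    ignored, which is how browsers treat duplicates.
    """
    policy = OrderedDict()
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Rebuild a header value from the structured form (inverse of parse_csp)."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def origin_matches(origin, source):
    """True if an origin (scheme://host) is covered by one CSP host-source.

    Handles the forms used on this page: scheme://host, a leading '*.' wildcard
    label (which matches subdomains only, not the bare domain), and scheme-less
    hosts. Quoted keywords such as 'self' never match, because the site's own
    origin is not known from web.config alone.
    """
    o_scheme, _, o_host = origin.lower().partition("://")
    if "://" in source:
        s_scheme, _, s_host = source.lower().partition("://")
        if s_scheme != o_scheme:
            return False
    else:
        s_host = source.lower()
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])  # s_host[1:] is ".domain.com"
    return o_host == s_host


def lint_framing(headers):
    """Return a list of findings (strings) about the framing-related headers."""
    findings = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors directive in Content-Security-Policy")
    m = re.match(r"ALLOW-FROM\s+(\S+)", headers.get("X-Frame-Options", ""), re.I)
    if m and ancestors is not None:
        origin = m.group(1)
        if not any(origin_matches(origin, s) for s in ancestors):
            findings.append(
                f"X-Frame-Options ALLOW-FROM origin {origin} is not covered by frame-ancestors")
    for name, sources in csp.items():
        if "*" in sources:
            findings.append(f"{name} allows any origin ('*')")
    return findings


if __name__ == "__main__":
    hdrs = custom_headers(WEB_CONFIG)
    print(serialize_csp(parse_csp(hdrs["Content-Security-Policy"])))
    for finding in lint_framing(hdrs):
        print("finding:", finding)
```

Run against the constructed config it reports only that `img-src *` allows any origin; the ALLOW-FROM origin `http://subdomain.domain.com` is covered by the `http://*.domain.com` wildcard, while the bare `http://domain.com` would not be.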

Answer

Mehmet Ince · Nov 3, 2015

You may want to use NWebsec. Please look at the following example from Troy Hunt (http://www.troyhunt.com/2015/05/implementing-content-security-policy.html).

<content-Security-Policy enabled="true">
  <default-src self="true" />
  <script-src unsafeInline="true" unsafeEval="true" self="true">
    <add source="https://www.google.com" />
    <add source="https://www.google-analytics.com" />
    <add source="https://cdnjs.cloudflare.com" />
  </script-src>
  <style-src unsafeInline="true" self="true">
    <add source="https://cdnjs.cloudflare.com"/>
  </style-src>
  <img-src self="true">
    <add source="https://az594751.vo.msecnd.net"/>
    <add source="https://www.google.com"/>
    <add source="https://www.google-analytics.com" />
  </img-src>
  <font-src>
    <add source="https://cdnjs.cloudflare.com"/>
  </font-src>
  <object-src none="false" />
  <media-src none="false" />
  <frame-src none="false" />
  <connect-src none="false" />
  <frame-ancestors none="false" />
  <report-uri enableBuiltinHandler="true"/>
</content-Security-Policy>

NWebsec is an easy to use security library for ASP.NET applications. With a few lines of config it lets you set important security headers, detect potentially dangerous redirects, control cache headers, and remove version headers. See the project website for documentation.

I believe it's capable of adding multiple lines of CSP rules.

https://www.nuget.org/packages/NWebsec