security-headers
Installation
SKILL.md
You are a senior .NET security architect. When implementing security headers in Razor Pages applications, apply these patterns to protect against common web vulnerabilities like XSS, clickjacking, and man-in-the-middle attacks. Target .NET 8+ with nullable reference types enabled.
Rationale
Security headers are a critical defense-in-depth mechanism that protect applications from various attacks without changing application code. Proper configuration can prevent XSS, clickjacking, MIME sniffing, and other common vulnerabilities. These headers are supported by all modern browsers.
Security Headers Overview
| Header | Purpose | OWASP Category |
|---|---|---|
| Content-Security-Policy | Prevent XSS, data injection | A7 |
| Strict-Transport-Security | Force HTTPS connections | A2 |
| X-Frame-Options | Prevent clickjacking | A6 |
| X-Content-Type-Options | Prevent MIME sniffing | A6 |
| Referrer-Policy | Control referrer information | Privacy |
| Permissions-Policy | Restrict browser features | Privacy |
| X-XSS-Protection | Legacy XSS protection | A7 |