How to add HTTP response headers to regular asp.net and asp.net core

By adding additional headers to your HTTP responses, you can help the browsers to protect the users as well as your site.

In regular asp.net you add the HTTP headers to the config file like this:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff"/>
      </customHeaders>
    </httpProtocol>

But if you are working with asp.net core you instead configure the HTTP request pipeline by adding code to the Configure function in the Startup.cs file:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.Use(async (c, n) =>
            
        c.Response.Headers.Add("X-Content-Type-Options", "nosniff")
        await n.Invoke()
    });

You could also use a NuGet packages for it like NWebsec.AspNetCore.Middleware making it harder to misspell anything. Also every header becomes a one-liner instead:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
	app.UseXContentTypeOptions();

And as a last option you could configure your webhost to deliver the http header as well, just search how for your choice of server.

How to add HTTP response headers to regular asp.net and asp.net core

Cecilia Wirén

Cecilia Wirén

The XML backdoor

X-Content-Type-Options