Is it possible to add multiple Content Security Policy directive in Asp.net Web.config?


You may want to use NWebsec. Please look at the following example from Troy Hunt (http://www.troyhunt.com/2015/05/implementing-content-security-policy.html):

 <content-Security-Policy enabled="true">
  <default-src self="true" />
  <script-src unsafeInline="true" unsafeEval="true" self="true">
    <add source="https://www.google.com" />
    <add source="https://www.google-analytics.com" />
    <add source="https://cdnjs.cloudflare.com" />
  </script-src>
  <style-src unsafeInline="true" self="true">
    <add source="https://cdnjs.cloudflare.com"/>
  </style-src>
  <img-src self="true">
    <add source="https://az594751.vo.msecnd.net"/>
    <add source="https://www.google.com"/>
    <add source="https://www.google-analytics.com" />
  </img-src>
  <font-src>
    <add source="https://cdnjs.cloudflare.com"/>
  </font-src>
  <object-src none="false" />
  <media-src none="false" />
  <frame-src none="false" />
  <connect-src none="false" />
  <frame-ancestors none="false" />
  <report-uri enableBuiltinHandler="true"/>
</content-Security-Policy>

NWebsec is an easy-to-use security library for ASP.NET applications. With a few lines of config it lets you set important security headers, detect potentially dangerous redirects, control cache headers, and remove version headers. See the project website for documentation.

I believe it's capable of adding multiple CSP directives.

https://www.nuget.org/packages/NWebsec


Author: jtabuloc

Updated on June 04, 2022

Comments

  • jtabuloc (almost 2 years ago)

    I'm currently applying security measures in our Asp.net applications and had to solve a few issues like X-Frame-Options, but had difficulties with how to add multiple Content Security Policy directives.

    I've searched a lot and haven't found an exact solution on how to add multiple CSP directives in web.config, only through code like blog.simontimms.com.

    Currently this is the CSP I have :

    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Frame-Options" value="ALLOW-FROM http://subdomain.domain.com" />
        <add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com" />
      </customHeaders>
    </httpProtocol>
    

    My question is: how do I add multiple Content Security Policy directives in Asp.net web.config? I tried the configuration below, delimited by semicolons, but it doesn't work :(

    <add name="Content-Security-Policy" value="frame-ancestors http://subdomain.domain.com; img-src *; " />
    

    Update:

    I think the above code was the right syntax for adding multiple directives. I only missed 'self' right after frame-ancestors, which caused an error at run-time and made me think that it was wrong at first.

    Additional information:

    If you run into issues where you have a lot of sub-domains, you can put a wildcard '*' on it like:

    <add name="Content-Security-Policy" value="frame-ancestors 'self' http://*.domain.com; img-src *; " />
    
  • SOReader (about 7 years ago)
    How do you vary it based on resource location, as described at the bottom of the following article? pokeinthe.io/2016/04/09/black-icons-with-svg-and-csp
  • Lincon Ribeiro (over 4 years ago)
    For those looking for more info about where to put this in web.config, here is the link: docs.nwebsec.com/en/4.1/nwebsec/Configuration.html
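Both routes discussed on this page, NWebsec's structured `<content-Security-Policy>` section in the answer and the raw `<customHeaders>` value in the question, end up as a single header value in which directives are separated by semicolons and keyword sources such as `self` and `none` are single-quoted (a bare `self` is parsed as a host named "self" and never matches your own origin, which is the trap the question ran into). The script below is an added example written for this page; it is not code from the original post, from NWebsec, or from Troy Hunt. It builds a header value from a directive map shaped like the NWebsec config, pulls a header value back out of a web.config fragment, and lints it for unquoted keywords and over-broad sources. The `SAMPLE_WEB_CONFIG` text and the `POLICY` map are constructed for the example; the hostnames in them are placeholders.

```python
"""Compose and check a Content-Security-Policy header value for an ASP.NET
web.config <customHeaders> entry (added example, not from the original post)."""
import xml.etree.ElementTree as ET

# CSP keywords match only when single-quoted; a bare `self` is parsed as a
# host named "self" and never matches the site's own origin.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Sources that widen a directive far enough to defeat its purpose.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def build_csp(directives):
    """Serialize {directive: [sources]} into one header value.

    Directives are separated by "; " and sources within a directive by spaces;
    this is the shape NWebsec emits from its per-directive config elements.
    """
    parts = [" ".join([name, *sources]) for name, sources in directives.items()]
    return "; ".join(parts)


def parse_csp(value):
    """Split a header value into {directive: [sources]}; a trailing ';' is fine."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(value):
    """Return human-readable findings for a header value (empty list = clean)."""
    findings = []
    for name, sources in parse_csp(value).items():
        for src in sources:
            bare = src.strip("'")
            quoted = len(src) > 2 and src.startswith("'") and src.endswith("'")
            if bare in KEYWORDS and not quoted:
                findings.append(f"{name}: {bare} must be written as '{bare}'")
            if src in RISKY:
                findings.append(f"{name}: {src} is too broad")
    return findings


def csp_from_web_config(xml_text):
    """Return the Content-Security-Policy value from <customHeaders>, or None."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("name", "").lower() == "content-security-policy":
            return add.get("value", "")
    return None


# Constructed sample in the shape used in the question, with quoted 'self'.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="Content-Security-Policy"
             value="frame-ancestors 'self' https://*.domain.com; img-src 'self' https://cdnjs.cloudflare.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Constructed directive map in the spirit of the NWebsec config in the answer.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdnjs.cloudflare.com"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'self'", "https://*.domain.com"],
}

if __name__ == "__main__":
    print(build_csp(POLICY))
    # The question's first attempt: unquoted self plus a wildcard img-src.
    print(lint_csp("frame-ancestors self http://subdomain.domain.com; img-src *; "))
    print(lint_csp(csp_from_web_config(SAMPLE_WEB_CONFIG)))
```

Two caveats the linter's findings point at: `img-src *` permits images from any origin, so use it only if that is really intended, and when `frame-ancestors` is present a CSP-aware browser uses it in preference to `X-Frame-Options`; `ALLOW-FROM` in particular was never supported by Chrome or Safari, so `frame-ancestors` is the directive that actually carries the framing policy.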