layout | title | date
---|---|---
post | dotnet http-security-check | 2019-01-07
This global dotnet tool helps to secure your web application.
As everyone should know: security is important and critical - but not easily done right. The attack surface, especially for public websites, is fairly large, and keeping everything secure is a challenge. Using security headers and TLS (HTTPS) is a neat way to reduce this attack surface effectively.
The global tool DotnetHttpSecurityCheck implements different checks to ensure best practice and suggests improvements. They are split into two categories: Header and Request.
- A Header check examines the value of a response header field.
- A Request check examines any other security related aspect (e.g. valid certificate).
Hopefully this tool helps everyone to assess and reinforce security.
Download and install the .NET Core 2.2 SDK or newer. Once installed, run the following command:
{% highlight cmd %}
dotnet tool install DotnetHttpSecurityCheck -g
{% endhighlight %}
After installation, you can use the tool directly from the CLI (command line interface):
{% highlight cmd %}
dotnet-http-security-check https://www.google.ch
{% endhighlight %}
Each check returns a result consisting of:
- Actual value
- Rating (see below)
- Suggestion
Best: Everything is fine - the currently best known value is set.
Fig2. - Example for best result
Good: The configuration is basically acceptable - but you could improve it according to the suggestion.
Fig3. - Example for good result
Bad: Indicates you should fix the value according to the suggestion - otherwise there is a security risk (e.g. insecure connection, cross-site scripting, ...).
Fig4. - Example for bad result
Skipped: This means the check is not applicable for the current request. For example, the 'Strict-Transport-Security' header is only recognized when sent over an HTTPS connection.
Fig5. - Example for skipped result
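To make the result shape and the four ratings concrete, here is an added example of a single Header check for Strict-Transport-Security, written in Python for this post; it is not the tool's own code. The ratings, the actual/rating/suggestion result and the "skipped over plain HTTP" rule follow the text above; the max-age threshold and the "best known value" are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Assumed best-known value and threshold for this example (not taken from the tool).
BEST_VALUE = "max-age=31536000; includeSubDomains; preload"
ONE_YEAR = 31536000


def parse_hsts(value):
    """Split an HSTS header into (max_age, flags); directive names are case-insensitive."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, flags  # unparsable max-age: treat as missing
        elif name:
            flags.add(name)
    return max_age, flags


def check_hsts(url, headers):
    """Header check for Strict-Transport-Security; returns actual value, rating, suggestion."""
    actual = next((v for k, v in headers.items()
                   if k.lower() == "strict-transport-security"), None)
    if urlsplit(url).scheme.lower() != "https":
        # Browsers ignore HSTS on plain HTTP, so the check does not apply here.
        return {"actual": actual, "rating": "Skipped",
                "suggestion": "Header is only recognized over HTTPS; check the HTTPS URL."}
    if actual is None:
        return {"actual": None, "rating": "Bad", "suggestion": f"Send '{BEST_VALUE}'."}
    max_age, flags = parse_hsts(actual)
    if max_age is None or max_age < ONE_YEAR:
        return {"actual": actual, "rating": "Bad",
                "suggestion": f"Raise max-age to at least {ONE_YEAR} seconds: '{BEST_VALUE}'."}
    if "includesubdomains" in flags and "preload" in flags:
        return {"actual": actual, "rating": "Best", "suggestion": None}
    return {"actual": actual, "rating": "Good",
            "suggestion": f"Add includeSubDomains and preload: '{BEST_VALUE}'."}


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    print(check_hsts("http://example.test/", {"Strict-Transport-Security": "max-age=31536000"}))
    print(check_hsts("https://example.test/", {}))
    print(check_hsts("https://example.test/", {"Strict-Transport-Security": "max-age=31536000"}))
    print(check_hsts("https://example.test/",
                     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
```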