Skip to main content
Version: Next

Security Headers

Sharkable provides an opt-in middleware that adds standard security HTTP response headers. All headers are disabled by default — you choose which ones to enable.

Quick Start

builder.Services.AddShark(opt =>
{
opt.ConfigureSecurityHeaders(h =>
{
h.ContentTypeOptions = true;
h.FrameOptions = "DENY";
h.ReferrerPolicy = "no-referrer";
h.StrictTransportSecurity = true;
});
});

var app = builder.Build();
app.UseShark();

This adds X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: no-referrer, and Strict-Transport-Security: max-age=31536000 to every response.

Configuration

opt.ConfigureSecurityHeaders(h =>
{
h.ContentTypeOptions = true;
h.FrameOptions = "DENY";
h.ReferrerPolicy = "strict-origin-when-cross-origin";
h.ContentSecurityPolicy = "default-src 'none'";
h.PermissionsPolicy = "geolocation=()";
h.StrictTransportSecurity = true;
h.HstsMaxAge = 63072000;
h.CrossOriginResourcePolicy = "same-origin";
h.CrossOriginOpenerPolicy = "same-origin";
h.CrossOriginEmbedderPolicy = "require-corp";
h.ExcludePaths = ["/healthz", "/openapi"];
});
OptionTypeDefaultDescription
ContentTypeOptionsboolfalseAdds X-Content-Type-Options: nosniff
FrameOptionsstring?nullX-Frame-Options value (e.g. "DENY", "SAMEORIGIN")
ReferrerPolicystring?nullReferrer-Policy value
ContentSecurityPolicystring?nullContent-Security-Policy value
PermissionsPolicystring?nullPermissions-Policy value
StrictTransportSecurityboolfalseAdds HSTS with configurable max-age
HstsMaxAgeint31536000HSTS max-age in seconds (1 year)
CrossOriginResourcePolicystring?nullCross-Origin-Resource-Policy value
CrossOriginOpenerPolicystring?nullCross-Origin-Opener-Policy value
CrossOriginEmbedderPolicystring?nullCross-Origin-Embedder-Policy value
ExcludePathsstring[][]Path prefixes to skip (e.g. "/healthz")

How It Works

Headers are registered via context.Response.OnStarting() — they are added just before the first byte is written, so they appear on all responses including error responses. The middleware runs early in the pipeline (after response compression, before graceful shutdown).

AOT

Fully AOT-compatible. No reflection used.

Security

All user-supplied header values are validated at startup against CR/LF/NUL characters to prevent header injection attacks. Values containing these characters produce a startup error via ConfigurationValidator.