This article shows how to improve the security of an Umbraco 9 application by adding security headers to all HTTP Razor Page responses. In this article I'll show how to add security headers using the NetEscapades.AspNetCore.SecurityHeaders Nuget package from Andrew Lock.

If you would prefer to do this without using a package, please see the example at the bottom of this post.

First you will need to install the following two packages into the project containing the Umbraco 9 Website (the project containing the Startup.cs file).

dotnet add package NetEscapades.AspNetCore.SecurityHeaders
dotnet add package NetEscapades.AspNetCore.SecurityHeaders.TagHelpers

The NetEscapades.AspNetCore.SecurityHeaders contains the core functionality of the package.

The NetEscapades.AspNetCore.SecurityHeaders.TagHelpers package contains tag helpers which allow you to use the CSP nonce in the Razor Pages.

We highly recommend taking a look at to run a test of your website, the documentation found on the results page explains what each header protects extremely well.

The first class we need to create is called HeaderPolicyCollection.cs, by using this file to contain the header definitions we can keep the Startup.cs tidy.

In this policy as much is blocked as possible, you will need to customise to work with your website.

I highly recommend working through this alongside the readme from the GitHub repository:

Now you will need to add this to your Startup.cs class within the Configure method


If you are running the site with Kestrel, you can remove the server header by changing webuilder as follows in your program.cs file

    .ConfigureKestrel(options => 
        options.AddServerHeader = false)

If you are running the site with IIS, then you will need to add the following to your web.config

    <requestFiltering removeServerHeader="true" />

Next you will want to allow the CSP nonce to be used with the Razor Pages, to do this you need to add the NetEscapades.AspNetCore.SecurityHeaders to the _ViewImports.cshtml file.

@using NetEscapades.AspNetCore.SecurityHeaders

You can use the NonceTagHelper with an element by adding the following attribute:


Alternatively if you wish to use the HashTagHelper you can dd the following attribute:


Optionally you can choose between SHA256 or SHA512 by adding the following attribute:


If you would prefer not to use the tag helpers, you can retrieve the CSP nonce within a Razor Page from the HttpContext as follows:

var nonce = Context.GetNonce();

And it can be used with a script or css file by adding the following attribute:


If you would prefer to configure permissions without using a NuGet package then in your Startup.cs file you can add the following within the Configure method:

app.Use(async (context, next) =>
    context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
    context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade");
    context.Response.Headers.Add("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
    context.Response.Headers.Add("Content-Security-Policy", "");
    await next();

Please note: The above Content-Security-Header has had the contents removed for abbreivation, you will need to enter your own requirements here for it to work.

For further reading I highly recommend the following links:

This post is based on the post by damienbod which can be found here


Post a comment

Fields marked with an * (asterisk) are required

Recent Posts

Umbraco Medium Security Vulnerability - 21st Ma...

Security patch now availabl...

Umbraco V14 - Why we won't be offering builds,...

We explain why we will not...

Tips & Tricks
How to use Cloudflare Workers and Transform Rul...

This post explains how to m...

UmbHost Limited is now a Silver Umbraco Partner

We are now officially a Sil...

How to pass a Content Security Nonce (CSP) to G...

How to use a CSP nonce with...

Browse Umbraco Hosting

Umbraco Hosting Starting At $26/month