From affolternet-web-api
Configure security headers, CORS, and the IConfigurableOptions pattern for affolterNET.Web.Api. Use when setting up CSP, HSTS, CORS policies, or custom options.
Slash command: /affolternet-web-api:security
Summary:
Configure security headers, CORS, and the options pattern.
For complete reference, see Library Guide.
Security headers (appsettings.json):

```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "EnableHsts": true,
        "EnableXFrameOptions": true,
        "EnableXContentTypeOptions": true,
        "EnableReferrerPolicy": true,
        "ContentSecurityPolicy": "default-src 'self'"
      }
    }
  }
}
```
Enable the security headers when registering the API services:

```csharp
var options = builder.Services.AddApiServices(isDev, config, opts => {
    opts.EnableSecurityHeaders = true;
});
```
CORS (appsettings.json):

```json
{
  "affolterNET": {
    "Web": {
      "Cors": {
        "AllowedOrigins": ["https://app.example.com", "https://admin.example.com"],
        "AllowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "AllowedHeaders": ["Content-Type", "Authorization"],
        "AllowCredentials": true,
        "MaxAge": 3600
      }
    }
  }
}
```
All options follow a three-tier configuration pattern:
```csharp
// 1. Defaults are set in the constructor
// 2. appsettings.json values override the defaults
// 3. Lambda configuration overrides appsettings
var options = builder.Services.AddApiServices(isDev, config, opts => {
    // This lambda is tier 3 - highest priority
    opts.ConfigureApi = api => {
        api.AuthMode = AuthenticationMode.Authorize;
    };
});
```
| Section | Options Class |
|---|---|
| affolterNET:Web:SecurityHeaders | SecurityHeadersOptions |
| affolterNET:Web:Cors | AffolterNetCorsOptions |
| affolterNET:Web:Auth:Provider | AuthProviderOptions |
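To make the three-tier precedence concrete, here is an added example (not affolterNET's own code) that resolves a stand-in `SecurityHeadersOptions` class through defaults, configuration and a lambda using Microsoft.Extensions.Configuration. The property names and section key match the JSON above; the class shape and the `Resolve` helper are assumptions, and the in-memory configuration is a constructed stand-in for appsettings.json.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;   // Bind() also needs Microsoft.Extensions.Configuration.Binder

// Stand-in for SecurityHeadersOptions (assumed shape): tier 1 defaults live in the initializers.
public sealed class SecurityHeadersOptions
{
    public bool EnableHsts { get; set; } = true;
    public bool EnableXFrameOptions { get; set; } = true;
    public bool EnableXContentTypeOptions { get; set; } = true;
    public bool EnableReferrerPolicy { get; set; } = true;
    public string ContentSecurityPolicy { get; set; } = "default-src 'self'";
}

public static class OptionsDemo
{
    // Section key as listed in the configuration table.
    public const string Section = "affolterNET:Web:SecurityHeaders";

    // Hypothetical helper that applies the three tiers in order of increasing priority.
    public static SecurityHeadersOptions Resolve(
        IConfiguration config, Action<SecurityHeadersOptions>? configure = null)
    {
        var opts = new SecurityHeadersOptions();   // tier 1: constructor defaults
        config.GetSection(Section).Bind(opts);      // tier 2: only keys present in config change
        configure?.Invoke(opts);                    // tier 3: the lambda wins over everything
        return opts;
    }

    public static void Main()
    {
        // Constructed stand-in for appsettings.json: it tightens the CSP and disables HSTS.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                [$"{Section}:ContentSecurityPolicy"] = "default-src 'none'; frame-ancestors 'none'",
                [$"{Section}:EnableHsts"] = "false",
            })
            .Build();

        // The lambda forces HSTS back on, as a deployment-specific override would.
        var resolved = Resolve(config, o => o.EnableHsts = true);

        // CSP comes from tier 2, EnableHsts from tier 3, EnableXFrameOptions keeps its tier-1 default.
        Console.WriteLine($"CSP:  {resolved.ContentSecurityPolicy}");
        Console.WriteLine($"HSTS: {resolved.EnableHsts}");
        Console.WriteLine($"XFO:  {resolved.EnableXFrameOptions}");
    }
}
```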
```csharp
// CORS is typically more permissive in development
// The isDev flag passed to AddApiServices handles this
var options = builder.Services.AddApiServices(
    builder.Environment.IsDevelopment(),
    builder.Configuration);
```
A stricter CSP (appsettings.json):

```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "ContentSecurityPolicy": "default-src 'none'; frame-ancestors 'none'"
      }
    }
  }
}
```
When a cross-origin request is blocked, verify that:

- AllowedOrigins includes the exact origin (including protocol and port)
- AllowedMethods includes the HTTP method being used
- AllowCredentials is true if sending cookies/auth headers

For CSP, add a report-uri directive for monitoring.

Install the plugin with:

```shell
npx claudepluginhub affolternet/affolternet.web --plugin affolternet-web-api
```