From affolternet-web-bff
Configure security headers, CORS, antiforgery, and the IConfigurableOptions pattern for affolterNET.Web.Bff. Use when setting up CSP, HSTS, CSRF protection, or custom options.
Slash command: /affolternet-web-bff:security

Summary (shown in Claude's skill listing and used to decide when to auto-load this skill): Configure security headers, CORS, antiforgery, and the options pattern.
For complete reference, see Library Guide.
Security headers (`affolterNET:Web:SecurityHeaders`):

```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "EnableHsts": true,
        "AllowedConnectSources": ["https://api.example.com"],
        "AllowedImageSources": ["https://cdn.example.com"],
        "CustomCspDirectives": {
          "script-src": "'self'"
        }
      }
    }
  }
}
```
CORS (`affolterNET:Web:Cors`):

```json
{
  "affolterNET": {
    "Web": {
      "Cors": {
        "AllowedOrigins": ["https://app.example.com"],
        "AllowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "AllowedHeaders": ["Content-Type", "Authorization", "X-XSRF-TOKEN"],
        "AllowCredentials": true
      }
    }
  }
}
```
Antiforgery (`affolterNET:Web:Auth:AntiForgery`):

```json
{
  "affolterNET": {
    "Web": {
      "Auth": {
        "AntiForgery": {
          "HeaderName": "X-XSRF-TOKEN",
          "CookieName": ".MyApp.Antiforgery"
        }
      }
    }
  }
}
```
Client side, the antiforgery token is sent in the configured header on every state-changing request:

```javascript
// Get the antiforgery token from the meta tag the server renders
// (undefined if the tag is missing; the server will then reject the request)
const token = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');

// Request payload (placeholder; replace with the data to send)
const data = { example: true };

// Include the token in the header configured as HeaderName (default shown: X-XSRF-TOKEN)
fetch('/api/data', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-XSRF-TOKEN': token
  },
  body: JSON.stringify(data)
});
```
All options follow a three-tier configuration pattern; the configure lambda passed to `AddBffServices` has the highest priority:

```csharp
var options = builder.Services.AddBffServices(isDev, config, opts => {
    // Lambda configuration (highest priority)
    opts.EnableSecurityHeaders = true;
});
```
| Section | Options Class |
|---|---|
| affolterNET:Web:SecurityHeaders | SecurityHeadersOptions |
| affolterNET:Web:Cors | AffolterNetCorsOptions |
| affolterNET:Web:Auth:AntiForgery | BffAntiforgeryOptions |
Use CustomCspDirectives to override individual CSP directives. Any directive provided here completely replaces the built-in default for that directive.
```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "CustomCspDirectives": {
          "script-src": "'self'"
        },
        "AllowedConnectSources": ["https://api.example.com"],
        "AllowedFontSources": ["https://fonts.googleapis.com"]
      }
    }
  }
}
```
Note: The default `script-src` uses nonce + `strict-dynamic`, which requires server-rendered nonce attributes on `<script>` tags. For static SPAs (Vite/Vue/React builds), override it with `"script-src": "'self'"` via `CustomCspDirectives`.
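To make the override semantics above concrete, here is an added example (not affolterNET.Web.Bff's own code) that models them: the baseline directives in `defaultDirectives` are an assumption modeled on the note (nonce + strict-dynamic `script-src`), `Allowed*Sources` are assumed to extend their directive, and `CustomCspDirectives` replaces a directive outright as the text states. `scriptSrcNeedsNonce` is a deployment check for the SPA pitfall.

```javascript
// Assumed baseline (modeled on the page's description; the real library's
// defaults may differ). The nonce changes per response in a real server.
function defaultDirectives(nonce) {
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"],
    'connect-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'font-src': ["'self'"],
  };
}

// Build the Content-Security-Policy value from a SecurityHeaders section.
// Assumption: Allowed*Sources lists extend the matching directive;
// CustomCspDirectives discards the built-in default for that directive.
function buildCsp(securityHeaders, nonce) {
  const directives = defaultDirectives(nonce);
  const extend = (name, sources) => {
    if (sources) directives[name] = directives[name].concat(sources);
  };
  extend('connect-src', securityHeaders.AllowedConnectSources);
  extend('img-src', securityHeaders.AllowedImageSources);
  extend('font-src', securityHeaders.AllowedFontSources);
  for (const [name, value] of Object.entries(securityHeaders.CustomCspDirectives ?? {})) {
    directives[name] = value.split(/\s+/); // whole directive replaced, nonce included
  }
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Deployment check: a nonce-based script-src only works when the server
// stamps the nonce onto every <script> tag, which a static SPA build cannot do.
function scriptSrcNeedsNonce(csp) {
  const scriptSrc = csp.split(';').map(s => s.trim()).find(s => s.startsWith('script-src '));
  return scriptSrc !== undefined && /'nonce-/.test(scriptSrc);
}

// Constructed sample: the SPA configuration shown above
const spaConfig = {
  CustomCspDirectives: { 'script-src': "'self'" },
  AllowedConnectSources: ['https://api.example.com'],
  AllowedFontSources: ['https://fonts.googleapis.com'],
};
```

Running `buildCsp(spaConfig, nonce)` yields `script-src 'self'` without any nonce, while an empty section keeps the nonce + strict-dynamic default and `scriptSrcNeedsNonce` flags it.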
CORS checks for cookie-based auth:

- `X-XSRF-TOKEN` in `AllowedHeaders`
- `AllowCredentials` is `true` for cookie auth

Install:

```bash
npx claudepluginhub affolternet/affolternet.web --plugin affolternet-web-bff
```