Written with Claude
IMPORTANT

As you may notice, this page and pretty much the entire website were obviously created with the help of AI. I wonder how you could tell? Was it a big "Written With Claude" badge on every page? I moved it to the top now (with the help of AI of course) to make it even more obvious. There are a few blogposts that were written by me manually, the old-fashioned way, I hope there will be more in the future, and those have a similar "Human Written" badge. This project (not the website), on the other hand, is a very, very different story. It took me more than two years of painstaking and unpaid work in my own free time. A story that, hopefully, I will tell someday. But meanwhile, what would you like me to do? To create a complex documentation website with a bunch of highly technical articles with the help of AI and fake it, to give you an illusion that I also did that manually? Like half of the internet is doing at this point? How does that make any sense? Is that even fair to you? Or maybe to create this website manually, the old-fashioned way, just for you? While working a paid job for a salary, most of you wouldn't even get up in the morning. Would you like me to sing you a song while we're at it? For your personal entertainment? Seriously, get a grip. Do you find this information less valuable because of the way this website was created? I give my best to fix it to keep the information as accurate as possible, and I think it is very accurate at this point. If you find some mistakes, inaccuracies or problems, there is a comment section at the bottom of every page, which I also made with the help of the AI. And I would very much appreciate it if you leave your feedback there. Look, I'm just a guy who likes SQL, that's all. If you don't approve of how this website was constructed and the use of AI tools, I suggest closing this page and never ever coming back. And good riddance. And I would ban your access if I could know how. Thank you for your attention to this matter.

Security Headers

New in 3.6.0

Security Headers middleware was added in version 3.6.0.

Configurable middleware that adds HTTP security headers to every response, reducing exposure to common web vulnerabilities such as clickjacking, MIME sniffing and script injection.

Overview

json
{
  "SecurityHeaders": {
    "Enabled": false,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "DENY",
    "ReferrerPolicy": "strict-origin-when-cross-origin",
    "ContentSecurityPolicy": null,
    "PermissionsPolicy": null,
    "CrossOriginOpenerPolicy": null,
    "CrossOriginEmbedderPolicy": null,
    "CrossOriginResourcePolicy": null
  }
}

Settings Reference

| Setting | Type | Default | Description |
|---|---|---|---|
| Enabled | bool | false | Enable security headers middleware. When enabled, configured headers are added to all HTTP responses. |
| XContentTypeOptions | string | "nosniff" | Prevents browsers from MIME-sniffing a response away from the declared content-type. Set to null to not include this header. |
| XFrameOptions | string | "DENY" | Controls whether the browser should allow the page to be rendered in a frame. Values: "DENY", "SAMEORIGIN". Set to null to not include. |
| ReferrerPolicy | string | "strict-origin-when-cross-origin" | Controls how much referrer information should be included with requests. Set to null to not include. |
| ContentSecurityPolicy | string | null | Defines approved sources of content that the browser may load. Helps prevent XSS and code injection attacks. |
| PermissionsPolicy | string | null | Controls which browser features and APIs can be used. |
| CrossOriginOpenerPolicy | string | null | Controls how your document is shared with cross-origin popups. |
| CrossOriginEmbedderPolicy | string | null | Prevents a document from loading cross-origin resources that don't explicitly grant permission. |
| CrossOriginResourcePolicy | string | null | Indicates how the resource should be shared cross-origin. |

X-Content-Type-Options

Prevents browsers from MIME-sniffing a response away from the declared content-type, reducing exposure to drive-by download attacks.

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "XContentTypeOptions": "nosniff"
  }
}

The recommended value is "nosniff".

X-Frame-Options

Controls whether the browser should allow the page to be rendered in a <frame>, <iframe>, <embed> or <object>. Prevents clickjacking attacks.

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "XFrameOptions": "DENY"
  }
}

| Value | Description |
|---|---|
| DENY | Never allow the page to be framed |
| SAMEORIGIN | Allow framing from the same origin only |

WARNING

This header is skipped if Antiforgery is enabled, as Antiforgery already sets X-Frame-Options: SAMEORIGIN by default via its SuppressXFrameOptionsHeader setting.
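To make the mapping from settings to emitted headers concrete, here is a small Python model of the behaviour the settings reference and the warning above describe. It is an added illustration, not the middleware's own code (the project is .NET-based; this runs stand-alone), and it assumes, as .NET options binding does, that settings omitted from appsettings keep the defaults shown in the Overview. The appsettings documents it reads are constructed from this page's own examples.

```python
"""Model of how the SecurityHeaders settings turn into response headers.

Added illustration, not the middleware's own code. Rules taken from this
page: nothing is emitted unless Enabled is true, a setting whose value is
null is omitted, and X-Frame-Options is skipped when Antiforgery is
enabled because Antiforgery already emits X-Frame-Options: SAMEORIGIN.
Assumption (mirrors .NET options binding): settings left out of
appsettings keep the defaults from the Overview block.
"""
from __future__ import annotations

import json

# Setting name -> HTTP header name, as listed in the settings reference.
HEADER_NAMES: dict[str, str] = {
    "XContentTypeOptions": "X-Content-Type-Options",
    "XFrameOptions": "X-Frame-Options",
    "ReferrerPolicy": "Referrer-Policy",
    "ContentSecurityPolicy": "Content-Security-Policy",
    "PermissionsPolicy": "Permissions-Policy",
    "CrossOriginOpenerPolicy": "Cross-Origin-Opener-Policy",
    "CrossOriginEmbedderPolicy": "Cross-Origin-Embedder-Policy",
    "CrossOriginResourcePolicy": "Cross-Origin-Resource-Policy",
}

# Defaults from the Overview block.
DEFAULTS: dict[str, object] = {
    "Enabled": False,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "DENY",
    "ReferrerPolicy": "strict-origin-when-cross-origin",
    "ContentSecurityPolicy": None,
    "PermissionsPolicy": None,
    "CrossOriginOpenerPolicy": None,
    "CrossOriginEmbedderPolicy": None,
    "CrossOriginResourcePolicy": None,
}


def build_security_headers(appsettings: dict, antiforgery_enabled: bool = False) -> dict[str, str]:
    """Return the headers the middleware would add for one appsettings document."""
    section = {**DEFAULTS, **appsettings.get("SecurityHeaders", {})}
    if not section["Enabled"]:
        return {}  # middleware disabled: the response is left untouched
    headers: dict[str, str] = {}
    for setting, header_name in HEADER_NAMES.items():
        value = section.get(setting)
        if value is None:
            continue  # null means "do not send this header"
        if setting == "XFrameOptions" and antiforgery_enabled:
            continue  # Antiforgery sets X-Frame-Options: SAMEORIGIN itself
        headers[header_name] = str(value)
    return headers


# Constructed inputs, copied from this page's examples.
API_ONLY = json.loads("""
{
  "SecurityHeaders": {
    "Enabled": true,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "DENY",
    "ReferrerPolicy": "no-referrer",
    "ContentSecurityPolicy": "default-src 'none'; frame-ancestors 'none'"
  }
}
""")

MINIMAL = json.loads('{"SecurityHeaders": {"Enabled": true, "XContentTypeOptions": "nosniff"}}')


if __name__ == "__main__":
    for label, cfg, antiforgery in (("api-only", API_ONLY, False),
                                    ("api-only + antiforgery", API_ONLY, True),
                                    ("minimal", MINIMAL, False),
                                    ("disabled", {}, False)):
        print(f"--- {label}")
        for name, value in build_security_headers(cfg, antiforgery).items():
            print(f"{name}: {value}")
```

Running it shows the two things that surprise people most often: with Enabled left at its default of false, nothing at all is emitted even when other settings are filled in, and with Antiforgery switched on, X-Frame-Options disappears from this middleware's output because Antiforgery sends its own.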

Referrer-Policy

Controls how much referrer information should be included with requests made from your site.

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "ReferrerPolicy": "strict-origin-when-cross-origin"
  }
}

| Value | Description |
|---|---|
| no-referrer | Never send referrer information |
| no-referrer-when-downgrade | Send full URL for same-security requests, nothing for downgrades |
| origin | Send only the origin (scheme, host, port) |
| origin-when-cross-origin | Send full URL for same-origin, origin only for cross-origin |
| same-origin | Send full URL for same-origin, nothing for cross-origin |
| strict-origin | Send origin for same-security, nothing for downgrades |
| strict-origin-when-cross-origin | Send full URL for same-origin, origin for cross-origin same-security |
| unsafe-url | Always send full URL (not recommended) |

Content-Security-Policy

Defines approved sources of content that the browser may load. This is one of the most powerful headers for preventing XSS, clickjacking, and other code injection attacks.

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
  }
}

TIP

CSP should be configured based on your specific application's needs. Start with a restrictive policy and loosen it only where a particular resource requires it. Note that 'unsafe-inline' in script-src, as in the example above, allows inline scripts to execute and gives up most of the XSS protection CSP provides; prefer a nonce or hash for any script you must inline.

Common directives:

  • default-src - Fallback for other directives
  • script-src - Valid sources for JavaScript
  • style-src - Valid sources for stylesheets
  • img-src - Valid sources for images
  • connect-src - Valid sources for fetch, WebSocket, etc.
  • font-src - Valid sources for fonts
  • frame-src - Valid sources for frames

Reference: MDN Content-Security-Policy
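The directive list above is easier to reason about with a parser in hand. The following Python is an added example, not project code: it splits a policy into directives, resolves the default-src fallback the way browsers do (frame-ancestors, base-uri and form-action never inherit it), and reports the weak spots a reviewer looks for in script-src. The three policies it runs on are the ones quoted on this page; note that the Full Protection policy is flagged only for relying on X-Frame-Options rather than frame-ancestors, while the first CSP example is flagged for 'unsafe-inline'.

```python
"""Parse a Content-Security-Policy value and lint it.

Added example, not part of the project. Fallback rule implemented as the
CSP spec states it: a fetch directive that is absent inherits default-src,
while a few directives (frame-ancestors, base-uri, form-action, ...) never
fall back and are simply unrestricted when missing.
"""
from __future__ import annotations

# Directives that never fall back to default-src.
NO_FALLBACK = {
    "frame-ancestors", "base-uri", "form-action", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
}

# Source expressions that make script-src close to meaningless.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "name src src; name src" into {name: [src, ...]}.

    Browsers ignore a repeated directive, so the first occurrence wins here too.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *sources = tokens
        directives.setdefault(name.lower(), [s.lower() for s in sources])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str] | None:
    """Sources that apply to `name` after fallback; None means unrestricted."""
    if name in directives:
        return directives[name]
    if name in NO_FALLBACK:
        return None
    return directives.get("default-src")


def lint_csp(policy: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    d = parse_csp(policy)
    findings: list[str] = []
    if "default-src" not in d:
        findings.append("no default-src: any fetch directive you did not list is unrestricted")
    scripts = effective_sources(d, "script-src")
    if scripts is None:
        findings.append("script-src unrestricted: scripts may load from anywhere")
    else:
        for weak in WEAK_SCRIPT_SOURCES:
            if weak in scripts:
                findings.append(f"script-src allows {weak}: inline or arbitrary script can run, "
                                "which is what CSP is supposed to stop")
    if effective_sources(d, "frame-ancestors") is None:
        findings.append("no frame-ancestors: framing is governed only by X-Frame-Options")
    return findings


# Policies quoted on this page.
PAGE_CSP_EXAMPLE = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
API_ONLY_CSP = "default-src 'none'; frame-ancestors 'none'"
FULL_PROTECTION_CSP = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                       "img-src 'self' data:; font-src 'self'; connect-src 'self'")

if __name__ == "__main__":
    for label, policy in (("page example", PAGE_CSP_EXAMPLE),
                          ("api-only", API_ONLY_CSP),
                          ("full protection", FULL_PROTECTION_CSP)):
        print(f"--- {label}")
        for finding in lint_csp(policy) or ["nothing to flag"]:
            print(f"  {finding}")
```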

Permissions-Policy

Controls which browser features and APIs can be used by your application and any embedded content.

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "PermissionsPolicy": "geolocation=(), microphone=(), camera=()"
  }
}

This example disables geolocation, microphone, and camera access entirely.

To allow features only from the same origin:

json
{
  "SecurityHeaders": {
    "PermissionsPolicy": "geolocation=(self), microphone=(self)"
  }
}

Reference: MDN Permissions-Policy

Cross-Origin Policies

Cross-Origin-Opener-Policy

Controls how your document is shared with cross-origin popups.

json
{
  "SecurityHeaders": {
    "CrossOriginOpenerPolicy": "same-origin"
  }
}

| Value | Description |
|---|---|
| unsafe-none | Default browser behavior |
| same-origin-allow-popups | Isolate from cross-origin, allow popups |
| same-origin | Full isolation from cross-origin documents |

Cross-Origin-Embedder-Policy

Prevents a document from loading cross-origin resources that don't explicitly grant permission.

json
{
  "SecurityHeaders": {
    "CrossOriginEmbedderPolicy": "require-corp"
  }
}

| Value | Description |
|---|---|
| unsafe-none | Default browser behavior |
| require-corp | Require CORP or CORS for cross-origin resources |
| credentialless | Load cross-origin resources without credentials |

TIP

Setting CrossOriginEmbedderPolicy to require-corp together with CrossOriginOpenerPolicy: same-origin makes the document cross-origin isolated, which is what unlocks SharedArrayBuffer and high-resolution timers.

Cross-Origin-Resource-Policy

Indicates which sites may load this response as a cross-origin resource (for example via an <img> or <script> element).

json
{
  "SecurityHeaders": {
    "CrossOriginResourcePolicy": "same-origin"
  }
}

| Value | Description |
|---|---|
| same-site | Only same-site requests allowed |
| same-origin | Only same-origin requests allowed |
| cross-origin | Any origin can load the resource |

Example Configurations

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "DENY",
    "ReferrerPolicy": "strict-origin-when-cross-origin"
  }
}

API-Only Application

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "DENY",
    "ReferrerPolicy": "no-referrer",
    "ContentSecurityPolicy": "default-src 'none'; frame-ancestors 'none'"
  }
}

Full Protection with CSP

json
{
  "SecurityHeaders": {
    "Enabled": true,
    "XContentTypeOptions": "nosniff",
    "XFrameOptions": "SAMEORIGIN",
    "ReferrerPolicy": "strict-origin-when-cross-origin",
    "ContentSecurityPolicy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'",
    "PermissionsPolicy": "geolocation=(), microphone=(), camera=()",
    "CrossOriginOpenerPolicy": "same-origin",
    "CrossOriginEmbedderPolicy": "require-corp",
    "CrossOriginResourcePolicy": "same-origin"
  }
}
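Once one of these configurations is deployed, the thing to verify is the response actually leaving the server. The Python below is an added example, not project code: it parses a raw HTTP response, checks every header this page configures against the values listed in its tables, and reports whether the COOP/COEP pair from the tip above yields cross-origin isolation. The two captured responses are constructed to match the Full Protection and API-Only configurations.

```python
"""Audit a raw HTTP response for the headers configured on this page.

Added example, not project code. The allowed values are the ones listed
in this page's tables; the two responses at the bottom are constructed.
"""
from __future__ import annotations

ALLOWED_VALUES: dict[str, set[str]] = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "referrer-policy": {
        "no-referrer", "no-referrer-when-downgrade", "origin",
        "origin-when-cross-origin", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin", "unsafe-url",
    },
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
}
# Free-form policy strings: only presence is checked here.
FREEFORM_HEADERS = ("content-security-policy", "permissions-policy")


def parse_response_headers(raw: str) -> dict[str, str]:
    """Lower-cased header map from a raw HTTP/1.1 response (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Report missing headers and values outside the documented sets."""
    findings: list[str] = []
    for name, allowed in ALLOWED_VALUES.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
            continue
        # X-Frame-Options tokens are case-insensitive; the others are lowercase tokens.
        normalized = value.upper() if name == "x-frame-options" else value.lower()
        if normalized not in allowed:
            findings.append(f"{name}: unexpected value {value!r}")
    for name in FREEFORM_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    if headers.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("referrer-policy: unsafe-url leaks full URLs cross-origin (not recommended)")
    return findings


def is_cross_origin_isolated(headers: dict[str, str]) -> bool:
    """COOP: same-origin plus COEP: require-corp, the pair the tip above names."""
    return (headers.get("cross-origin-opener-policy", "").lower() == "same-origin"
            and headers.get("cross-origin-embedder-policy", "").lower() == "require-corp")


# Constructed responses, matching the Full Protection and API-Only configurations.
FULL_PROTECTION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self'; connect-src 'self'\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "\r\n"
    "<!doctype html><p>ok</p>"
)

API_ONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "\r\n"
    '{"status":"ok"}'
)

if __name__ == "__main__":
    for label, raw in (("full protection", FULL_PROTECTION_RESPONSE), ("api-only", API_ONLY_RESPONSE)):
        parsed = parse_response_headers(raw)
        print(f"--- {label}: isolated={is_cross_origin_isolated(parsed)}")
        for finding in audit_headers(parsed) or ["nothing to flag"]:
            print(f"  {finding}")
```

The API-Only response is reported as missing the cross-origin and Permissions-Policy headers, which is expected for that configuration; the point of the audit is to make the gap visible so it is a decision rather than an oversight.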

Released under the MIT License.