CORS and security headers

CORS configuration and security headers — ASP.NET Core CORS policy, nonce-based CSP, and standard security header recommendations.

BitzOrcas configures CORS and security headers through ASP.NET Core’s standard middleware pipeline.

CORS policy

// Configured in ApiPipelineRegistration
// Development: permissive for local development
// Production: restrict to known origins

Configuration

{
  "Cors": {
    "AllowedOrigins": ["https://app.example.com", "https://admin.example.com"],
    "AllowedMethods": ["GET", "POST", "PUT", "PATCH", "DELETE"],
    "AllowedHeaders": ["Content-Type", "Authorization", "X-Idempotency-Key",
                       "X-Correlation-Id", "X-Signature", "X-API-Key"],
    "AllowCredentials": true,
    "MaxAgeSeconds": 3600
  }
}

Security headers

Recommended security headers for production:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0 (deprecated, prefer CSP)
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
Permissions-Policy: camera=(), microphone=(), geolocation=()
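The two pieces above wired together in a minimal ASP.NET Core host, as an added example rather than BitzOrcas' own ApiPipelineRegistration code: the "Cors" section is bound to a hypothetical CorsSettings class and registered as a named policy, and a small middleware emits the recommended headers with a per-response CSP nonce (the script-src nonce directive is an extension of the CSP line shown above, for pages that must allow specific inline scripts).

```csharp
using System.Security.Cryptography; // other namespaces come from the Web SDK's implicit usings

var builder = WebApplication.CreateBuilder(args);
// Bind the "Cors" section shown above into the hypothetical CorsSettings class below.
var cors = builder.Configuration.GetSection("Cors").Get<CorsSettings>() ?? new CorsSettings();

builder.Services.AddCors(o => o.AddPolicy("Default", p =>
{
    // Origins must be an explicit list: ASP.NET Core rejects a policy that
    // combines AllowAnyOrigin() with AllowCredentials().
    p.WithOrigins(cors.AllowedOrigins)
     .WithMethods(cors.AllowedMethods)
     .WithHeaders(cors.AllowedHeaders)
     .SetPreflightMaxAge(TimeSpan.FromSeconds(cors.MaxAgeSeconds));
    if (cors.AllowCredentials) p.AllowCredentials();
}));

var app = builder.Build();
app.UseCors("Default");

// Emit the recommended headers with a fresh CSP nonce per response; the nonce is
// kept in HttpContext.Items so a view can render <script nonce="..."> for the few
// inline scripts it must allow, while everything else stays blocked by default-src.
app.Use(async (ctx, next) =>
{
    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    ctx.Items["csp-nonce"] = nonce;
    var h = ctx.Response.Headers;
    h["X-Content-Type-Options"] = "nosniff";
    h["X-Frame-Options"] = "DENY";
    h["X-XSS-Protection"] = "0";
    h["Referrer-Policy"] = "strict-origin-when-cross-origin";
    h["Content-Security-Policy"] =
        $"default-src 'none'; script-src 'nonce-{nonce}'; frame-ancestors 'none'";
    h["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";
    await next();
});

app.Run();
// Hypothetical options class mirroring the "Cors" JSON section; top-level
// statements require type declarations to come after them.
public sealed class CorsSettings
{
    public string[] AllowedOrigins { get; set; } = Array.Empty<string>();
    public string[] AllowedMethods { get; set; } = Array.Empty<string>();
    public string[] AllowedHeaders { get; set; } = Array.Empty<string>();
    public bool AllowCredentials { get; set; }
    public int MaxAgeSeconds { get; set; } = 3600;
}
```

Because the middleware sets the headers before calling next(), they apply to every response, including error responses written by later middleware.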

Nonce store

BitzOrcas registers a nonce store for HMAC anti-replay:

services.AddSingleton<INonceStore, MemoryNonceStore>();

Custom headers

Header            Direction         Purpose
X-Correlation-Id  Response          Request correlation identifier
X-Tenant-Id       Response (debug)  Resolved tenant identifier
Retry-After       Response (429)    Seconds until retry allowed
