dotnet http-security-check
This global dotnet tool helps to secure your web application.
As everyone should know, security is important and critical - but not easily done right. The attack surface, especially for public websites, is fairly large, and keeping everything secure is a challenge. Using security headers and TLS (HTTPS) is an effective way to reduce this attack surface.
The global tool DotnetHttpSecurityCheck implements different checks to ensure best practice and suggests improvements. They are split into two categories: Header and Request.
- A Header check examines the value of a response header field.
- A Request check examines any other security related aspect (e.g. valid certificate).
Hopefully this tool helps everyone to assess and reinforce security.
Installation
Download and install the .NET Core 2.2 SDK or newer. Once installed, run the following command:
Execute a scan
After installation, you can use the tool directly from the CLI (command line interface):
Analyzing the results
Each check returns a result consisting of:
- Actual value
- Rating (see below)
- Suggestion
Best
Everything is fine - the currently best known value is set.
Good
The configuration is basically acceptable - but you could improve it according to the suggestion.
Bad
Indicates you should fix the value according to the suggestion - otherwise there is a security risk (e.g. insecure connection, cross-site scripting, …).
Skipped
This means the check is not applicable to the current request. For example, the ‘Strict-Transport-Security’ header is only recognized when sent over an HTTPS connection.
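As an added illustration that is not the tool's own code, here is a minimal Python version of two Header checks that produce results in the shape described above (actual value, rating, suggestion), including the Skipped case for Strict-Transport-Security over plain HTTP. The Best/Good thresholds for max-age (one year plus includeSubDomains) are an assumption, not the tool's own rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CheckResult:
    """One check result in the README's shape: value, rating (Best/Good/Bad/Skipped), suggestion."""
    check: str
    value: Optional[str]
    rating: str
    suggestion: str

def _directives(header_value: str) -> Dict[str, Optional[str]]:
    """Parse 'max-age=63072000; includeSubDomains' into {directive: value}, names lower-cased."""
    out = {}
    for name, _, val in (p.strip().partition("=") for p in header_value.split(";")):
        if name:
            out[name.lower()] = val.strip() or None
    return out

def check_hsts(headers: Dict[str, str], scheme: str) -> CheckResult:
    """Header check for Strict-Transport-Security. Skipped over plain HTTP, as the README
    describes; the Best/Good thresholds (one-year max-age plus includeSubDomains) are assumed."""
    name = "Strict-Transport-Security"
    value = headers.get(name.lower())
    if scheme != "https":
        return CheckResult(name, value, "Skipped", "Only recognized over an HTTPS connection")
    if value is None:
        return CheckResult(name, None, "Bad", "Send 'max-age=31536000; includeSubDomains'")
    d = _directives(value)
    max_age = int(d["max-age"]) if (d.get("max-age") or "").isdigit() else 0
    if max_age <= 0:
        return CheckResult(name, value, "Bad", "max-age must be a positive number of seconds")
    if max_age >= 31536000 and "includesubdomains" in d:
        return CheckResult(name, value, "Best", "")
    return CheckResult(name, value, "Good", "Raise max-age to one year and add includeSubDomains")

def check_nosniff(headers: Dict[str, str], scheme: str) -> CheckResult:
    """Header check for X-Content-Type-Options; the only recognized value is 'nosniff'."""
    name = "X-Content-Type-Options"
    value = headers.get(name.lower())
    if value is not None and value.strip().lower() == "nosniff":
        return CheckResult(name, value, "Best", "")
    return CheckResult(name, value, "Bad", "Send 'X-Content-Type-Options: nosniff'")

def run_checks(headers: Dict[str, str], scheme: str) -> List[CheckResult]:
    """Run every header check against one response; header names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return [fn(lowered, scheme) for fn in (check_hsts, check_nosniff)]
```

Feeding constructed headers such as `{"Strict-Transport-Security": "max-age=600", "X-Content-Type-Options": "nosniff"}` with scheme `https` rates HSTS as Good and nosniff as Best; the same HSTS header on an `http` response is Skipped.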