dotnet http-security-check

January 07, 2019 | 1 Minute Read

This global dotnet tool helps to secure your web application.

As everyone should know: security is important and critical - but not easily done right. The attack surface, especially for public websites, is fairly large, and keeping everything secure is a challenge. Using security headers and TLS (HTTPS) is an effective way to reduce this attack surface.

The global tool DotnetHttpSecurityCheck implements different checks to ensure best practice and suggests improvements. The checks are split into two categories: Header and Request.

  • A Header check examines the value of a response header field.
  • A Request check examines any other security-related aspect (e.g. valid certificate).

Hopefully, this tool helps everyone to assess and reinforce security.


Download and install the .NET Core 2.2 SDK or newer. Once installed, run the following command:

dotnet tool install DotnetHttpSecurityCheck -g

Execute a scan

After installation, you can use the tool directly from the CLI (command line interface):


Analyzing the results

Each check returns a result consisting of:

  • Actual value
  • Rating (see below)
  • Suggestion
Fig1. - Result explained


Everything is fine - the currently best known value is set.

Fig2. - Example for best result


The configuration is basically acceptable - but you could improve it according to the suggestion.

Fig3. - Example for good result


Indicates you should fix the value according to the suggestion - otherwise there is a security risk (e.g. insecure connection, cross-site scripting, …).

Fig4. - Example for bad result


This means the check is not applicable for the current request. For example, the ‘Strict-Transport-Security’ header is only recognized when sent over an HTTPS connection.

Fig5. - Example for skipped result
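
To make the result model concrete, here is an added C# example (not DotnetHttpSecurityCheck's own code) of a Header check for Strict-Transport-Security that returns an actual value, a rating and a suggestion, including the skipped case for plain HTTP. The names `HstsCheck` and `Rating`, the one-year `max-age` threshold and the sample host are assumptions made for illustration.

```csharp
using System;
using System.Linq;

// Illustrative only: not DotnetHttpSecurityCheck's code. Thresholds are assumptions.
public enum Rating { Best, Good, Bad, Skipped }

public static class HstsCheck
{
    const long OneYear = 31536000; // assumed minimum max-age for "Best"
    const string Ideal = "max-age=31536000; includeSubDomains";

    // Returns the three parts of a result: actual value, rating, suggestion.
    public static (string Actual, Rating Rating, string Suggestion) Run(Uri requestUri, string headerValue)
    {
        // HSTS is only recognized over HTTPS, so the check does not apply to HTTP.
        if (requestUri.Scheme != Uri.UriSchemeHttps)
            return (headerValue, Rating.Skipped, "Serve the site over HTTPS first");
        if (string.IsNullOrWhiteSpace(headerValue))
            return (headerValue, Rating.Bad, "Use: " + Ideal);

        var directives = headerValue.Split(';').Select(d => d.Trim()).ToArray();
        string maxAgeText = directives
            .Where(d => d.StartsWith("max-age=", StringComparison.OrdinalIgnoreCase))
            .Select(d => d.Substring("max-age=".Length).Trim('"'))
            .FirstOrDefault();
        bool subDomains = directives.Any(d =>
            d.Equals("includeSubDomains", StringComparison.OrdinalIgnoreCase));

        // max-age=0 tells the browser to drop the policy, so treat it like a missing header.
        if (!long.TryParse(maxAgeText, out long maxAge) || maxAge <= 0)
            return (headerValue, Rating.Bad, "Use: " + Ideal);
        if (maxAge >= OneYear && subDomains)
            return (headerValue, Rating.Best, "None");
        return (headerValue, Rating.Good, "Use: " + Ideal);
    }

    public static void Main()
    {
        // Constructed sample responses; example.test is a placeholder host.
        var https = new Uri("https://example.test/");
        Console.WriteLine(Run(https, "max-age=31536000; includeSubDomains"));
        Console.WriteLine(Run(https, "max-age=3600"));
        Console.WriteLine(Run(https, null));
        Console.WriteLine(Run(new Uri("http://example.test/"), "max-age=31536000"));
    }
}
```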