Configure security headers, CORS, and the IConfigurableOptions pattern for affolterNET.Web.Api. Use when setting up CSP, HSTS, CORS policies, or custom options.
Configure security headers, CORS, and options for affolterNET.Web.Api. Use when setting up CSP, HSTS, CORS policies, or custom API configuration options.
```
/plugin marketplace add Mcafee123/affolterNET.Web
/plugin install affolternet-web-api@affolternet-web
```
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Configure security headers, CORS, and the options pattern.
For complete reference, see Library Guide.
```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "EnableHsts": true,
        "EnableXFrameOptions": true,
        "EnableXContentTypeOptions": true,
        "EnableReferrerPolicy": true,
        "ContentSecurityPolicy": "default-src 'self'"
      }
    }
  }
}
```
```csharp
var options = builder.Services.AddApiServices(isDev, config, opts => {
    opts.EnableSecurityHeaders = true;
});
```
```json
{
  "affolterNET": {
    "Web": {
      "Cors": {
        "AllowedOrigins": ["https://app.example.com", "https://admin.example.com"],
        "AllowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "AllowedHeaders": ["Content-Type", "Authorization"],
        "AllowCredentials": true,
        "MaxAge": 3600
      }
    }
  }
}
```
All options follow a three-tier configuration pattern:
```csharp
// 1. Defaults are set in constructor
// 2. appsettings.json values override defaults
// 3. Lambda configuration overrides appsettings
var options = builder.Services.AddApiServices(isDev, config, opts => {
    // This lambda is tier 3 - highest priority
    opts.ConfigureApi = api => {
        api.AuthMode = AuthenticationMode.Authorize;
    };
});
```
| Section | Options Class |
|---|---|
| affolterNET:Web:SecurityHeaders | SecurityHeadersOptions |
| affolterNET:Web:Cors | AffolterNetCorsOptions |
| affolterNET:Web:Auth:Provider | AuthProviderOptions |
```csharp
// CORS is typically more permissive in development
// The isDev flag passed to AddApiServices handles this
var options = builder.Services.AddApiServices(
    builder.Environment.IsDevelopment(),
    builder.Configuration);
```
```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "ContentSecurityPolicy": "default-src 'none'; frame-ancestors 'none'"
      }
    }
  }
}
```
- AllowedOrigins includes the exact origin (including protocol and port)
- AllowedMethods includes the HTTP method being used
- AllowCredentials is true if sending cookies/auth headers
- report-uri directive for monitoring
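The CORS checklist above, as an added diagnostic that is not part of affolterNET.Web.Api or this page's own code: it reads the Cors section from the sample configuration and reports which checklist item each constructed request fails. The `Check` helper, the request list and the exact-string origin comparison are assumptions of this example; the raw string literal needs C# 11 or later.

```csharp
// Added example, not affolterNET.Web.Api code. Check and the requests are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
// Cors section from the page's appsettings.json sample (headers and MaxAge omitted).
const string appsettings = """
{ "affolterNET": { "Web": { "Cors": {
    "AllowedOrigins": ["https://app.example.com", "https://admin.example.com"],
    "AllowedMethods": ["GET", "POST", "PUT", "DELETE"],
    "AllowCredentials": true
} } } }
""";
using var doc = JsonDocument.Parse(appsettings);
var cors = doc.RootElement.GetProperty("affolterNET").GetProperty("Web").GetProperty("Cors");
var origins = cors.GetProperty("AllowedOrigins").EnumerateArray().Select(e => e.GetString()!).ToList();
var methods = cors.GetProperty("AllowedMethods").EnumerateArray().Select(e => e.GetString()!).ToList();
bool allowCredentials = cors.GetProperty("AllowCredentials").GetBoolean();
// Constructed requests: Origin header, HTTP method, whether cookies/auth headers are sent.
var requests = new (string Origin, string Method, bool Credentials)[]
{
    ("https://app.example.com", "GET", true),
    ("http://app.example.com", "GET", false),        // scheme differs
    ("https://app.example.com:8443", "POST", true),  // port differs
    ("https://admin.example.com", "PATCH", true),    // method not listed
};
foreach (var r in requests)
{
    var problems = Check(r.Origin, r.Method, r.Credentials);
    Console.WriteLine($"{r.Method} {r.Origin}: {(problems.Count == 0 ? "ok" : string.Join("; ", problems))}");
}
List<string> Check(string origin, string method, bool credentials)
{
    var problems = new List<string>();
    // Assumption: origins are compared as exact strings (scheme://host[:port]).
    if (!origins.Contains(origin, StringComparer.Ordinal))
    {
        var host = Uri.TryCreate(origin, UriKind.Absolute, out var o) ? o.Host : null;
        var sameHost = origins.Where(a => new Uri(a).Host == host).ToList();
        problems.Add(sameHost.Count > 0
            ? $"origin differs from {string.Join(", ", sameHost)} in protocol or port"
            : "origin is not in AllowedOrigins");
    }
    if (!methods.Contains(method, StringComparer.OrdinalIgnoreCase))
        problems.Add($"method {method} is not in AllowedMethods");
    if (credentials && !allowCredentials)
        problems.Add("credentials sent but AllowCredentials is false");
    return problems;
}
```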