Configure security headers, CORS, antiforgery, and the IConfigurableOptions pattern for affolterNET.Web.Bff. Use when setting up CSP, HSTS, CSRF protection, or custom options.
Configure security headers, CORS, and CSRF protection for affolterNET.Web.Bff using appsettings.json. Use when setting up HSTS, CSP, antiforgery tokens, or cross-origin API access for SPAs.
```
/plugin marketplace add Mcafee123/affolterNET.Web
/plugin install affolternet-web-bff@affolternet-web
```
Configure security headers, CORS, antiforgery, and the options pattern.
For complete reference, see Library Guide.
Security headers (`affolterNET:Web:SecurityHeaders`):

```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "EnableHsts": true,
        "EnableXFrameOptions": true,
        "EnableXContentTypeOptions": true,
        "EnableReferrerPolicy": true,
        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline'"
      }
    }
  }
}
```
CORS (`affolterNET:Web:Cors`):

```json
{
  "affolterNET": {
    "Web": {
      "Cors": {
        "AllowedOrigins": ["https://app.example.com"],
        "AllowedMethods": ["GET", "POST", "PUT", "DELETE"],
        "AllowedHeaders": ["Content-Type", "Authorization", "X-XSRF-TOKEN"],
        "AllowCredentials": true
      }
    }
  }
}
```
Antiforgery (`affolterNET:Web:Auth:AntiForgery`):

```json
{
  "affolterNET": {
    "Web": {
      "Auth": {
        "AntiForgery": {
          "HeaderName": "X-XSRF-TOKEN",
          "CookieName": ".MyApp.Antiforgery"
        }
      }
    }
  }
}
```
Client side, the SPA reads the antiforgery token and sends it in the configured header:

```javascript
// Get the antiforgery token from the meta tag rendered into the page
// (or from a readable cookie, if the app exposes one)
const token = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');
const data = { example: 'payload' }; // request body for this call
// Include the token in the header configured as Auth:AntiForgery:HeaderName
fetch('/api/data', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-XSRF-TOKEN': token
  },
  body: JSON.stringify(data)
});
```
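The snippet above sends the token on one hard-coded POST. The helper below, added here as an example and not part of affolterNET.Web.Bff, generalizes it: it attaches the antiforgery header only on state-changing methods (the ones antiforgery validation actually covers), refuses to send such a request without a token, and switches `credentials` to `'include'` when the BFF lives on another origin, which is the case the CORS section's `AllowCredentials: true` exists for. The `doc` parameter and the `csrf-token` meta name are assumptions so the token lookup can run outside a browser.

```javascript
// Added example, not library code. Builds the fetch() RequestInit for a BFF
// call according to the antiforgery and CORS settings shown on this page.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Read the request token from <meta name="csrf-token"> (assumed meta name).
// `doc` is injected so the function can be tested with a fake document.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// headerName must equal affolterNET:Web:Auth:AntiForgery:HeaderName.
function buildBffRequest({ method, body, token, pageOrigin, targetUrl, headerName = 'X-XSRF-TOKEN' }) {
  const m = method.toUpperCase();
  const headers = {};
  if (body !== undefined) headers['Content-Type'] = 'application/json';

  // Antiforgery is only validated on unsafe methods; a missing token there is a bug
  // in the page, not something to silently send without.
  if (!SAFE_METHODS.has(m)) {
    if (!token) throw new Error('antiforgery token required for ' + m);
    headers[headerName] = token;
  }

  // Cookies are only sent cross-origin with credentials: 'include'; that origin
  // must then be listed in Cors:AllowedOrigins with AllowCredentials true.
  const crossOrigin = new URL(targetUrl, pageOrigin).origin !== pageOrigin;

  return {
    method: m,
    headers,
    credentials: crossOrigin ? 'include' : 'same-origin',
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Usage in the browser:
//   const init = buildBffRequest({ method: 'POST', body: data,
//     token: readCsrfToken(document), pageOrigin: location.origin, targetUrl: '/api/data' });
//   fetch('/api/data', init);
```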
All options follow a three-tier configuration pattern; values set in the lambda passed to `AddBffServices` take the highest priority:

```csharp
// isDev: environment flag, config: the IConfiguration holding appsettings.json
var options = builder.Services.AddBffServices(isDev, config, opts => {
    // Lambda configuration (highest priority)
    opts.EnableSecurityHeaders = true;
});
```
| Section | Options Class |
|---|---|
| `affolterNET:Web:SecurityHeaders` | `SecurityHeadersOptions` |
| `affolterNET:Web:Cors` | `AffolterNetCorsOptions` |
| `affolterNET:Web:Auth:AntiForgery` | `BffAntiforgeryOptions` |
Example CSP for a SPA. Note that `'unsafe-inline'` and `'unsafe-eval'` in `script-src` largely cancel the XSS protection CSP is meant to provide; tighten them (nonces or hashes) as far as the front-end framework allows:

```json
{
  "affolterNET": {
    "Web": {
      "SecurityHeaders": {
        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.example.com"
      }
    }
  }
}
```
When a SPA on another origin calls the BFF, check that:

- `X-XSRF-TOKEN` (the configured antiforgery `HeaderName`) is listed in `AllowedHeaders`
- `AllowCredentials` is `true` for cookie auth
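The checklist above and the CSP caveat are easy to miss in a hand-edited appsettings.json. The following linter, added here as an example and not part of affolterNET.Web.Bff, walks the `affolterNET:Web` section shapes shown on this page and reports the weak settings: `'unsafe-inline'`/`'unsafe-eval'` or `*` in the effective `script-src`, a wildcard origin combined with `AllowCredentials`, plain-HTTP origins, HSTS switched off, and an antiforgery `HeaderName` missing from `AllowedHeaders`. The sample configuration is constructed for the example and deliberately contains two of those mistakes.

```javascript
// Added example, not library code: lint an affolterNET:Web configuration
// object (the parsed appsettings.json) for the weaknesses this page warns about.

// Constructed sample (same shape as the appsettings.json blocks above).
// It omits X-XSRF-TOKEN from AllowedHeaders and uses a permissive script-src.
const sampleConfig = {
  affolterNET: {
    Web: {
      SecurityHeaders: {
        EnableHsts: true,
        ContentSecurityPolicy:
          "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://api.example.com",
      },
      Cors: {
        AllowedOrigins: ['https://app.example.com'],
        AllowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
        AllowedHeaders: ['Content-Type', 'Authorization'],
        AllowCredentials: true,
      },
      Auth: { AntiForgery: { HeaderName: 'X-XSRF-TOKEN', CookieName: '.MyApp.Antiforgery' } },
    },
  },
};

// Parse a CSP string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns an array of finding strings; an empty array means nothing was flagged.
function lintBffConfig(config) {
  const web = config?.affolterNET?.Web ?? {};
  const findings = [];

  const sh = web.SecurityHeaders ?? {};
  if (sh.EnableHsts === false) findings.push('Headers: HSTS is disabled');
  if (sh.ContentSecurityPolicy) {
    const d = parseCsp(sh.ContentSecurityPolicy);
    // Browsers fall back to default-src when script-src is absent.
    const scriptSrc = d['script-src'] ?? d['default-src'] ?? [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (scriptSrc.includes(weak)) findings.push(`CSP: script-src allows ${weak}`);
    }
  } else {
    findings.push('CSP: no ContentSecurityPolicy configured');
  }

  const cors = web.Cors;
  if (cors) {
    const origins = cors.AllowedOrigins ?? [];
    if (cors.AllowCredentials && origins.includes('*')) {
      findings.push('CORS: AllowCredentials combined with wildcard origin');
    }
    for (const o of origins) {
      if (o.startsWith('http://')) findings.push(`CORS: non-HTTPS origin ${o}`);
    }
    // Header names are case-insensitive, so compare lower-cased.
    const headerName = web.Auth?.AntiForgery?.HeaderName;
    const allowed = (cors.AllowedHeaders ?? []).map((h) => h.toLowerCase());
    if (headerName && !allowed.includes(headerName.toLowerCase())) {
      findings.push(`CORS: antiforgery header ${headerName} missing from AllowedHeaders`);
    }
    if (!cors.AllowCredentials) {
      findings.push('CORS: AllowCredentials is false; the auth cookie will not be sent cross-origin');
    }
  }
  return findings;
}

// Run it over the sample; as a CI step, feed it JSON.parse(appsettings.json) instead.
for (const f of lintBffConfig(sampleConfig)) console.log(f);
```

Running it against the sample reports the two `script-src` relaxations and the missing `X-XSRF-TOKEN` header; adding the header to `AllowedHeaders` and dropping the unsafe sources brings the list to zero.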