

HTTP Security Headers are not set on GetImage and static files requests

Kevin Steffer

When I set these security headers 

 

They are not being sent in the response to requests for the GetImage handler

Or static files:


 


Replies

 
Nicolai Pedersen Dynamicweb Employee

They are not.

Generally they do not make that much sense for static resources. STS is the most important, but it only has to be sent once for the domain.

X-Content-Type-Options is the only one you could argue to add for css/js files - but the rest just adds more data to send with no real effect.

 

You can probably do something like this in custom code if you want it:

using System;
using System.Threading.Tasks;
using Dynamicweb.Host.Core;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace CustomCode
{
    public class SecurityHeadersPipeline : IPipeline
    {
        /// <summary>
        /// Ordering of this pipeline relative to others; the high value is intended
        /// to register the middleware after the built-in pipelines.
        /// </summary>
        public int Rank => 200;

        /// <summary>
        /// Nothing to register: the middleware takes only the <c>RequestDelegate</c>
        /// supplied by the framework.
        /// </summary>
        public void RegisterServices(IServiceCollection services, IMvcCoreBuilder mvcBuilder)
        {
        }

        /// <summary>
        /// Inserts <see cref="SecurityHeadersMiddleware"/> into the request pipeline.
        /// </summary>
        public void RegisterApplicationComponents(IApplicationBuilder app)
            => app.UseMiddleware<SecurityHeadersMiddleware>();

        /// <summary>
        /// No initialization work is required for this pipeline.
        /// </summary>
        public void RunInitializers()
        {
        }
    }

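    public class SecurityHeadersMiddleware
    {
        private readonly RequestDelegate _next;

        /// <summary>
        /// Creates the middleware.
        /// </summary>
        /// <param name="next">The next delegate in the request pipeline.</param>
        /// <exception cref="ArgumentNullException"><paramref name="next"/> is null.</exception>
        public SecurityHeadersMiddleware(RequestDelegate next)
        {
            if (next is null)
            {
                throw new ArgumentNullException(nameof(next));
            }

            _next = next;
        }

        /// <summary>
        /// Registers an <c>OnStarting</c> callback that writes the security headers
        /// immediately before the response headers are sent, then runs the rest of the
        /// pipeline. Because the callback fires for whatever produces the response
        /// (MVC, a handler, or the static file middleware), the headers are applied
        /// uniformly instead of depending on which component answered the request.
        /// </summary>
        /// <param name="context">The current request context.</param>
        public async Task Invoke(HttpContext context)
        {
            context.Response.OnStarting(() =>
            {
                AddSecurityHeaders(context);
                return Task.CompletedTask;
            });

            await _next(context);
        }

        // Runs from OnStarting, i.e. after the endpoint has executed but before the
        // status line and headers are flushed. At that point Response.ContentType is
        // already populated for responses that set one, which the original
        // "content type isn't known yet" comment got wrong for this callback.
        private static void AddSecurityHeaders(HttpContext context)
        {
            var headers = context.Response.Headers;

            // HSTS is only honoured by browsers on HTTPS responses, so don't emit it otherwise.
            if (context.Request.IsHttps)
            {
                headers["Strict-Transport-Security"] = "max-age=2592000";  // adjust as needed
            }

            // Applies to every response type: prevents MIME sniffing, which matters
            // for css/js as well as HTML.
            headers["X-Content-Type-Options"] = "nosniff";

            if (IsHtmlResponse(context))
            {
                headers["X-Frame-Options"] = "sameorigin";
                // The legacy XSS auditor is deprecated and removed from current browsers;
                // "0" explicitly disables it where it still exists, since the filter itself
                // has been a source of bugs. Use a Content-Security-Policy for XSS mitigation.
                headers["X-XSS-Protection"] = "0";
                // Referrer-Policy etc
                headers["Referrer-Policy"] = "no-referrer-when-downgrade";
            }
        }

        // Decides whether the response is an HTML document, which is the only case
        // where the framing/referrer headers have any effect.
        private static bool IsHtmlResponse(HttpContext context)
        {
            // Preferred signal: the Content-Type the endpoint actually set.
            var contentType = context.Response.ContentType;
            if (!string.IsNullOrEmpty(contentType)
                && contentType.StartsWith("text/html", StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }

            // Fallback: path heuristic for endpoints that set no Content-Type.
            // Comparisons are ordinal so culture settings cannot change the match.
            var path = context.Request.Path.Value;
            return path != null
                && (path.EndsWith(".html", StringComparison.OrdinalIgnoreCase)
                    || path.EndsWith("/", StringComparison.Ordinal)  // maybe default pages
                    || path.EndsWith(".cshtml", StringComparison.OrdinalIgnoreCase));  // if dynamic rendering etc
        }
    }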
}

 
