Configuration (ASP.NET 4)

Those running an older versions should consult Breaking changes (ASP.NET 4) before upgrading major versions.

You’re strongly advised to upgrade if you’re still running NWebsec 2.x, as you can run into issues with async requests due to changes in ASP.NET.


Only the most basic configuration is added to web.config when installing the NWebsec library with the NuGet package manager. Here’s an example of what’s added to web.config:

    <sectionGroup name="nwebsec">
      <section name="httpHeaderSecurityModule" type="NWebsec.Modules.Configuration.HttpHeaderSecurityConfigurationSection, NWebsec, Version=, Culture=neutral, PublicKeyToken=3613da5f958908a1" requirePermission="false" />

    <httpRuntime enableVersionHeader="false"/>
      <add name="NWebsecHttpHeaderSecurityModule" type="NWebsec.Modules.HttpHeaderSecurityModule, NWebsec, Version=, Culture=neutral, PublicKeyToken=3613da5f958908a1" />
        <clear />
          <add segment="NWebsecConfig" />
    <httpHeaderSecurityModule xmlns="" xmlns:xsi="" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">


The NWebsec config section is declared, the module is loaded, custom http headers will be cleared, the NWebsec configuration directory is declared as a hidden segment, and an empty NWebsec configuration section is added.

You’ll probably notice that configuration is also added to the <system.webserver> section in order to load the NWebsec httpHeaderModule . If you’re running on IIS 6 or in Classic Pipeline Mode you will have to do some manual changes to your web.config to load the module, see IIS 6 or IIS 7 Classic Pipeline Mode.

The configuration schema gives you intellisense for all NWebsec configuration elements, so feel free to start of with the empty section and add the security headers you need.

For the curious, here’s a complete configuration section with all headers disabled:


    <httpHeaderSecurityModule xmlns=""
      <redirectValidation enabled="false">
        <allowSameHostRedirectsToHttps enabled="false" httpsPorts="8443,443"/>
        <add allowedDestination=""/>
      <setNoCacheHttpHeaders enabled="false" />
      <x-Robots-Tag enabled="false"
        <x-Frame-Options policy="Disabled"/>
        <strict-Transport-Security max-age="00:00:00"
                                   preload="false" />
        <!--<public-Key-Pins max-age="00:00:10">
            <add thumbprint="cert thumbprint" storeName="Root" />
            <add pin="Base64 pin"/>
        <x-Content-Type-Options enabled="false" />
        <x-Download-Options enabled="false" />
        <x-XSS-Protection policy="Disabled" blockMode="true" />
        <content-Security-Policy enabled="false">
          <default-src self="true"/>
          <script-src self="true">
            <add source="" />
            <add source="" />
          <style-src unsafeInline="false" self="true" />
          <img-src self="true">
            <add source=""/>
          <object-src none="true" />
          <media-src none="true" />
          <frame-src none="true" />
          <font-src none="true" />
          <connect-src none="true" />
          <frame-ancestors none="true" />
          <base-uri self="true"/>
          <child-src self="true"/>
          <form-action self="true"/>
          <sandbox enabled="true"/>
            <add media-type="application/pdf"/>
          <report-uri enableBuiltinHandler="true"/>
        <!-- This section works exactly like "x-Content-Security-Policy", but will output report-only headers instead. -->
        <content-Security-Policy-Report-Only enabled="false">
          <default-src self="true" />
          <script-src unsafeEval="true" unsafeInline="true" />
            <add report-uri="/cspreporthandler" />


IIS 6 or IIS 7 Classic Pipeline Mode

If your application is running in Classic Pipeline Mode (as opposed to Integrated Pipeline Mode) you’ll have to use NWebsec version 2, as NWebsec 3 and later requires integrated pipeline mode due to breaking changes in ASP.NET.

If you want to run NWebsec 2 under Classic Pipeline Mode, you’ll have to add configuration by hand to load the HttpHeaderModule, here’s an example:

    <add name="NWebsecHttpHeaderSecurityModule" type="NWebsec.Modules.HttpHeaderSecurityModule, NWebsec, Version=, Culture=neutral, PublicKeyToken=3613da5f958908a1" />

You should also consider removing the <system.webServer> section if that did not exist before it was added by the NuGet installer.