In the last article we talked a bit about Content Security Policy. Now let’s see how to quickly apply it to an MVC project.

The MVC project have provided some extension points in the lifecycle of a request which allow you to hook in almost as if you’re using AOP.  The one we’re interested in today is the global action filter. This is fired for every request and is an ideal place to put in a hook for adding HTTP headers.

First we create an action filter attribute which extends ActionFilterAttribute

As you can see here I’ve put in all the different headers we talked about yesterday. You could make this more efficient by checking the browser and only sending the response which suits. That is kind of a pain to do as CSP is still in flux on most browsers. In a couple of years you will probably be able to only send one header.

Next we tie it into MVC. You can throw it into the FilterConfig.cs file like so:

(line 6 is the relevant one)

And you’re done!  I tested it by throwing in an inline alert(‘hi’) and found it to be effective. Well effective in Chrome and FireFox. IE10 still merrily threw up an alert. IE10 support is not there yet, perhaps in IE11.

There is one other good way to add CSP to an MVC project and we’ll cover that in a future post.