This library allows you to add Content Security Policy, Strict Transport Security and Public Key Pin headers via middleware.
You can get the library from NuGet: https://www.nuget.org/packages/Joonasw.AspNetCore.SecurityHeaders
// Enable Strict Transport Security with a 30-day caching period
// Do not include subdomains
// Do not allow preload
app.UseHsts(new HstsOptions(TimeSpan.FromDays(30), includeSubDomains: false, preload: false));
// Use certificate pinning with:
// - 30-day caching period
// - One pin in SHA-256 form
// - Report-Only = Invalid certificate should not be reported, but:
// - Report problems to /hpkp-report
app.UseHpkp(hpkp =>
{
    hpkp.UseMaxAgeSeconds(30 * 24 * 60 * 60)
        .AddSha256Pin("nrmpk4ZI3wbRBmUZIT5aKAgP0LlKHRgfA2Snjzeg9iY=")
        .SetReportOnly()
        .ReportViolationsTo("/hpkp-report");
});
// Content Security Policy
app.UseCsp(csp =>
{
    // If nothing is mentioned for a resource class, allow from this domain
    csp.ByDefaultAllow
        .FromSelf();
    // Allow JavaScript from:
    csp.AllowScripts
        .FromSelf() //This domain
        .From("localhost:1591") //These two domains
        .From("ajax.aspnetcdn.com");
    // CSS allowed from:
    csp.AllowStyles
        .FromSelf()
        .From("ajax.aspnetcdn.com");
    csp.AllowImages
        .FromSelf();
    // HTML5 audio and video elemented sources can be from:
    csp.AllowAudioAndVideo
        .FromNowhere();
    // Contained iframes can be sourced from:
    csp.AllowFrames
        .FromNowhere(); //Nowhere, no iframes allowed
    // Allow AJAX, WebSocket and EventSource connections to:
    csp.AllowConnections
        .To("ws://localhost:1591")
        .To("http://localhost:1591")
        .ToSelf();
    // Allow fonts to be downloaded from:
    csp.AllowFonts
        .FromSelf()
        .From("ajax.aspnetcdn.com");
    // Allow object, embed, and applet sources from:
    csp.AllowPlugins
        .FromNowhere();
    // Allow other sites to put this in an iframe?
    csp.AllowFraming
        .FromNowhere(); // Block framing on other sites, equivalent to X-Frame-Options: DENY
    // Do not block violations, only report
    // This is a good idea while testing your CSP
    // Remove it when you know everything will work
    csp.SetReportOnly();
    // Where should the violation reports be sent to?
    csp.ReportViolationsTo("/csp-report");
    // Do not include the CSP header for requests to the /api endpoints
    csp.OnSendingHeader = context =>
    {
        context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/api");
        return Task.CompletedTask;
    };
});Content Security Policy can be quite daunting. Here is a nice page to find out what the options do: https://content-security-policy.com/
For violation reports, I recommend using Scott Helme's Report URI service at https://report-uri.io/.
CSP allows you to also specify a nonce value, which makes it easier to have inline script and style elements like this on a page:
<head>
  <script>
    console.log("Hello");
  </script>
  <style>
    h1 {
      color: red;
    }
  </style>
</head>To allow them without nonces, you might have to use the unsafe-inline option.
Instead of doing that, we can add the following service in Startup:
public void ConfigureServices(IServiceCollection services)
{
    // ... other service registrations
    // Add services necessary for nonces in CSP, 32-byte nonces
    services.AddCsp(nonceByteAmount: 32);
}Then you need to modify your CSP definition to include the nonce:
csp.AllowScripts
    .FromSelf()
    .From("localhost:1591")
    .From("ajax.aspnetcdn.com")
    .AddNonce(); //<----
csp.AllowStyles
    .FromSelf()
    .From("ajax.aspnetcdn.com")
    .AddNonce(); //<-----Then to use the nonce tag helper, we need to import it in _ViewImports.cshtml:
@addTagHelper *, Joonasw.AspNetCore.SecurityHeadersThen we just need to use it in the Razor view:
<head>
  <script asp-add-nonce="true">
    console.log("Hello");
  </script>
  <style asp-add-nonce="true">
    h1 {
      color: red;
    }
  </style>
</head>Now a unique nonce is generated every request and inserted into the CSP header + the elements you want.