X-FRAME-OPTIONS is a web header that can be used to allow or deny a page to be iframed. This is very important when protecting against clickjacking attempts. Using this header you can ensure that your content is not rendered when placed inside an IFrame, or only rendered under certain conditions (Like when you are framing yourself).

A common alternative to protect against clickjacking is to use javascript code to “break” iframes when your website is placed in them. This works for the most part but will obviously fail if the user does not have JS enabled, or (more common than you think), you forget to load the JS file on a particular page.

X-Frame-Options Settings

Your options when setting the header as as follows.

X-FRAME-OPTIONS : DENY
The page cannot be put in a frame no matter who it is (Including the site framing itself). If you don’t use frames on your own site then this is a good catch all.

X-FRAME-OPTIONS : SAMEORIGIN
The page can be framed as long as the domain framing it is the same. This is good if you are using frames yourself.

X-FRAME-OPTIONS : ALLOW-FROM https://myotherdomain.com
The page can be framed by the specified domains. Good if you have two sites with one framing the other.

Note that Allow-From is only supported in Firefox and IE. Chrome and Safari have both said that they will not support it and instead implement “Content-Security-Policy”, an alternative way to prevent clickjacking (And the subject of a future post!). Because of that it is not recommended you use this setting, stick with DENY or SAMEORIGIN.

Setting X-Frame-Options At The Code Level

Adding X-FRAME-OPTIONS to your .net core app is very simple. In your Configure method in your startup.cs, you need to add a custom middleware like so :

And that’s all! Now every request that runs through your ASP.net core app will be protected.

Setting X-Frame-Options At The Server Level

You (or your dev ops team) may prefer to configure headers at the server level. In that case below are the various ways to add X-FRAME-OPTIONS to your web server so every request gains the header.

Setting X-FRAME-OPTIONS in IIS

The best way to do this if you are just using IIS to forward requests to Kestrel (Or even if this is actually being hosted in IIS), is to do this in IIS Manager.

  1. Open IIS Manager and on the left hand tree, left click the site you would like to manage.
  2. Doubleclick the “HTTP Response Headers” icon.
  3. Right click the header list and select “Add”
  4. For the “name” write “X-FRAME-OPTIONS” and for the value write in your desired option e.g. “SAME-ORIGIN”.

Setting X-FRAME-OPTIONS in Apache

In your httpd.conf file you need to append the following line :

Setting X-FRAME-OPTIONS in htaccess

If you are using shared hosting you may only have access to an HTAccess file. Or you may prefer to use HTAccess to manage redirects, headers etc anyway. If that’s the case you need to add the following to your .htaccess file.

Setting X-FRAME-OPTIONS in NGINX

In nginix.conf add the following line (And restart the nginx service afterwards).

Attempting to install a nuget package the other day I got the following error :

Package ‘xyz’ uses features that are not supported by the current version of NuGet. To upgrade NuGet, see http://docs.nuget.org/consume/installing-nuget.

Following the link takes you to this page. Because I am using the inbuild package manager console from Visual Studio, I followed the steps inside VS that say to go Tools > Extensions and Updates and then click the Updates tab to see if I had an update waiting.

I didn’t. Still stuck. Damn.

After a bit of searching I came across this page that has the Visual Studio extensions to be downloaded manually and installed. After downloading the package and installing manually, with a quick restart of visual studio we are up and running on the latest version of Nuget!

If you are unsure if you are on the latest version of Nuget, you can type “nuget help” in your package manager console and it will tell you the version.

Redis is a high performance distributed cache. It’s great for storing data that you are going to need again and again in a short period of time when you don’t want to use processing power to “create” that data again. Think number crunching or heavy SQL queries for data that doesn’t change often.

Roll Your Own

First off. You can absolutely roll your own Redis Cache services abstracted by your own interfaces etc. You may find it a little difficult to find libraries that target .net Core, but this will change over time.

In saying that, there is a “.net core” way of doing things that is a little different. It does tie you into the framework a little, but it abstracts away the caching completely and let’s Microsoft handle it and that’s what we are going to go over today.

The ASP.net Core Way

The first thing you need to do is add the Redis caching package provided by Microsoft. You can do this in your package manager console by running :

In your startup.cs, you now need to add the following to your ConfigureServices method. It should look something like :

For your Configuration, while I’ve hardcoded this to 127.0.0.1, you can obviously change this to pull from your configuration as required. Either from AppSettings/ConnectionStrings etc.

And as you can probably guess with the method signature of “AddDistributedRedisCache”, you can also use things like SQL or InMemory caches using a similar sort of method. We will go over this in future posts!

AddDistributedRedisCache actually adds an interface automagically to your service collection called “IDistributedCache” that you can then use to set and retrieve values. You can then use controller dependency injection to get this anywhere in your app. So say we have a controller called HomeController and it wants to use the RedisCache. It would go :

The first time we view this page, there is nothing in the cache so we are given a new time. And it’s added to the cache. If we refresh the page, we then end up with the time that was cached. So for example :

A couple more notes.

  • IDistributedCache has async methods. You should use these in all scenarios that are possible.
  • IDistributedCache allows for storing either string values or byte values. If you want to serialize an object and store the entire thing, you can either serialize it to bytes and save it as bytes, or serialize it to JSON and save it as a string if you prefer.
  • As discussed earlier, while this is a Redis distributed cache, there are other implementations available that follow the exact pattern for InMemory, SQL Server etc.

If you need to use an InMemory Cache rather than Redis, see our tutorial on In Memory Caching here

HttpContext has had a bit of a shifting around in ASP.net core. While everyone has their own ideas on best practices, it’s a bit of a consensus that the usage of calling “HttpContext.Current” outside the scope of a controller (For example in a service class) was getting out of hand. It also made testing just that little bit harder.

So how to do it now? There are two ways.

Inside Controllers

Inside a controller, you can still access HttpContext by doing the following :

No, there is nothing special that I have done to access the Property “HttpContext”, it’s just available when inheriting from the base “Controller” class. Simple!

Inside Services

Inside services is a little tricker, but still possible. Note that you may want further abstraction away from directly accessing an HTTPContext, for example if you are using it for “Sessions” you may want to abstract it away incase you scale your servers horizontally and you will no longer be able to use the HTTP Session object within C#. But if you don’t think you’ll need that, read on!

First in your startup.cs, you need to register IHttpContextAccessor as a service like so :

In earlier versions of .net Core, IHttpContextAccessor was automatically registered. This was removed and announced here. So you need to register it manually if you intend to use this inside services.

When you create a helper/service class, you can then inject in the IHttpContextAccessor and use it. It would look like something not too dissimilar to this :

Unfortunately if you have accessed HttpContext throughout your old .net 4.5 code and are looking to upgrade to .net Core, you will have to do a bit of work to get it working again. But it’s worth it for the nice clean approach to DI and better testability.

By default, browsers abide by the Same-Origin policy, which is that documents (Or in most cases scripts) cannot interact with a resource from another domain. It isolates, for example, a malicious script being able to do “too much”. A script loaded from a third party should not be able to call your own API. However in some cases this actually may be warranted.

Enter CORS

CORS or Cross-Origin Resource Sharing is a way to by-pass this limitation/security measure for legitimate reasons. The most common in the context of ASP.net core is that you are building a Single Page Application, and you wish to host your API on another domain. For example your website is www.mywebsite.com and your API is api.mywebsite.com. Any scripts be they from jQuery, Angular, React, Backbone, whatever cannot make HTTP calls from www.mywebsite.com to api.mywebsite.com.

Configuring CORS In ASP.net Core

Let’s get going and see how this works in ASP.net Core

First you need to add the Microsoft Cors package from Nuget.

You then need to add the CORS services. In your startup.cs in your ConfigureServices method you should have something similar to the following :

Next you need to add the CORS middleware to your app. In your startup.cs you should have a Configure method. You need to have it similar to this :

The options lambda is a fluent API so you can add/remove any extras you need. You can actually use the option “AllowAnyOrigin” to accept any domain, but I highly recommend you do not do this as it opens up cross origin calls from anyone. You can also limit cross origin calls to their HTTP Method (GET/PUT/POST etc) so you can only expose GET calls cross domain etc.

Important!

Two very important points.

  • Incase it wasn’t obvious, the above is to be done on your API not your web project!
  • Your protocol is important. http://www.mydomain.com is not the same as https://www.mydomain.com

It’s not like the war of Pascalcase vs Camelcase hasn’t been going on for a very long time, but in ASP.net core it flared up again with a breaking change in ASP.net core 1.0. You can read the actual change request here on Github, and then the subsequent announcement with some unhappy campers here.

To be clear.

In earlier versions of Web API and indeed early versions of ASP.net core, the default serialization of an object to JSON results in Pascalcase names. When a C# app is talking to another C# app, the casing actually doesn’t matter. You can send JSON data with mYVaRiAbLE and it will still be deserialized into MyVariable in C#.

The issue usually reared it’s head when you were using javascript to consume your Web API. Afterall, when Mozilla, Google, jQuery, WordPress and countless others cite camelCase as the standard for Javascript naming, it’s probably what most people expect to see. If you are binding a model using Angular or similar from a Web API, you probably want to keep with the same naming format. Not have properties that came from your API suddenly be in Pascal Case.

It mostly comes down to the 80/20 rule. I would say a large majority of people using ASP.net core are also using some sort of javascript framework to bind models. And for that, camelCase is best.

So, what are your options if you are still #TeamPascalCase?

Change To PascalCase In ASP.net Core 1.0+

Probably the most annoying thing about this change is that you need to change the ContractResolver for the Json Serializer. The thing that gets people’s goat is that the resolver that makes things PascalCase is actually called the “DefaultContractResolver”…. Even though in version 1.0 and onwards it isn’t the default at all…..

In anycase, in your startup.cs file, find your ConfigureServices method. You should already have an AddMVC call, and tack onto it like so :

Change To camelCase In ASP.net Core <1.0

Just incase you are behind with the times in ASP.net Core versions and you want to move to camelCase by default (Possibly in preparation for upgrading), you can do so by doing similar to the above, but instead making the contract resolver camel case like so :

In a previous article we went over how to read custom configurations into memory in ASP.net core. This is also the new way to do Appsettings. But did you know that you can also do “hot loading” of configurations? That is, while your app is running, you can change an appsetting or configuration and your application will reload it on the fly without an app pool recycle or restarting the web server? Pretty nifty! Let’s take a look.

A couple of notes before we start :

  • We will be reusing our code from the custom configurations in asp.net core tutorial. If you haven’t read that yet maybe take a quick read to make sure we are on the same page.
  • This only works in ASP.net core 1.1 and up. Before that there were a couple of hot loading options that made it into early versions but ended up being problamatic and being removed. In earlier versions this was named IOptionsMonitor (Which is still there under the hood).

First, in your Startup.cs ensure that when you load your appSettings.json, that reloadOnChange is set to true. It should look something like this :

When you load your configuration into your services collection, you now must load it as configuration as opposed to loading it as a POCO. That means it should look like this :

When you request it into your controller/service, you then need to use IOptionsSnapshot rather than IOptions.

And that’s all! Now whenever you change configuration, your configuration is reloaded and your changes are seen instantly without a large restart required. This would be handy if you were deploying a prototype or a new feature that you’re unsure of how it would perform and need a way to tune it or disable the feature all together without requiring wholesale restarts.

Important. It’s A Snapshot!

It should be noted that the name IOptionsSnapshot is as the name implies, it’s a snapshot. If you for example take the value and hold onto that for some reason (In your own cache for example), these will not be hot loaded when changing configuration. Instead each time IOptionsSnapshot is injected into a class it will be given it’s unique value. This is very important to remember. Consider the following code :

Where the configuration value of MyProperty is a boolean. If between the first and second calls to the value of MyProperty, I go into the configuration and change the value. What do you think this action will return? The answer is true as IOptionsSnapshot only reads the configuration when being created, not when you request the value from it.

In our example here, we are using an MVC controller which is Transient scope. Meaning that each time we request the controller, our DI recreates it for us. But it’s important to remember that if you are using something with a Singleton scope (Or to some extent a “scoped” scope), and injecting IOptionsSnapshot into that, the options will never be updated.

Frustratingly .net Core early releases were without URL Encode and Decode methods. Whereas previously you were able to access the HTTPUtility namespace for encoding and decoding strings, this was not ported to .net core.

Until now!

Microsoft has moved the UrlEncode and Decode methods into a WebUtility static class. If you are super nosy you can see the code that’s doing your encoding here.

To get access you need to install this nuget package, which at the time of writing means running this command from your package command line :

Now you have access to URL Encoding

So you’ve heard about ASP.net Core and you’re considering the move, but you want to know if it’s really worth it. You will always have to weigh up the pros and cons, especially if you are intending to move an existing app into .net core. But here’s 5 reasons you should definitely consider ASP.net core for your next project.

It’s A Small Learning Curve

Yes it’s true that there is a learning curve when learning .net core, even if you’re a seasoned ASP.net developer, but it’s not as big as you might think. For example, the language is still C#, namespaces are often the same or have been lifted and shifted to an easy location, and many classes/pieces of code you already have are usually able to be moved without too much hassle.

With that being said, there are a few notable exceptions. Things like cryptography services have either been severely changed. In some cases classes like the FTPWebRequest have been completely removed, much to the annoyance of some (Although should be added back in the future). If you are doing a small test application in .net core or have full embraced microservices, you will quickly be able to validate if .net core has everything you need. If you are attempting to port a massive monolith, it might be worthwhile researching into the few things .net core is currently lacking before setting off.

Multi Platform

Usually seen as the number one reason to make the switch. ASP.net Core is able to be run (And developed) on Windows, Mac and Linux. While Visual Studio is still Windows only, VS Code and Jetbrains Rider are available on all OS to develop .net core solutions. Your devops team will no doubt love you with the ability to now deploy the code on cheaper (And to some people, more reliable) Linux machines too!

It’s not like you are left on your own to work it out either. Microsoft has published documentation on getting ASP.net core running on Ubuntu, documentation on getting ASP.net core running on Apache with CentOS, and even how to get everything up and running on Docker. Imagine that happening just 5 years ago!

One Web Framework To Learn

In previous versions of ASP.net you had a difference between MVC controllers and API controllers. It seemed simple enough, but you then ended up with different ways to configure your web app. You could be half way through a ModelBinding tutorial before you realized it was for MVC only and you had to do something slightly different to get it working in the API. It was super frustrating! But in .net Core, It is all one and the same. One action can return JSON data, one can return an ActionResult, all in the same controller!

It’s Light

Previously you had to have the .net framework installed on your target machine when deploying. Not anymore! When deploying .net applications you can package up everything your app needs into a single zip and deploy only that. That means that your only shifting exactly what you need, as well as reducing the complexity of a machine setup if you are doing horizontal scaling.

It’s Fast

While the results are somewhat disputed on how “useful” and “real world” they are. The current benchmarks of ASP.net core’s web server (Kestrel), can currently serve over 1.2 million requests per second. For comparison in that benchmark, standard IIS can server around around 60k per second. These are plaintext benchmarks so it’s not running actual .net core code, but it’s still interesting to see the huge improvement in web server performance.

 

If you’re using Gulp across many projects (especially across many open source ones), you may come across errors that look similar to the following :

The issue is caused by having a local gulp install for your project and one installed globally. You can check this by running the command “gulp -v” from a command line. You should see something similar to :

How to fix it? Well first it’s maybe better to understand why this is the case. Why do we have a “local” version of gulp and a global version installed?

The local version is there because it ensures that gulp runs the same on any machine the code is run on. Including your build server or other development machines. Ensuring that the same version is run everywhere is a great way to ensure consistency.

The global version is there because it allows you to type “Gulp” from the command line essentially. Having the executable in your system path is very handy.

The Sledgehammer Fix

I call this the sledgehammer fix because it’s really just brutalizing a solution that happens to work. This fix is to simply update both your CLI and Local Gulp to the same version. You can do this by going into your web project in a command prompt and calling :

Warning. If for any reason your local version or global version was on a specific version of gulp, then you’ve just massacred it. If you’re working in a team you should ask before you do this or be prepared to lose friends in the workplace. Of course, if you’re a one man band and you haven’t picked a version of gulp for any particular reason, then this will work just fine.

The “Slightly More Elegant” Fix

The second fix does take a while of getting used to. Inside your package.json file you can add the following :

You can now run the local installed version of gulp (Without calling the global version), by typing “npm run gulp” from a command line inside your web project. It does take some getting used to if you’ve always just typed straight “gulp” from the command line.

What this does mean is that passing in various options and flags for gulp gets a bit gnarly. You usually end up with something more like the following :

Essentially spelling out all your different options for gulp (Including watches etc) within your scripts section.

The “Elegant” Fix

A more elegant fix is actually by removing gulp entirely from your globals and installing only the CLI. Run the following

This first command removes gulp globally (But not from local installs such as in your web project). The second command installs Gulp-CLI. The CLI is the command line interface for gulp and is the minimum amount to run gulp from the command line, but not actually have any of it’s “working parts” if you will globally. This is great because as above, we learned that the only reason we really have gulp globally is for the command line, not for any working parts. This solves our issue perfectly!