MPCoreDeveloper
diff --git a/‎.github/FUNDING.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/FUNDING.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎PACKAGE.md‎
Lines changed: 143 additions & 0 deletions b/‎PACKAGE.md‎
Lines changed: 143 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 30 additions & 9 deletions b/‎README.md‎
Lines changed: 30 additions & 9 deletions
diff --git a/‎docs/README.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/csp-configuration.md‎
Lines changed: 110 additions & 4 deletions b/‎docs/csp-configuration.md‎
Lines changed: 110 additions & 4 deletions
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+
+github: [MPCoreDeveloper]
@@ -0,0 +1,143 @@
+# 🛡️ SafeWebCore
+
+A lightweight, high-performance .NET 10 middleware library that adds security headers to your ASP.NET Core applications. Targets an **A+ rating** on [securityheaders.com](https://securityheaders.com) out of the box.
+
+## Two Ways to Use SafeWebCore
+
+### Option 1 — Strict A+ Preset (fastest)
+
+One line for the strictest A+ configuration. Defined in `ServiceCollectionExtensions.AddNetSecureHeadersStrictAPlus()`.
+
+```csharp
+using SafeWebCore.Extensions;
+
+var builder = WebApplication.CreateBuilder(args);
+builder.Services.AddNetSecureHeadersStrictAPlus();
+
+var app = builder.Build();
+app.UseNetSecureHeaders();
+app.Run();
+```
+
+Customize the preset — CSP directives are **space-separated**, add multiple origins in one string:
+
+```csharp
+builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
+{
+    // Single origin
+    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn.example.com" };
+
+    // Multiple origins — just separate with spaces
+    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn1.example.com https://cdn2.example.com data:" };
+
+    // Multiple directives at once
+    opts.Csp = opts.Csp with
+    {
+        ConnectSrc = "'self' https://api.example.com wss://ws.example.com",
+        FontSrc = "'self' https://fonts.gstatic.com https://cdn.example.com"
+    };
+
+    // Non-CSP headers
+    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
+});
+```
+
+### Option 2 — Fully Custom Configuration
+
+Full control over every header via `ServiceCollectionExtensions.AddNetSecureHeaders()`:
+
+```csharp
+using SafeWebCore.Builder;
+using SafeWebCore.Extensions;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddNetSecureHeaders(opts =>
+{
+    // Transport security
+    opts.EnableHsts = true;
+    opts.HstsValue = "max-age=31536000; includeSubDomains";
+
+    // Framing
+    opts.EnableXFrameOptions = true;
+    opts.XFrameOptionsValue = "SAMEORIGIN";
+
+    // MIME sniffing
+    opts.EnableXContentTypeOptions = true;
+    opts.XContentTypeOptionsValue = "nosniff";
+
+    // Referrer
+    opts.EnableReferrerPolicy = true;
+    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
+
+    // Permissions
+    opts.EnablePermissionsPolicy = true;
+    opts.PermissionsPolicyValue = "camera=(), microphone=(), geolocation=()";
+
+    // Cross-Origin isolation
+    opts.EnableCoep = true;
+    opts.CoepValue = "require-corp";
+    opts.EnableCoop = true;
+    opts.CoopValue = "same-origin";
+    opts.EnableCorp = true;
+    opts.CorpValue = "same-origin";
+
+    // Server header
+    opts.RemoveServerHeader = true;
+
+    // CSP — use the fluent builder
+    opts.Csp = new CspBuilder()
+        .DefaultSrc("'none'")
+        .ScriptSrc("'nonce-{nonce}' 'strict-dynamic' https:")
+        .StyleSrc("'nonce-{nonce}'")
+        .ImgSrc("'self' https: data:")
+        .FontSrc("'self' https://fonts.gstatic.com")
+        .ConnectSrc("'self' wss://realtime.example.com")
+        .FrameAncestors("'none'")
+        .BaseUri("'none'")
+        .FormAction("'self'")
+        .UpgradeInsecureRequests()
+        .Build();
+});
+
+var app = builder.Build();
+app.UseNetSecureHeaders();
+app.Run();
+```
+
+Both methods are defined in **`SafeWebCore.Extensions.ServiceCollectionExtensions`**.
+
+## Strict A+ Headers
+
+| Header | Strict A+ Value |
+|--------|-----------------|
+| `Strict-Transport-Security` | `max-age=63072000; includeSubDomains; preload` |
+| `Content-Security-Policy` | Nonce-based, `strict-dynamic`, Trusted Types |
+| `X-Frame-Options` | `DENY` |
+| `X-Content-Type-Options` | `nosniff` |
+| `Referrer-Policy` | `no-referrer` |
+| `Permissions-Policy` | All 29 browser features denied |
+| `Cross-Origin-Embedder-Policy` | `require-corp` |
+| `Cross-Origin-Opener-Policy` | `same-origin` |
+| `Cross-Origin-Resource-Policy` | `same-origin` |
+| `Server` | _(removed)_ |
+
+## Features
+
+- 🔒 **Strict A+ preset** — one-line setup with the strictest security headers
+- 🛠️ **Fully custom** — configure every header and CSP directive individually
+- 🧩 **Nonce-based CSP** — per-request cryptographic nonces for scripts and styles
+- 📋 **Full CSP Level 3** (W3C Recommendation) — all 22 directives, nonce/hash support, `strict-dynamic`, `report-to`, `worker-src`, `frame-src`, `manifest-src`, `script-src-elem/attr`, `style-src-elem/attr`
+- 🔮 **CSP Level 4 ready** — Trusted Types (`require-trusted-types-for`, `trusted-types`), `fenced-frame-src` (Privacy Sandbox)
+- 🎯 **Fluent CSP Builder** — type-safe, chainable API with full XML documentation
+- ⚡ **Zero-allocation nonce generation** — `stackalloc` + `RandomNumberGenerator`
+- 🔌 **Extensible** — custom `IHeaderPolicy` implementations
+- 📊 **CSP violation reporting** — built-in `/csp-report` endpoint using Reporting API v1
+
+## Documentation
+
+Full documentation: [github.com/MPCoreDeveloper/SafeWebCore/docs](https://github.com/MPCoreDeveloper/SafeWebCore/tree/master/docs)
+
+## License
+
+MIT — see [LICENSE](https://github.com/MPCoreDeveloper/SafeWebCore/blob/master/LICENSE)
@@ -1,8 +1,12 @@
 # 🛡️ SafeWebCore
 
+[![NuGet](https://img.shields.io/nuget/v/SafeWebCore.svg?logo=nuget)](https://www.nuget.org/packages/SafeWebCore)
+[![NuGet Downloads](https://img.shields.io/nuget/dt/SafeWebCore.svg?logo=nuget)](https://www.nuget.org/packages/SafeWebCore)
 [![.NET 10](https://img.shields.io/badge/.NET-10-512BD4?logo=dotnet)](https://dotnet.microsoft.com)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![securityheaders.com](https://img.shields.io/badge/securityheaders.com-A%2B-brightgreen)](https://securityheaders.com)
+[![CSP](https://img.shields.io/badge/CSP-Level%203%20%2B%20Level%204-blue?logo=w3c)](https://www.w3.org/TR/CSP3/)
+[![Sponsor](https://img.shields.io/badge/Sponsor-❤-ea4aaa?logo=githubsponsors)](https://github.com/sponsors/MPCoreDeveloper)
 
 **SafeWebCore** is a lightweight, high-performance .NET 10 middleware library that adds security headers to your ASP.NET Core applications. It targets an **A+ rating** on [securityheaders.com](https://securityheaders.com) out of the box — zero configuration required.
 
@@ -11,13 +15,23 @@
 ## ✨ Features
 
 - 🔒 **A+ in one line** — `AddNetSecureHeadersStrictAPlus()` configures the strictest security headers instantly
+- 🛠️ **Fully custom** — `AddNetSecureHeaders(opts => { ... })` gives you complete control over every header
 - 🧩 **Nonce-based CSP** — per-request cryptographic nonces for `script-src` and `style-src`
-- 📋 **CSP Level 3** — Trusted Types, `strict-dynamic`, `script-src-elem/attr`, `style-src-elem/attr`, `worker-src`, `fenced-frame-src`
-- 🎯 **Fluent CSP Builder** — type-safe, chainable API for building Content Security Policy
+- 📋 **Full CSP Level 3** (W3C Recommendation) — all directives including `worker-src`, `manifest-src`, `frame-src`, `script-src-elem/attr`, `style-src-elem/attr`, `report-to`, nonce/hash support, `strict-dynamic`
+- 🔮 **CSP Level 4 ready** — Trusted Types (`require-trusted-types-for`, `trusted-types`), `fenced-frame-src` (Privacy Sandbox)
+- 🎯 **Fluent CSP Builder** — type-safe, chainable API with full XML documentation for every directive
 - ⚡ **Zero-allocation nonce generation** — `stackalloc` + `RandomNumberGenerator` on the hot path
 - 🛑 **Server header removal** — hides server technology from attackers
 - 🔌 **Extensible** — add custom `IHeaderPolicy` implementations for any header
-- 📊 **CSP violation reporting** — built-in middleware for `/csp-report` endpoint
+- 📊 **CSP violation reporting** — built-in middleware for `/csp-report` endpoint using Reporting API v1
+
+### CSP Compliance
+
+| Standard | Status | Coverage |
+|----------|--------|----------|
+| **CSP Level 3** (W3C Recommendation) | ✅ Full | All 22 directives, nonce/hash, `strict-dynamic`, `report-to` |
+| **CSP Level 4** (Emerging) | ✅ Ready | Trusted Types, `fenced-frame-src` (Privacy Sandbox) |
+| Deprecated directives | ✅ Handled | `report-uri`, `block-all-mixed-content` marked `[Obsolete]` |
 
 ---
 
@@ -66,22 +80,29 @@ That's it! Your application now returns these headers on every response:
 
 ### 3. Strict A+ with customization
 
-The preset is intentionally strict. Relax only what your app needs:
+The preset is intentionally strict. Relax only what your app needs.
+CSP directives are **space-separated** — add multiple origins in a single string:
 
 ```csharp
 builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
 {
-    // Allow images from your CDN
-    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn.example.com" };
+    // Multiple CDNs — just separate with spaces
+    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn1.example.com https://cdn2.example.com data:" };
 
-    // Allow API calls to your backend
-    opts.Csp = opts.Csp with { ConnectSrc = "'self' https://api.example.com" };
+    // Multiple directives at once using 'with { ... }'
+    opts.Csp = opts.Csp with
+    {
+        ConnectSrc = "'self' https://api.example.com wss://ws.example.com",
+        FontSrc = "'self' https://fonts.gstatic.com https://cdn.example.com"
+    };
 
-    // Use strict-origin-when-cross-origin instead of no-referrer
+    // Non-CSP headers are simple string properties
     opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
 });
 ```
 
+> 💡 **Tip:** Each CSP directive is one string with space-separated sources. Use a single `with { ... }` block to change multiple directives at once.
+
 ### 4. Full manual configuration
 
 For complete control, use `AddNetSecureHeaders` with the fluent CSP builder:
 
@@ -22,6 +22,7 @@ Welcome to the SafeWebCore documentation. SafeWebCore is a .NET 10 middleware li
 | I want to... | Go to |
 |---------------|-------|
 | Get A+ in one line | [Getting Started](getting-started.md) |
+| Configure everything custom | [Getting Started](getting-started.md#fully-custom-setup) |
 | Understand what each header does | [Security Headers](security-headers.md) |
 | Configure CSP with nonces | [CSP Configuration](csp-configuration.md) |
 | Customize the strict preset | [Presets](presets.md) |
 
@@ -2,6 +2,8 @@
 
 Content Security Policy (CSP) is the most powerful security header for preventing XSS attacks. SafeWebCore provides a fluent builder and nonce-based enforcement out of the box.
 
+SafeWebCore implements the **full CSP Level 3** (W3C Recommendation) directive set and forward-looking **CSP Level 4** features including Trusted Types and `fenced-frame-src`.
+
 ---
 
 ## How CSP Works
@@ -42,6 +44,7 @@ These control where resources can be loaded from.
 | `media-src` | `<audio>`, `<video>` | _(inherits 'none')_ |
 | `object-src` | `<object>`, `<embed>`, `<applet>` | `'none'` |
 | `child-src` | `<frame>`, `<iframe>`, workers | `'none'` |
+| `frame-src` | `<frame>`, `<iframe>` (CSP L3, split from child-src) | _(inherits child-src)_ |
 | `worker-src` | Worker, SharedWorker, ServiceWorker | `'self'` |
 | `manifest-src` | Web app manifest | `'self'` |
 | `fenced-frame-src` | `<fencedframe>` (2025+) | _(disabled)_ |
@@ -104,12 +107,12 @@ Every method returns `this` for chaining. Call `.Build()` at the end to get the
 
 ## Using CspOptions Directly
 
-Since `CspOptions` is a C# `record`, you can also use `with` expressions:
+Since `CspOptions` is a C# `record`, you can use `with` expressions. Each directive is a **space-separated** string of sources:
 
 ```csharp
 using SafeWebCore.Options;
 
-// Start from Strict A+ and relax
+// Start from scratch
 opts.Csp = new CspOptions() with
 {
     DefaultSrc = "'none'",
@@ -119,7 +122,7 @@ opts.Csp = new CspOptions() with
 };
 ```
 
-Or modify the Strict A+ preset:
+Or modify the Strict A+ preset — change only what you need, the rest stays strict:
 
 ```csharp
 builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
@@ -132,6 +135,32 @@ builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
 });
 ```
 
+### Multiple origins per directive
+
+Add as many origins as you need, separated by spaces:
+
+```csharp
+builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
+{
+    opts.Csp = opts.Csp with
+    {
+        // Images from two CDNs + data URIs
+        ImgSrc = "'self' https://cdn1.example.com https://cdn2.example.com data:",
+
+        // API + WebSocket + analytics
+        ConnectSrc = "'self' https://api.example.com wss://ws.example.com https://analytics.example.com",
+
+        // Google Fonts + your own CDN
+        FontSrc = "'self' https://fonts.gstatic.com https://cdn.example.com",
+
+        // Multiple script hosts (loaded via strict-dynamic trust chain)
+        ScriptSrc = "'nonce-{nonce}' 'strict-dynamic'"
+    };
+});
+```
+
+> 💡 **Key rule:** one string per directive, spaces between origins. The `with { ... }` block lets you change multiple directives in one expression.
+
 ---
 
 ## Nonce Usage in HTML
@@ -254,8 +283,85 @@ opts.Csp = new CspBuilder()
     .ScriptSrc("'nonce-{nonce}' 'strict-dynamic'")
     .StyleSrc("'nonce-{nonce}'")
     .ImgSrc("'self' https://img.youtube.com")
-    .ChildSrc("https://www.youtube.com")
+    .FrameSrc("https://www.youtube.com")
     .FrameAncestors("'none'")
     .UpgradeInsecureRequests()
     .Build();
 ```
+
+---
+
+## CSP Level 3 / Level 4 Compliance
+
+SafeWebCore implements the **complete CSP Level 3** W3C Recommendation and includes forward-looking **CSP Level 4** directives.
+
+### CSP Level 3 (W3C Recommendation) — ✅ Full Coverage
+
+| Category | Directives | Status |
+|----------|------------|--------|
+| **Fetch** | `default-src`, `script-src`, `style-src`, `img-src`, `font-src`, `connect-src`, `media-src`, `object-src`, `child-src`, `frame-src`, `worker-src`, `manifest-src` | ✅ All 12 |
+| **Granular fetch (L3)** | `script-src-elem`, `script-src-attr`, `style-src-elem`, `style-src-attr` | ✅ All 4 |
+| **Document** | `base-uri`, `sandbox` | ✅ Both |
+| **Navigation** | `form-action`, `frame-ancestors` | ✅ Both |
+| **Reporting** | `report-to` (Reporting API v1) | ✅ |
+| **Transport** | `upgrade-insecure-requests` | ✅ |
+| **Nonce-based** | `'nonce-{nonce}'` per-request cryptographic nonces | ✅ |
+| **Hash-based** | `'sha256-...'`, `'sha384-...'`, `'sha512-...'` allowlisting | ✅ |
+| **Trust propagation** | `'strict-dynamic'` — trusted scripts can load further dependencies | ✅ |
+| **Deprecated (L3)** | `report-uri` → `[Obsolete]`, `block-all-mixed-content` → `[Obsolete]` | ✅ Handled |
+
+#### Key CSP Level 3 improvements implemented
+
+- **`frame-src` split from `child-src`** — In CSP Level 2, `child-src` governed both frames and workers. Level 3 separates them: `frame-src` for `<frame>`/`<iframe>`, `worker-src` for Worker/SharedWorker/ServiceWorker.
+- **`worker-src`** — Dedicated directive for controlling Worker, SharedWorker, and ServiceWorker sources.
+- **`manifest-src`** — Controls web app manifest loading.
+- **Granular script/style directives** — `script-src-elem`, `script-src-attr`, `style-src-elem`, `style-src-attr` provide fine-grained control beyond the base `script-src`/`style-src`.
+- **`report-to`** — Replaces the deprecated `report-uri` directive with the modern Reporting API v1.
+- **Nonce + hash + `strict-dynamic`** — The recommended approach per Google and the W3C. SafeWebCore generates a unique cryptographic nonce per request using `stackalloc` + `RandomNumberGenerator` (zero heap allocations).
+
+### CSP Level 4 (Emerging) — ✅ Ready
+
+| Directive | Purpose | Status |
+|-----------|---------|--------|
+| `require-trusted-types-for` | Enforces Trusted Types for DOM XSS sinks (`innerHTML`, `eval()`, etc.) | ✅ |
+| `trusted-types` | Controls which Trusted Type policy names are allowed | ✅ |
+| `fenced-frame-src` | Controls `<fencedframe>` sources (Privacy Sandbox) | ✅ |
+
+#### Trusted Types
+
+Trusted Types prevent DOM-based XSS at the API level by requiring all dangerous DOM sinks to use type-safe objects instead of raw strings:
+
+```csharp
+opts.Csp = new CspBuilder()
+    .DefaultSrc("'none'")
+    .ScriptSrc("'nonce-{nonce}' 'strict-dynamic'")
+    .RequireTrustedTypesFor("'script'")
+    .TrustedTypes("'none'")
+    .Build();
+```
+
+This blocks calls like `element.innerHTML = userInput` unless the value is wrapped in a Trusted Type policy.
+
+#### Hash-Based Allowlisting
+
+CSP Level 3 supports allowing specific inline scripts/styles by their SHA digest. Pass hash tokens directly in any directive value:
+
+```csharp
+opts.Csp = new CspBuilder()
+    .ScriptSrc("'sha256-abc123...' 'strict-dynamic'")
+    .StyleSrc("'sha256-def456...'")
+    .Build();
+```
+
+Supported algorithms: `sha256`, `sha384`, `sha512`.
+
+### Deprecated Directives
+
+SafeWebCore correctly handles deprecated directives:
+
+| Directive | Status | Replacement |
+|-----------|--------|-------------|
+| `report-uri` | `[Obsolete]` — still emitted when set for backward compatibility | `report-to` (Reporting API v1) |
+| `block-all-mixed-content` | `[Obsolete]` — modern browsers block mixed content by default | `upgrade-insecure-requests` |
+
+Both deprecated directives are excluded from `CspBuilder` but remain available on `CspOptions` with `[Obsolete]` attributes and compiler warnings.