MPCoreDeveloper
diff --git a/‎README.md‎
Lines changed: 202 additions & 31 deletions b/‎README.md‎
Lines changed: 202 additions & 31 deletions
diff --git a/‎SafeWebCore.slnx‎
Lines changed: 0 additions & 20 deletions b/‎SafeWebCore.slnx‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎docs/README.md‎
Lines changed: 37 additions & 9 deletions b/‎docs/README.md‎
Lines changed: 37 additions & 9 deletions
@@ -1,70 +1,241 @@
-# SafeWebCore
+# 🛡️ SafeWebCore
 
-A .NET 10 library for building secure web applications with sensible defaults.
+[![.NET 10](https://img.shields.io/badge/.NET-10-512BD4?logo=dotnet)](https://dotnet.microsoft.com)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![securityheaders.com](https://img.shields.io/badge/securityheaders.com-A%2B-brightgreen)](https://securityheaders.com)
 
-## Features
+**SafeWebCore** is a lightweight, high-performance .NET 10 middleware library that adds security headers to your ASP.NET Core applications. It targets an **A+ rating** on [securityheaders.com](https://securityheaders.com) out of the box — zero configuration required.
 
-- Content Security Policy (CSP) middleware
-- Security header management
-- Zero-configuration secure defaults
+---
 
-## Getting Started
+## ✨ Features
 
-### Prerequisites
+- 🔒 **A+ in one line** — `AddNetSecureHeadersStrictAPlus()` configures the strictest security headers instantly
+- 🧩 **Nonce-based CSP** — per-request cryptographic nonces for `script-src` and `style-src`
+- 📋 **CSP Level 3** — Trusted Types, `strict-dynamic`, `script-src-elem/attr`, `style-src-elem/attr`, `worker-src`, `fenced-frame-src`
+- 🎯 **Fluent CSP Builder** — type-safe, chainable API for building Content Security Policy
+- ⚡ **Zero-allocation nonce generation** — `stackalloc` + `RandomNumberGenerator` on the hot path
+- 🛑 **Server header removal** — hides server technology from attackers
+- 🔌 **Extensible** — add custom `IHeaderPolicy` implementations for any header
+- 📊 **CSP violation reporting** — built-in middleware for `/csp-report` endpoint
 
-- [.NET 10 SDK](https://dotnet.microsoft.com/download)
+---
 
-### Installation
+## 🚀 Quick Start
+
+### 1. Install
 
 ```bash
 dotnet add package SafeWebCore
 ```
 
-### Usage
+### 2. One-line A+ setup (recommended)
 
 ```csharp
+using SafeWebCore.Extensions;
+
 var builder = WebApplication.CreateBuilder(args);
+
+// Adds ALL security headers with the strictest A+ configuration
+builder.Services.AddNetSecureHeadersStrictAPlus();
+
 var app = builder.Build();
 
-app.UseSafeWebCore();
+app.UseNetSecureHeaders();
+app.MapGet("/", () => "Hello, secure world!");
 
 app.Run();
 ```
 
-## Building
+That's it! Your application now returns these headers on every response:
 
-```bash
-dotnet build
+| Header | Value |
+|--------|-------|
+| `Strict-Transport-Security` | `max-age=63072000; includeSubDomains; preload` |
+| `X-Frame-Options` | `DENY` |
+| `X-Content-Type-Options` | `nosniff` |
+| `Referrer-Policy` | `no-referrer` |
+| `Permissions-Policy` | All features denied |
+| `Cross-Origin-Embedder-Policy` | `require-corp` |
+| `Cross-Origin-Opener-Policy` | `same-origin` |
+| `Cross-Origin-Resource-Policy` | `same-origin` |
+| `X-DNS-Prefetch-Control` | `off` |
+| `X-Permitted-Cross-Domain-Policies` | `none` |
+| `Content-Security-Policy` | Nonce-based, strict-dynamic, Trusted Types |
+| `Server` | _(removed)_ |
+
+### 3. Strict A+ with customization
+
+The preset is intentionally strict. Relax only what your app needs:
+
+```csharp
+builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
+{
+    // Allow images from your CDN
+    opts.Csp = opts.Csp with { ImgSrc = "'self' https://cdn.example.com" };
+
+    // Allow API calls to your backend
+    opts.Csp = opts.Csp with { ConnectSrc = "'self' https://api.example.com" };
+
+    // Use strict-origin-when-cross-origin instead of no-referrer
+    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
+});
 ```
 
-## Testing
+### 4. Full manual configuration
 
-```bash
-dotnet test
+For complete control, use `AddNetSecureHeaders` with the fluent CSP builder:
+
+```csharp
+using SafeWebCore.Builder;
+using SafeWebCore.Extensions;
+
+builder.Services.AddNetSecureHeaders(opts =>
+{
+    opts.EnableHsts = true;
+    opts.HstsValue = "max-age=31536000; includeSubDomains";
+
+    opts.EnableXFrameOptions = true;
+    opts.XFrameOptionsValue = "SAMEORIGIN";
+
+    opts.ReferrerPolicyValue = "strict-origin-when-cross-origin";
+
+    // Use the fluent CSP builder
+    opts.Csp = new CspBuilder()
+        .DefaultSrc("'none'")
+        .ScriptSrc("'nonce-{nonce}' 'strict-dynamic' https:")
+        .StyleSrc("'nonce-{nonce}'")
+        .ImgSrc("'self' https: data:")
+        .FontSrc("'self' https://fonts.gstatic.com")
+        .ConnectSrc("'self' wss://realtime.example.com")
+        .FrameAncestors("'none'")
+        .BaseUri("'none'")
+        .FormAction("'self'")
+        .UpgradeInsecureRequests()
+        .Build();
+});
+```
+
+---
+
+## 🔑 Using CSP Nonces in Razor Views
+
+SafeWebCore generates a unique cryptographic nonce per request. Use it in your scripts and styles:
+
+### With the `[CspNonce]` attribute
+
+```csharp
+using SafeWebCore.Attributes;
+
+[CspNonce]
+public class HomeController : Controller
+{
+    public IActionResult Index() => View();
+}
+```
+
+```html
+<!-- In your Razor view -->
+<script nonce="@ViewData["CspNonce"]">
+    console.log("This script is allowed by CSP");
+</script>
+
+<style nonce="@ViewData["CspNonce"]">
+    body { font-family: sans-serif; }
+</style>
+```
+
+### Direct access via `HttpContext.Items`
+
+```csharp
+var nonce = HttpContext.Items[NetSecureHeaders.CspNonceKey] as string;
+```
+
+---
+
+## 📊 CSP Violation Reporting
+
+Enable the built-in CSP report endpoint to catch policy violations:
+
+```csharp
+var app = builder.Build();
+
+app.UseCspReport();           // Handles POST /csp-report
+app.UseNetSecureHeaders();
+
+app.Run();
+```
+
+Configure the CSP to send reports:
+
+```csharp
+builder.Services.AddNetSecureHeadersStrictAPlus(opts =>
+{
+    opts.Csp = opts.Csp with { ReportTo = "default" };
+});
 ```
 
-## Project Structure
+Violations are logged at `Warning` level via `ILogger`.
+
+---
+
+## 📁 Project Structure
 
 ```
-src/
-  SafeWebCore/          # Main library
-tests/
-  SafeWebCore.Tests/    # Unit tests (xUnit)
-docs/                            # Documentation
-.github/                         # GitHub templates and workflows
-.editorconfig                    # Code style settings
-Directory.Build.props            # Shared MSBuild properties
-SafeWebCore.slnx        # Solution file
+SafeWebCore/
+├── src/SafeWebCore/
+│   ├── Abstractions/          # IHeaderPolicy interface
+│   ├── Attributes/            # [CspNonce] action filter
+│   ├── Builder/               # Fluent CspBuilder
+│   ├── Constants/             # Header name constants
+│   ├── Extensions/            # DI and middleware extensions
+│   ├── Infrastructure/        # NonceService, CspReportMiddleware
+│   ├── Middleware/             # NetSecureHeadersMiddleware
+│   ├── Options/               # NetSecureHeadersOptions, CspOptions
+│   └── Presets/               # SecurePresets (Strict A+)
+├── tests/SafeWebCore.Tests/   # xUnit v3 tests
+├── docs/                      # Documentation
+└── .github/                   # CI, issue templates
 ```
 
-## Contributing
+---
+
+## 📚 Documentation
+
+| Document | Description |
+|----------|-------------|
+| [Getting Started](docs/getting-started.md) | Installation, first setup, verification |
+| [Security Headers](docs/security-headers.md) | Every header explained with rationale |
+| [CSP Configuration](docs/csp-configuration.md) | CSP builder, nonces, directives guide |
+| [Presets](docs/presets.md) | Strict A+ preset details and customization |
+| [Advanced Configuration](docs/advanced-configuration.md) | Custom policies, reporting, per-route config |
+
+---
+
+## 🏗️ Building & Testing
+
+```bash
+# Build
+dotnet build
+
+# Run tests
+dotnet test
+
+# Run tests with coverage
+dotnet tool install -g dotnet-coverage
+dotnet-coverage collect -f cobertura -o coverage.cobertura.xml dotnet test
+```
+
+---
+
+## 🤝 Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
-## License
+## 📄 License
 
 This project is licensed under the MIT License. See [LICENSE](LICENSE) for details.
 
-## Changelog
+## 📝 Changelog
 
 See [CHANGELOG.md](CHANGELOG.md) for release history.
@@ -5,24 +5,4 @@
   <Folder Name="/tests/">
     <Project Path="tests/SafeWebCore.Tests/SafeWebCore.Tests.csproj" />
   </Folder>
-  <Folder Name="/docs/">
-    <File Path="docs/README.md" />
-  </Folder>
-  <Folder Name="/.github/">
-    <Folder Name="/.github/ISSUE_TEMPLATE/">
-      <File Path=".github/ISSUE_TEMPLATE/bug_report.yml" />
-      <File Path=".github/ISSUE_TEMPLATE/feature_request.yml" />
-      <File Path=".github/ISSUE_TEMPLATE/config.yml" />
-    </Folder>
-    <Folder Name="/.github/PULL_REQUEST_TEMPLATE/">
-      <File Path=".github/PULL_REQUEST_TEMPLATE/pull_request_template.md" />
-    </Folder>
-  </Folder>
-  <File Path="README.md" />
-  <File Path="LICENSE" />
-  <File Path="CONTRIBUTING.md" />
-  <File Path="CHANGELOG.md" />
-  <File Path=".gitignore" />
-  <File Path=".editorconfig" />
-  <File Path="Directory.Build.props" />
 </Solution>
@@ -1,19 +1,47 @@
 # SafeWebCore Documentation
 
-## Overview
+Welcome to the SafeWebCore documentation. SafeWebCore is a .NET 10 middleware library that adds security headers to ASP.NET Core applications, targeting an **A+ rating** on [securityheaders.com](https://securityheaders.com) out of the box.
 
-SafeWebCore provides middleware and utilities for building secure ASP.NET Core web applications.
+---
 
-## Modules
+## 📖 Table of Contents
 
-### CSP Middleware
+### Getting Started
 
-Content Security Policy middleware for controlling resource loading policies.
+- **[Getting Started](getting-started.md)** — Installation, minimal setup, and verifying your headers
 
-### Security Headers
+### Guides
 
-Automatic injection of recommended security response headers.
+- **[Security Headers](security-headers.md)** — Every security header explained with values, rationale, and configuration
+- **[CSP Configuration](csp-configuration.md)** — Content Security Policy builder, nonces, directives, and common scenarios
+- **[Presets](presets.md)** — Strict A+ preset details, customization examples, and when-not-to-use guidance
+- **[Advanced Configuration](advanced-configuration.md)** — Custom policies, CSP reporting, middleware ordering, troubleshooting
 
-## API Reference
+### Quick Reference
 
-_API documentation will be generated from XML comments._
+| I want to... | Go to |
+|---------------|-------|
+| Get A+ in one line | [Getting Started](getting-started.md) |
+| Understand what each header does | [Security Headers](security-headers.md) |
+| Configure CSP with nonces | [CSP Configuration](csp-configuration.md) |
+| Customize the strict preset | [Presets](presets.md) |
+| Add custom headers | [Advanced Configuration](advanced-configuration.md) |
+| Set up CSP violation reporting | [Advanced Configuration](advanced-configuration.md#csp-violation-reporting) |
+| Fix blocked resources | [Advanced Configuration](advanced-configuration.md#troubleshooting) |
+
+### API Reference
+
+API documentation is generated from XML comments on all public types. Key classes:
+
+| Class | Purpose |
+|-------|---------|
+| `SecurePresets` | Pre-configured A+ security options |
+| `NetSecureHeadersOptions` | All header configuration options |
+| `CspOptions` | CSP directive configuration (record) |
+| `CspBuilder` | Fluent CSP builder |
+| `INonceService` | Nonce generation interface |
+| `IHeaderPolicy` | Custom header policy interface |
+| `NetSecureHeaders` | Constants (`CspNonceKey`) |
+| `ServiceCollectionExtensions` | `AddNetSecureHeaders`, `AddNetSecureHeadersStrictAPlus` |
+| `ApplicationBuilderExtensions` | `UseNetSecureHeaders`, `UseCspReport` |
+| `CspNonceAttribute` | MVC action filter for nonce injection |