Hrithik.Security.Headers

Strongly-typed, validated, and standardized handling of security-relevant HTTP headers for ASP.NET Core applications. Designed for fintech, banking, microservices, and zero-trust architectures.


Keywords
api-security, correlation-id, dotnet, fintech, headers, http-headers, idempotency, multi-tenant, security
License
MIT
Install
Install-Package Hrithik.Security.Headers -Version 1.0.0

Documentation

πŸ” Hrithik.Security.Headers

Strongly-typed, validated, and standardized handling of security-relevant HTTP headers for .NET applications.

Designed for fintech, banking, microservices, and zero-trust architectures where consistency, traceability, and security are mandatory.

✨ Why this package?

In most ASP.NET Core applications:

HTTP headers are accessed using magic strings

Security-critical headers are not validated consistently

Correlation, idempotency, and tenant context are scattered across controllers

Downstream services receive incomplete or inconsistent metadata

Hrithik.Security.Headers solves this by providing a single, strongly-typed source of truth for all security-relevant headers.

🚀 Key Features

✅ Strongly-typed security headers model

✅ Centralized header extraction & validation

✅ ASP.NET Core middleware integration

✅ Options-driven enforcement (fail-fast)

✅ Fintech & banking friendly

✅ Clean foundation for audit logging, idempotency & signing

📦 Installation

```bash
dotnet add package Hrithik.Security.Headers
```

🧠 Supported Headers

| Header | Purpose |
| --- | --- |
| X-Correlation-Id | Distributed request tracing |
| X-Request-Id | Unique request identification |
| Idempotency-Key | Prevent duplicate processing |
| X-API-Key | Client / service authentication |
| X-Tenant-Id | Multi-tenant isolation |
| X-Actor-Id | User or service identity |
| X-Client-IP | Original caller IP |
| X-Signature | Request signing / integrity |

🧩 Core Concept

This package extracts all security-relevant headers once, validates them, and exposes them as a single immutable model for the entire request lifecycle.

If a request passes the middleware, downstream components can trust the headers.

βš™οΈ Configuration 1️⃣ Register services builder.Services.AddSecurityHeaders(options => { options.RequireCorrelationId = true; options.GenerateIfMissing = true; options.EnforceIdempotencyKey = false; options.EnforceTenant = false; options.EnforceSignature = false; });

2️⃣ Enable middleware app.UseSecurityHeaders();

Place this early in the pipeline, before authentication, authorization, and logging.

🧪 Usage Example

Access headers anywhere in the request

```csharp
var headers = HttpContext.Items["SecurityHeaders"] as SecurityHeaders;

_logger.LogInformation(
    "Request {RequestId} from actor {ActorId}",
    headers?.RequestId,
    headers?.ActorId
);
```

🛑 Validation Behavior

Missing required headers → request is rejected

Validation failures throw SecurityException

Designed for fail-fast security enforcement

Example failures:

Missing X-Correlation-Id

Missing X-Tenant-Id (when enforced)

Missing Idempotency-Key (when enforced)

πŸ— Architecture Incoming Request ↓ SecurityHeadersMiddleware ↓ ISecurityHeadersReader ↓ SecurityHeaders (strongly-typed) ↓ ISecurityHeadersValidator ↓ HttpContext.Items["SecurityHeaders"] ↓ Controllers / Services / Logging

🔗 Ecosystem Integration

This package is intentionally lightweight and acts as a foundation for:

Hrithik.Security.AuditLogging

Hrithik.Security.Idempotency

Hrithik.Security.RequestSigning

Hrithik.Security.Correlation

Hrithik.Security.TenantIsolation

🔒 Security Philosophy

No silent defaults for security-critical headers

Explicit configuration over implicit behavior

Fail-fast on invalid or missing data

Separation of concerns (headers ≠ auth ≠ logging)

📜 License

MIT License

👀 Author

Hrithik Kalra

.NET | API Security | Fintech Systems

📧 Email: hrithikkalra11@gmail.com

GitHub: https://github.com/hrithikalra

LinkedIn: https://www.linkedin.com/in/hrithik-kalra-b6836a246/



🔗 Related Packages

This package is part of the Hrithik.Security ecosystem:

  • Hrithik.Security.ApiKeyManagement
    API key generation, storage, and scope-based authorization

  • Hrithik.Security.RequestSigning
    HMAC-based request signing for tamper-proof APIs

  • Hrithik.Security.ReplayProtection
    Short-window replay attack prevention

  • Hrithik.Security.RateLimiting
    Flexible, API-key–aware rate limiting for ASP.NET Core APIs

  • Hrithik.Security.Idempotency
    Idempotency-key–based protection for safe retries in financial APIs

  • Hrithik.Security.Jose
    JWT and JWS utilities for secure token handling and message signing

  • Hrithik.Security.AuditLogging
    Compliance-grade, tamper-evident audit logging for .NET APIs

Together, they form a complete API security framework.

These packages are independent and can be used together or individually.