From 64710761042e4f70e01b52409d4d61af689e10af Mon Sep 17 00:00:00 2001
From: Andrew Lock <andrewlock.net@gmail.com>
Date: Sat, 31 Aug 2024 15:22:01 +0100
Subject: [PATCH] Allow specifying different properties for endpoints (#172)

* nit: Remove dead code

* Remove unused package references

* Remove ICustomHeaderService and make header service static

* Add support for adding multiple named policies, and referencing them in the middleware

* Add support for specifying a different header policy for a given endpoint

* Allow configuring the default policy in the services

* Add ReadMe

* Add support for MVC attributes with named policies
---
 README.md                                     | 101 +++++++++-
 .../EndpointConventionBuilderExtensions.cs    |  30 +++
 .../Infrastructure/CustomHeaderOptions.cs     |  19 +-
 .../Infrastructure/CustomHeaderService.cs     |   8 +-
 .../Infrastructure/CustomHeadersResult.cs     |   2 +-
 .../Infrastructure/ICustomHeaderService.cs    |  26 ---
 .../ISecurityHeadersPolicyMetadata.cs         |  12 ++
 .../SecurityHeaderPolicyBuilder.cs            |  73 +++++++
 .../SecurityHeadersPolicyMetadata.cs          |  11 ++
 ...scapades.AspNetCore.SecurityHeaders.csproj |   8 +-
 .../SecurityHeadersMiddleware.cs              |  90 +++++----
 .../SecurityHeadersMiddlewareExtensions.cs    |  58 +++++-
 .../SecurityHeadersPolicyAttribute.cs         |  13 ++
 .../ServiceCollectionExtensions.cs            |  28 +++
 .../HeaderAssertionHelpers.cs                 |  44 +++++
 ...ecurityHeadersMiddlewareFunctionalTests.cs |  48 +++--
 ...ecurityHeadersMiddlewareFunctionalTests.cs |  46 +++--
 .../SecurityHeadersMiddlewareTests.cs         | 171 ++++++++++++----
 test/RazorWebSite/Startup.cs                  |  17 +-
 .../EchoMiddleware.cs                         |  34 ----
 .../HomeController.cs                         |  16 ++
 .../Project_Readme.html                       | 187 ------------------
 .../Startup.cs                                |  28 ++-
 23 files changed, 676 insertions(+), 394 deletions(-)
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/EndpointConventionBuilderExtensions.cs
 delete mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ICustomHeaderService.cs
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ISecurityHeadersPolicyMetadata.cs
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeaderPolicyBuilder.cs
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeadersPolicyMetadata.cs
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersPolicyAttribute.cs
 create mode 100644 src/NetEscapades.AspNetCore.SecurityHeaders/ServiceCollectionExtensions.cs
 create mode 100644 test/NetEscapades.AspNetCore.SecurityHeaders.Test/HeaderAssertionHelpers.cs
 delete mode 100644 test/SecurityHeadersMiddlewareWebSite/EchoMiddleware.cs
 create mode 100644 test/SecurityHeadersMiddlewareWebSite/HomeController.cs
 delete mode 100644 test/SecurityHeadersMiddlewareWebSite/Project_Readme.html

diff --git a/README.md b/README.md
index e50501d..0ad42a4 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,9 @@ When you install the package, it should be added to your `.csproj`. Alternativel
 </Project>
 ```
 
-Simply add the middleware to your ASP.NET Core application by configuring it as part of your normal `Startup` pipeline. Note that the order of middleware matters, so to apply the headers to all requests it should be configured first in your pipeline.
+There are various ways to configure the headers for your application. 
+
+In the simplest scenario, add the middleware to your ASP.NET Core application by configuring it as part of your normal `Startup` pipeline (or `WebApplication` in .NET 6+). Note that the order of middleware matters, so to apply the headers to all requests it should be configured first in your pipeline.
 
 To use the default security headers for your application, add the middleware using:
 
@@ -152,6 +154,103 @@ public void Configure(IApplicationBuilder app)
 }
 ```
 
+## Applying different headers to different endpoints
+
+In some situations, you may need to apply different security headers to different endpoints. For example, you may want to have a very restrictive Content-Security-Policy by default, but then have a more relaxed on specific endpoints that require it. This is supported, but requires more configuration.
+
+### 1. Configure your policies using `AddSecurityHeaderPolicies()`
+
+You can configure named and default policies by calling `AddSecurityHeaderPolicies()` on `IServiceCollection`. You can configure the default policy to use, as well as any named policies. For example, the following configures the default policy (used when `UseSecurityHeaders()` is called without any arguments), and a named policy:
+
+```csharp
+var builder = WebApplication.CreateBuilder();
+
+// 👇 Call AddSecurityHeaderPolicies()
+builder.Services.AddSecurityHeaderPolicies()
+    .SetDefaultPolicy(policy => policy.AddDefaultSecurityHeaders()) // 👈 Configure the default policy
+    .AddPolicy("CustomPolicy", policy => policy.AddCustomHeader("X-Custom", "SomeValue")); // 👈 Configure named policies
+
+```
+
+### 2. Add the default middleware early to the pipeline
+
+The security headers middleware can only add headers to _all_ requests if it is early in the middleware pipeline, so it's important to add the headders middleware at the start of your middleware pipeline. However, if you want to have endpoint-specific policies, then you _also_ need to place the middleware after the call to `UseRouting()`, as that is the point at which the endpoint that will be executed is selected.
+
+```csharp
+var builder = WebApplication.CreateBuilder();
+
+// 👇 Configure policies as shown previously
+builder.Services.AddSecurityHeaderPolicies()
+    .SetDefaultPolicy(policy => policy.AddDefaultSecurityHeaders())
+    .AddPolicy("CustomPolicy", policy => policy.AddCustomHeader("X-Custom", "SomeValue"));
+
+var app = builder.Build();
+
+// Set the default headers for requests that
+// 👇 don't make it to the routing middleware
+app.UseSecurityHeaders();
+
+app.UseStaticFiles(); // other middleware
+app.UseAuthentication();
+app.UseRouting(); 
+
+app.UseSecurityHeaders(); // 👈 Add after the routing middleware 
+app.UseAuthorization();
+
+app.MapGet("/", () => "Hello world");
+app.Run();
+```
+
+Note that if you pass a policy to any call to `UseSecurityHeaders()` it will override the "default" policy used at that point.
+
+### 3. Apply custom policies to endpoints
+
+To apply a non-default policy to an endpoint, use the `WithSecurityHeadersPolicy(policy)` endpoint extension method, and pass in the name of the policy to apply:
+
+```csharp
+var builder = WebApplication.CreateBuilder();
+
+builder.Services.AddSecurityHeaderPolicies()
+    .SetDefaultPolicy(policy => policy.AddDefaultSecurityHeaders())
+    .AddPolicy("CustomPolicy", policy => policy.AddCustomHeader("X-Custom", "SomeValue"));
+
+var app = builder.Build();
+
+app.UseSecurityHeaders();
+
+app.UseStaticFiles();
+app.UseAuthentication();
+app.UseRouting(); 
+
+app.UseSecurityHeaders(); 
+app.UseAuthorization();
+
+app.MapGet("/", () => "Hello world")
+    .WithSecurityHeadersPolicy("CustomPolicy"); // 👈 Apply a named policy to the endpoint 
+app.Run();
+```
+
+If you're using MVC controllers or Razor Pages, you can apply the `[SecurityHeadersPolicy(policyName)]` attribute to your endpoints:
+
+```csharp
+public class HomeController : ControllerBase
+{
+    [SecurityHeadersPolicy("CustomHeader")] // 👈 Apply a custom header to the endpoint
+    public IActionResult Index()
+    {
+        return View();
+    }
+}
+```
+
+Each call to `UseSecurityHeaders()` will re-evaluate the applicable policies; the headers are applied just before the response is sent. The policy to apply is determined as follows, with the first applicable policy selected.
+
+1. If an endpoint has been selected, and a named policy is applied, use that.
+2. If a named or policy instance is passed to the `SecurityHeadersMiddleware`, use that.
+3. If the default policy has been set using `SetDefaultPolicy()`, use that.
+4. Otherwise, apply the default headers (those added by `AddDefaultSecurityHeaders()`)
+
+
 ## RemoveServerHeader
 
 One point to be aware of is that the `RemoveServerHeader` method will rarely (ever?) be sufficient to remove the `Server` header from your output. If any subsequent middleware in your application pipeline add the header, then this will be able to remove it. However Kestrel will generally add the `Server` header too late in the pipeline to be able to modify it.
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/EndpointConventionBuilderExtensions.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/EndpointConventionBuilderExtensions.cs
new file mode 100644
index 0000000..6c28848
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/EndpointConventionBuilderExtensions.cs
@@ -0,0 +1,30 @@
+using System;
+using NetEscapades.AspNetCore.SecurityHeaders;
+
+// ReSharper disable once CheckNamespace
+namespace Microsoft.AspNetCore.Builder;
+
+/// <summary>
+/// Header extension methods for <see cref="IEndpointConventionBuilder"/>.
+/// </summary>
+public static class EndpointConventionBuilderExtensions
+{
+    /// <summary>
+    /// Adds a security headers policy with the provided policy name to the endpoint(s).
+    /// </summary>
+    /// <param name="builder">The endpoint convention builder.</param>
+    /// <param name="policyName">The security headers policy to use.</param>
+    /// <returns>The original convention builder parameter.</returns>
+    /// <typeparam name="TBuilder">The type of the endpoint convention builder</typeparam>
+    public static TBuilder WithSecurityHeadersPolicy<TBuilder>(this TBuilder builder, string policyName)
+        where TBuilder : IEndpointConventionBuilder
+    {
+        if (builder is null)
+        {
+            throw new ArgumentNullException(nameof(builder));
+        }
+
+        builder.Add(endpointBuilder => { endpointBuilder.Metadata.Add(new SecurityHeadersPolicyMetadata(policyName)); });
+        return builder;
+    }
+}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderOptions.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderOptions.cs
index 957d1a8..7b46203 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderOptions.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderOptions.cs
@@ -7,27 +7,18 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 /// <summary>
 /// Provides programmatic configuration for Security Headers.
 /// </summary>
-[Obsolete("This class is unused since v0.5.0, and will be removed in a future version of the package")]
-public class CustomHeaderOptions
+internal class CustomHeaderOptions
 {
-    private string _defaultPolicyName = "__DefaultSecurityHeadersPolicy";
-
     /// <summary>
     /// The collections of policies to apply
     /// </summary>
     /// <returns>The collection of policies, indexed by header name</returns>
-    public Dictionary<string, HeaderPolicyCollection> PolicyCollections { get; } =
-        new Dictionary<string, HeaderPolicyCollection>();
+    public Dictionary<string, HeaderPolicyCollection> NamedPolicyCollections { get; } = new();
 
     /// <summary>
-    /// Gets or sets the name of the default policy
+    /// The default policy to apply
     /// </summary>
-    /// <returns>The name of the default policy</returns>
-    public string DefaultPolicyName
-    {
-        get => _defaultPolicyName;
-        set => _defaultPolicyName = value ?? throw new ArgumentNullException(nameof(value));
-    }
+    public HeaderPolicyCollection? DefaultPolicy { get; set; }
 
     /// <summary>
     /// Gets the policy based on the <paramref name="name"/>
@@ -41,6 +32,6 @@ public string DefaultPolicyName
             throw new ArgumentNullException(nameof(name));
         }
 
-        return PolicyCollections.ContainsKey(name) ? PolicyCollections[name] : null;
+        return NamedPolicyCollections.GetValueOrDefault(name);
     }
 }
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderService.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderService.cs
index cd30c56..045104e 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderService.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeaderService.cs
@@ -6,9 +6,9 @@
 namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 /// <summary>
-/// Default implementation of <see cref="ICustomHeaderService"/>.
+/// Handles processing of headers
 /// </summary>
-public class CustomHeaderService : ICustomHeaderService
+internal static class CustomHeaderService
 {
     /// <summary>
     /// Evaluates the given <paramref name="policies"/> using the passed in <paramref name="context"/>.
@@ -17,7 +17,7 @@ public class CustomHeaderService : ICustomHeaderService
     /// <param name="policies">The <see cref="HeaderPolicyCollection"/> containing policies to be evaluated.</param>
     /// <returns>A <see cref="CustomHeadersResult"/> which contains the result of policy evaluation and can be
     /// used by the caller to set appropriate response headers.</returns>
-    public virtual CustomHeadersResult EvaluatePolicy(HttpContext context, HeaderPolicyCollection policies)
+    public static CustomHeadersResult EvaluatePolicy(HttpContext context, HeaderPolicyCollection policies)
     {
         if (context == null)
         {
@@ -50,7 +50,7 @@ public virtual CustomHeadersResult EvaluatePolicy(HttpContext context, HeaderPol
     /// </summary>
     /// <param name="response">The <see cref="HttpResponse"/> associated with the current call.</param>
     /// <param name="result">The <see cref="CustomHeadersResult"/> used to read the allowed values.</param>
-    public virtual void ApplyResult(HttpResponse response, CustomHeadersResult result)
+    public static void ApplyResult(HttpResponse response, CustomHeadersResult result)
     {
         if (response == null)
         {
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeadersResult.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeadersResult.cs
index 99235f2..fd065ab 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeadersResult.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/CustomHeadersResult.cs
@@ -3,7 +3,7 @@
 namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 /// <summary>
-/// Results returned by <see cref="ICustomHeaderService"/>
+/// Results returned by <see cref="CustomHeaderService"/>
 /// </summary>
 public class CustomHeadersResult
 {
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ICustomHeaderService.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ICustomHeaderService.cs
deleted file mode 100644
index e2595f5..0000000
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ICustomHeaderService.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http;
-
-namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
-
-/// <summary>
-/// A type which can evaluate a policy for a particular <see cref="HttpContext"/>.
-/// </summary>
-public interface ICustomHeaderService
-{
-    /// <summary>
-    /// Evaluates the given <paramref name="policies"/> using the passed in <paramref name="context"/>.
-    /// </summary>
-    /// <param name="context">The <see cref="HttpContext"/> associated with the call.</param>
-    /// <param name="policies">The <see cref="HeaderPolicyCollection"/> containing policies to be evaluated.</param>
-    /// <returns>A <see cref="CustomHeadersResult"/> which contains the result of policy evaluation and can be
-    /// used by the caller to set appropriate response headers.</returns>
-    CustomHeadersResult EvaluatePolicy(HttpContext context, HeaderPolicyCollection policies);
-
-    /// <summary>
-    /// Adds and removes the required headers to the given <paramref name="response"/>.
-    /// </summary>
-    /// <param name="response">The <see cref="HttpResponse"/> associated with the current call.</param>
-    /// <param name="result">The <see cref="CustomHeadersResult"/> used to read the allowed values.</param>
-    void ApplyResult(HttpResponse response, CustomHeadersResult result);
-}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ISecurityHeadersPolicyMetadata.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ISecurityHeadersPolicyMetadata.cs
new file mode 100644
index 0000000..25d1162
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/ISecurityHeadersPolicyMetadata.cs
@@ -0,0 +1,12 @@
+namespace NetEscapades.AspNetCore.SecurityHeaders;
+
+/// <summary>
+/// Metadata about which policy to apply to and endpoint
+/// </summary>
+internal interface ISecurityHeadersPolicyMetadata
+{
+    /// <summary>
+    /// The name of the policy to apply
+    /// </summary>
+    public string PolicyName { get; }
+}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeaderPolicyBuilder.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeaderPolicyBuilder.cs
new file mode 100644
index 0000000..93b6a7d
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeaderPolicyBuilder.cs
@@ -0,0 +1,73 @@
+using System;
+using Microsoft.AspNetCore.Builder;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
+
+/// <summary>
+/// Used to configure <see cref="HeaderPolicyCollection"/> for security headers
+/// </summary>
+public class SecurityHeaderPolicyBuilder
+{
+    private readonly CustomHeaderOptions _options;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="SecurityHeaderPolicyBuilder"/> class.
+    /// </summary>
+    /// <param name="options">The options where the configuration is stored</param>
+    internal SecurityHeaderPolicyBuilder(CustomHeaderOptions options)
+    {
+        _options = options;
+    }
+
+    /// <summary>
+    /// Adds a security header policy to the application with the given name.
+    /// This name can be used to refer to the policy in endpoints
+    /// </summary>
+    /// <param name="name">The name of the policy </param>
+    /// <param name="configurePolicy">An <see cref="Action{T}"/>to configure the security headers for the policy</param>
+    /// <returns>The <see cref="SecurityHeaderPolicyBuilder"/> for chaining</returns>
+    public SecurityHeaderPolicyBuilder AddPolicy(string name, Action<HeaderPolicyCollection> configurePolicy)
+    {
+        var policyCollection = new HeaderPolicyCollection();
+        configurePolicy(policyCollection);
+        return AddPolicy(name, policyCollection);
+    }
+
+    /// <summary>
+    /// Adds a security header policy to the application with the given name.
+    /// This name can be used to refer to the policy in endpoints
+    /// </summary>
+    /// <param name="name">The name of the policy </param>
+    /// <param name="policyCollection">The security headers for the policy</param>
+    /// <returns>The <see cref="SecurityHeaderPolicyBuilder"/> for chaining</returns>
+    public SecurityHeaderPolicyBuilder AddPolicy(string name, HeaderPolicyCollection policyCollection)
+    {
+        _options.NamedPolicyCollections[name] = policyCollection;
+        return this;
+    }
+
+    /// <summary>
+    /// Sets the default security header policy to use when no other named policy is provided
+    /// This policy is used wherever a named policy does not apply
+    /// </summary>
+    /// <param name="configurePolicy">An <see cref="Action{T}"/>to configure the security headers for the policy</param>
+    /// <returns>The <see cref="SecurityHeaderPolicyBuilder"/> for chaining</returns>
+    public SecurityHeaderPolicyBuilder SetDefaultPolicy(Action<HeaderPolicyCollection> configurePolicy)
+    {
+        var policyCollection = new HeaderPolicyCollection();
+        configurePolicy(policyCollection);
+        return SetDefaultPolicy(policyCollection);
+    }
+
+    /// <summary>
+    /// Adds the default security header policy to the application.
+    /// This policy is used wherever a named policy does not apply
+    /// </summary>
+    /// <param name="policyCollection">The security headers for the policy</param>
+    /// <returns>The <see cref="SecurityHeaderPolicyBuilder"/> for chaining</returns>
+    public SecurityHeaderPolicyBuilder SetDefaultPolicy(HeaderPolicyCollection policyCollection)
+    {
+        _options.DefaultPolicy = policyCollection;
+        return this;
+    }
+}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeadersPolicyMetadata.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeadersPolicyMetadata.cs
new file mode 100644
index 0000000..22b3bcc
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/Infrastructure/SecurityHeadersPolicyMetadata.cs
@@ -0,0 +1,11 @@
+namespace NetEscapades.AspNetCore.SecurityHeaders;
+
+/// <summary>
+/// Creates a new instance of <see cref="SecurityHeadersPolicyMetadata"/> with the specified <paramref name="policyName"/>
+/// </summary>
+/// <param name="policyName">The name of the policy to apply</param>
+internal class SecurityHeadersPolicyMetadata(string policyName) : ISecurityHeadersPolicyMetadata
+{
+    /// <inheritdoc/>
+    public string PolicyName { get; } = policyName;
+}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/NetEscapades.AspNetCore.SecurityHeaders.csproj b/src/NetEscapades.AspNetCore.SecurityHeaders/NetEscapades.AspNetCore.SecurityHeaders.csproj
index d33f76a..3f208e3 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/NetEscapades.AspNetCore.SecurityHeaders.csproj
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/NetEscapades.AspNetCore.SecurityHeaders.csproj
@@ -28,13 +28,7 @@
     </PackageReference>
   </ItemGroup>
 
-  <ItemGroup Condition="'$(TargetFramework)' != 'netcoreapp3.0'">
-    <PackageReference Include="Microsoft.Extensions.Options" Version="2.1.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="2.1.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.0" />
-  </ItemGroup>
-
-  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp3.0'">
+  <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
   </ItemGroup>
 
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs
index 98cc076..331f12a 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs
@@ -3,6 +3,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using NetEscapades.AspNetCore.SecurityHeaders.Headers;
 using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
@@ -11,42 +12,31 @@ namespace NetEscapades.AspNetCore.SecurityHeaders;
 /// <summary>
 /// An ASP.NET Core middleware for adding security headers.
 /// </summary>
-public class SecurityHeadersMiddleware
+internal class SecurityHeadersMiddleware
 {
+    private const string HttpContextKey = "__NetEscapades.AspNetCore.SecurityHeaders";
     private readonly RequestDelegate _next;
-    private readonly HeaderPolicyCollection _policy;
-    private readonly NonceGenerator _nonceGenerator;
-    private readonly bool _mustGenerateNonce;
+    private readonly ILogger<SecurityHeadersMiddleware> _logger;
+    private readonly CustomHeaderOptions? _options;
+    private readonly HeaderPolicyCollection _defaultPolicy;
+    private readonly NonceGenerator? _nonceGenerator;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="SecurityHeadersMiddleware"/> class.
     /// </summary>
     /// <param name="next">The next middleware in the pipeline.</param>
-    /// <param name="service">An instance of <see cref="ICustomHeaderService"/>.</param>
-    /// <param name="policies">A <see cref="HeaderPolicyCollection"/> containing the policies to be applied.</param>
-    public SecurityHeadersMiddleware(RequestDelegate next, ICustomHeaderService service, HeaderPolicyCollection policies)
-        : this(next, service, policies, new NonceGenerator())
-    {
-        _mustGenerateNonce = MustGenerateNonce(_policy);
-    }
-
-    /// <summary>
-    /// Initializes a new instance of the <see cref="SecurityHeadersMiddleware"/> class.
-    /// </summary>
-    /// <param name="next">The next middleware in the pipeline.</param>
-    /// <param name="service">An instance of <see cref="ICustomHeaderService"/>.</param>
-    /// <param name="policies">A <see cref="HeaderPolicyCollection"/> containing the policies to be applied.</param>
-    /// <param name="nonceGenerator">Used to generate nonce (number used once) values for headers</param>
-    internal SecurityHeadersMiddleware(RequestDelegate next, ICustomHeaderService service, HeaderPolicyCollection policies, NonceGenerator nonceGenerator)
+    /// <param name="logger">A logger for recording errors.</param>
+    /// <param name="options">Options on how to control the settings that are applied</param>
+    /// <param name="defaultPolicy">A <see cref="HeaderPolicyCollection"/> containing the policies to be applied.</param>
+    public SecurityHeadersMiddleware(RequestDelegate next, ILogger<SecurityHeadersMiddleware> logger, CustomHeaderOptions? options, HeaderPolicyCollection defaultPolicy)
     {
         _next = next ?? throw new ArgumentNullException(nameof(next));
-        CustomHeaderService = service ?? throw new ArgumentNullException(nameof(service));
-        _policy = policies ?? throw new ArgumentNullException(nameof(policies));
-        _nonceGenerator = nonceGenerator ?? throw new ArgumentException(nameof(nonceGenerator));
+        _logger = logger;
+        _options = options;
+        _defaultPolicy = defaultPolicy ?? throw new ArgumentNullException(nameof(defaultPolicy));
+        _nonceGenerator = MustGenerateNonce(_defaultPolicy) ? new() : null;
     }
 
-    private ICustomHeaderService CustomHeaderService { get; }
-
     /// <summary>
     /// Invoke the middleware
     /// </summary>
@@ -54,32 +44,58 @@ internal SecurityHeadersMiddleware(RequestDelegate next, ICustomHeaderService se
     /// <returns>A <see cref="Task"/> representing the asynchronous operation.</returns>
     public async Task Invoke(HttpContext context)
     {
-        if (context == null)
+        // Policy resolution rules:
+        //
+        // 1. If there is an endpoint with a named policy, then fetch that policy
+        // 2. Use the provided default policy
+        var endpoint = context.GetEndpoint();
+        var metadata = endpoint?.Metadata.GetMetadata<ISecurityHeadersPolicyMetadata>();
+
+        HeaderPolicyCollection policy = _defaultPolicy;
+
+        if (!string.IsNullOrEmpty(metadata?.PolicyName))
         {
-            throw new ArgumentNullException(nameof(context));
+            if (_options?.GetPolicy(metadata.PolicyName) is { } namedPolicy)
+            {
+                policy = namedPolicy;
+            }
+            else
+            {
+                // log that we couldn't find the policy
+                _logger.LogWarning(
+                    "Error configuring security headers middleware: policy '{PolicyName}' could not be found. "
+                    + "Configure the policies for your application by calling AddSecurityHeaderPolicies() on IServiceCollection "
+                    + "and adding a policy with the required name. Using default policy for request",
+                    metadata.PolicyName);
+            }
         }
 
-        if (_mustGenerateNonce)
+        if (context.Items[HttpContextKey] is null)
         {
-            context.SetNonce(_nonceGenerator.GetNonce(Constants.DefaultBytesInNonce));
+            context.Response.OnStarting(OnResponseStarting, context);
+            if (_nonceGenerator is not null)
+            {
+                context.SetNonce(_nonceGenerator.GetNonce(Constants.DefaultBytesInNonce));
+            }
         }
 
-        context.Response.OnStarting(OnResponseStarting, Tuple.Create(this, context, _policy));
+        // Write into the context, so that subsequent requests can "overwrite" it
+        context.Items[HttpContextKey] = policy;
+
         await _next(context);
     }
 
     private static Task OnResponseStarting(object state)
     {
-        var (middleware, context, policy) = (Tuple<SecurityHeadersMiddleware, HttpContext, HeaderPolicyCollection>)state;
+        var context = (HttpContext)state;
 
-        var result = middleware.CustomHeaderService.EvaluatePolicy(context, policy);
-        middleware.CustomHeaderService.ApplyResult(context.Response, result);
+        if (context.Items[HttpContextKey] is HeaderPolicyCollection policy)
+        {
+            var result = CustomHeaderService.EvaluatePolicy(context, policy);
+            CustomHeaderService.ApplyResult(context.Response, result);
+        }
 
-#if NET451
-            return Task.FromResult(true);
-#else
         return Task.CompletedTask;
-#endif
     }
 
     private static bool MustGenerateNonce(HeaderPolicyCollection policy)
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddlewareExtensions.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddlewareExtensions.cs
index 4184cbd..527c949 100644
--- a/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddlewareExtensions.cs
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddlewareExtensions.cs
@@ -1,4 +1,6 @@
 using System;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using NetEscapades.AspNetCore.SecurityHeaders;
 using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
@@ -14,7 +16,7 @@ public static class SecurityHeadersMiddlewareExtensions
     /// Adds middleware to your web application pipeline to automatically add security headers to requests
     /// </summary>
     /// <param name="app">The IApplicationBuilder passed to your Configure method.</param>
-    /// <param name="policies">A configured policy collection.</param>
+    /// <param name="policies">A configured policy collection to use by default.</param>
     /// <returns>The original app parameter</returns>
     public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, HeaderPolicyCollection policies)
     {
@@ -28,9 +30,8 @@ public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder ap
             throw new ArgumentNullException(nameof(policies));
         }
 
-        var service = app.ApplicationServices.GetService(typeof(ICustomHeaderService)) ?? new CustomHeaderService();
-
-        return app.UseMiddleware<SecurityHeadersMiddleware>(service, policies);
+        var options = (CustomHeaderOptions)app.ApplicationServices.GetService(typeof(CustomHeaderOptions));
+        return app.UseSecurityHeaders(options, policies);
     }
 
     /// <summary>
@@ -61,6 +62,53 @@ public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder ap
     /// <returns>The original app parameter</returns>
     public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
     {
-        return app.UseSecurityHeaders(policies => policies.AddDefaultSecurityHeaders());
+        if (app == null)
+        {
+            throw new ArgumentNullException(nameof(app));
+        }
+
+        var options = app.ApplicationServices.GetService(typeof(CustomHeaderOptions)) as CustomHeaderOptions;
+        var policy = options?.DefaultPolicy ?? new HeaderPolicyCollection().AddDefaultSecurityHeaders();
+
+        return app.UseSecurityHeaders(options, policy);
+    }
+
+    /// <summary>
+    /// Adds middleware to your web application pipeline using the specified policy by default.
+    /// </summary>
+    /// <param name="app">The IApplicationBuilder passed to your Configure method.</param>
+    /// <param name="policyName">The name of the policy to apply</param>
+    /// <returns>The original app parameter</returns>
+    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, string policyName)
+    {
+        if (app == null)
+        {
+            throw new ArgumentNullException(nameof(app));
+        }
+
+        if (string.IsNullOrEmpty(policyName))
+        {
+            throw new ArgumentNullException(nameof(policyName));
+        }
+
+        var options = app.ApplicationServices.GetService(typeof(CustomHeaderOptions)) as CustomHeaderOptions;
+        var policy = options?.GetPolicy(policyName);
+        if (policy is null)
+        {
+            var log = ((ILoggerFactory)app.ApplicationServices.GetRequiredService(typeof(ILoggerFactory))).CreateLogger(typeof(SecurityHeadersMiddlewareExtensions));
+            log.LogWarning(
+                "Error configuring security headers middleware: policy '{PolicyName}' could not be found. "
+                + "Configure the policies for your application by calling AddSecurityHeaderPolicies() on IServiceCollection "
+                + "and adding a policy with the required name.",
+                policyName);
+            return app;
+        }
+
+        return app.UseSecurityHeaders(options, policy);
+    }
+
+    private static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, CustomHeaderOptions? options, HeaderPolicyCollection policies)
+    {
+        return app.UseMiddleware<SecurityHeadersMiddleware>(options ?? new CustomHeaderOptions(), policies);
     }
 }
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersPolicyAttribute.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersPolicyAttribute.cs
new file mode 100644
index 0000000..f1b5566
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersPolicyAttribute.cs
@@ -0,0 +1,13 @@
+using System;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders;
+
+/// <summary>
+/// Adds a security headers policy with the provided policy name to the endpoint(s).
+/// </summary>
+/// <param name="policyName">The security headers policy to use.</param>
+public class SecurityHeadersPolicyAttribute(string policyName) : Attribute, ISecurityHeadersPolicyMetadata
+{
+    /// <inheritdoc/>
+    public string PolicyName { get; } = policyName;
+}
\ No newline at end of file
diff --git a/src/NetEscapades.AspNetCore.SecurityHeaders/ServiceCollectionExtensions.cs b/src/NetEscapades.AspNetCore.SecurityHeaders/ServiceCollectionExtensions.cs
new file mode 100644
index 0000000..e8e0eef
--- /dev/null
+++ b/src/NetEscapades.AspNetCore.SecurityHeaders/ServiceCollectionExtensions.cs
@@ -0,0 +1,28 @@
+using System;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
+
+// ReSharper disable once CheckNamespace
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// Extension methods for setting up security header services in an <see cref="IServiceCollection" />.
+/// </summary>
+public static class ServiceCollectionExtensions
+{
+    /// <summary>
+    /// Creates a builder for configuring security header policies.
+    /// </summary>
+    /// <param name="services">The <see cref="IServiceCollection" /> to add services to.</param>
+    /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+    public static SecurityHeaderPolicyBuilder AddSecurityHeaderPolicies(this IServiceCollection services)
+    {
+        if (services == null)
+        {
+            throw new ArgumentNullException(nameof(services));
+        }
+
+        var options = new CustomHeaderOptions();
+        services.AddSingleton(options);
+        return new SecurityHeaderPolicyBuilder(options);
+    }
+}
\ No newline at end of file
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HeaderAssertionHelpers.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HeaderAssertionHelpers.cs
new file mode 100644
index 0000000..1eab150
--- /dev/null
+++ b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HeaderAssertionHelpers.cs
@@ -0,0 +1,44 @@
+using System.Linq;
+using System.Net.Http.Headers;
+using FluentAssertions;
+using NetEscapades.AspNetCore.SecurityHeaders.Headers;
+using Xunit;
+
+namespace NetEscapades.AspNetCore.SecurityHeaders.Test;
+
+public static class HeaderAssertionHelpers
+{
+    public static void AssertHttpRequestDefaultSecurityHeaders(this HttpResponseHeaders headers)
+    {
+        string header = headers.GetValues("X-Content-Type-Options").FirstOrDefault()!;
+        header.Should().Be("nosniff");
+        header = headers.GetValues("X-Frame-Options").FirstOrDefault()!;
+        header.Should().Be("DENY");
+        header = headers.GetValues("Referrer-Policy").FirstOrDefault()!;
+        header.Should().Be("strict-origin-when-cross-origin");
+        header = headers.GetValues("Content-Security-Policy").FirstOrDefault()!;
+        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
+
+        Assert.False(headers.Contains("Server"),
+            "Should not contain server header");
+        Assert.False(headers.Contains("Strict-Transport-Security"),
+            "Should not contain Strict-Transport-Security header over http");
+    }
+
+    public static void AssertSecureRequestDefaultSecurityHeaders(this HttpResponseHeaders headers)
+    {
+        string header = headers.GetValues("X-Content-Type-Options").FirstOrDefault()!;
+        header.Should().Be("nosniff");
+        header = headers.GetValues("X-Frame-Options").FirstOrDefault()!;
+        header.Should().Be("DENY");
+        header = headers.GetValues("Strict-Transport-Security").FirstOrDefault()!;
+        header.Should().Be($"max-age={StrictTransportSecurityHeader.OneYearInSeconds}");
+        header = headers.GetValues("Referrer-Policy").FirstOrDefault()!;
+        header.Should().Be("strict-origin-when-cross-origin");
+        header = headers.GetValues("Content-Security-Policy").FirstOrDefault()!;
+        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
+
+        Assert.False(headers.Contains("Server"),
+            "Should not contain server header");
+    }
+}
\ No newline at end of file
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpSecurityHeadersMiddlewareFunctionalTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpSecurityHeadersMiddlewareFunctionalTests.cs
index c49da14..6b7f6b9 100644
--- a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpSecurityHeadersMiddlewareFunctionalTests.cs
+++ b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpSecurityHeadersMiddlewareFunctionalTests.cs
@@ -3,12 +3,14 @@
 using System.Net.Http;
 using System.Threading.Tasks;
 using FluentAssertions;
+using NetEscapades.AspNetCore.SecurityHeaders.Test;
 using Xunit;
 
 namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 public class HttpSecurityHeadersMiddlewareFunctionalTests : IClassFixture<HttpSecurityHeadersTestFixture<SecurityHeadersMiddlewareWebSite.Startup>>
 {
+    private const string EchoPath = "/SecurityHeadersMiddleware/EC6AA70D-BA3E-4B71-A87F-18625ADDB2BD";
     public HttpSecurityHeadersMiddlewareFunctionalTests(HttpSecurityHeadersTestFixture<SecurityHeadersMiddlewareWebSite.Startup> fixture)
     {
         Client = fixture.Client;
@@ -17,14 +19,14 @@ public HttpSecurityHeadersMiddlewareFunctionalTests(HttpSecurityHeadersTestFixtu
     public HttpClient Client { get; }
 
     [Theory]
-    [InlineData("GET")]
-    [InlineData("HEAD")]
-    [InlineData("POST")]
-    [InlineData("PUT")]
-    public async Task AllMethods_AddSecurityHeaders_ExceptStrict(string method)
+    [InlineData("GET", EchoPath)]
+    [InlineData("HEAD", EchoPath)]
+    [InlineData("POST", EchoPath)]
+    [InlineData("PUT", EchoPath)]
+    [InlineData("GET", "/api/index")]
+    public async Task AllMethods_AddSecurityHeaders_ExceptStrict(string method, string path)
     {
         // Arrange
-        var path = "/SecurityHeadersMiddleware/EC6AA70D-BA3E-4B71-A87F-18625ADDB2BD";
         var request = new HttpRequestMessage(new HttpMethod(method), path);
 
         // Act
@@ -34,18 +36,30 @@ public async Task AllMethods_AddSecurityHeaders_ExceptStrict(string method)
         response.StatusCode.Should().Be(HttpStatusCode.OK);
         var content = await response.Content.ReadAsStringAsync();
         content.Should().Be(path);
-        var responseHeaders = response.Headers;
-        var header = response.Headers.GetValues("X-Content-Type-Options").FirstOrDefault();
-        header.Should().Be("nosniff");
-        header = response.Headers.GetValues("X-Frame-Options").FirstOrDefault();
-        header.Should().Be("DENY");
-        header = response.Headers.GetValues("Referrer-Policy").FirstOrDefault();
-        header.Should().Be("strict-origin-when-cross-origin");
-        header = response.Headers.GetValues("Content-Security-Policy").FirstOrDefault();
-        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
+        response.Headers.AssertHttpRequestDefaultSecurityHeaders();
 
         //http so no Strict transport
-        responseHeaders.Should().NotContain(x => x.Key == "Strict-Transport-Security");
-        responseHeaders.Should().NotContain(x => x.Key == "Server");
+        response.Headers.Should().NotContain(x => x.Key == "Strict-Transport-Security");
+        response.Headers.Should().NotContain(x => x.Key == "Server");
+    }
+
+    [Theory]
+    [InlineData("/custom", "Hello World!")]
+    [InlineData("/api/custom", "Hello Controller!")]
+    public async Task WhenUsingEndpoint_Overrides_Default(string path, string expected)
+    {
+        // Arrange
+        // Act
+        var response = await Client.GetAsync(path);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var content = await response.Content.ReadAsStringAsync();
+        content.Should().Be(expected);
+
+        // no security headers
+        response.Headers.Should().NotContain("X-Frame-Options");
+        response.Headers.TryGetValues("Custom-Header", out var customHeader).Should().BeTrue();
+        customHeader.Should().ContainSingle("MyValue");
     }
 }
\ No newline at end of file
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpsSecurityHeadersMiddlewareFunctionalTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpsSecurityHeadersMiddlewareFunctionalTests.cs
index 15cad76..fb89769 100644
--- a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpsSecurityHeadersMiddlewareFunctionalTests.cs
+++ b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/HttpsSecurityHeadersMiddlewareFunctionalTests.cs
@@ -4,6 +4,7 @@
 using System.Threading.Tasks;
 using FluentAssertions;
 using NetEscapades.AspNetCore.SecurityHeaders.Headers;
+using NetEscapades.AspNetCore.SecurityHeaders.Test;
 using Xunit;
 
 
@@ -11,6 +12,7 @@ namespace NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 public class HttpsSecurityHeadersMiddlewareFunctionalTests : IClassFixture<HttpsSecurityHeadersTestFixture<SecurityHeadersMiddlewareWebSite.Startup>>
 {
+    private const string EchoPath = "/SecurityHeadersMiddleware/BG36A632-C4D2-4B71-B2BD-18625ADDA87F";
     public HttpsSecurityHeadersMiddlewareFunctionalTests(HttpsSecurityHeadersTestFixture<SecurityHeadersMiddlewareWebSite.Startup> fixture)
     {
         Client = fixture.Client;
@@ -19,14 +21,14 @@ public HttpsSecurityHeadersMiddlewareFunctionalTests(HttpsSecurityHeadersTestFix
     public HttpClient Client { get; }
 
     [Theory]
-    [InlineData("GET")]
-    [InlineData("HEAD")]
-    [InlineData("POST")]
-    [InlineData("PUT")]
-    public async Task AllMethods_AddSecurityHeaders_IncludingStrict(string method)
+    [InlineData("GET", EchoPath)]
+    [InlineData("HEAD", EchoPath)]
+    [InlineData("POST", EchoPath)]
+    [InlineData("PUT", EchoPath)]
+    [InlineData("GET", "/api/index")]
+    public async Task AllMethods_AddSecurityHeaders_IncludingStrict(string method, string path)
     {
         // Arrange
-        var path = "/SecurityHeadersMiddleware/BG36A632-C4D2-4B71-B2BD-18625ADDA87F";
         var request = new HttpRequestMessage(new HttpMethod(method), path);
 
         // Act
@@ -38,17 +40,27 @@ public async Task AllMethods_AddSecurityHeaders_IncludingStrict(string method)
         Assert.Equal(path, content);
         var responseHeaders = response.Headers;
 
-        var header = response.Headers.GetValues("X-Content-Type-Options").FirstOrDefault();
-        header.Should().Be("nosniff");
-        header = response.Headers.GetValues("X-Frame-Options").FirstOrDefault();
-        header.Should().Be("DENY");
-        header = response.Headers.GetValues("Referrer-Policy").FirstOrDefault();
-        header.Should().Be("strict-origin-when-cross-origin");
-        header = response.Headers.GetValues("Strict-Transport-Security").FirstOrDefault();
-        header.Should().Be($"max-age={StrictTransportSecurityHeader.OneYearInSeconds}");
-        header = response.Headers.GetValues("Content-Security-Policy").FirstOrDefault();
-        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
-
+        responseHeaders.AssertSecureRequestDefaultSecurityHeaders();
         responseHeaders.Should().NotContain(x => x.Key == "Server");
     }
+
+    [Theory]
+    [InlineData("/custom", "Hello World!")]
+    [InlineData("/api/custom", "Hello Controller!")]
+    public async Task WhenUsingEndpoint_Overrides_Default(string path, string expected)
+    {
+        // Arrange
+        // Act
+        var response = await Client.GetAsync(path);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var content = await response.Content.ReadAsStringAsync();
+        content.Should().Be(expected);
+
+        // no security headers
+        response.Headers.Should().NotContain("X-Frame-Options");
+        response.Headers.TryGetValues("Custom-Header", out var customHeader).Should().BeTrue();
+        customHeader.Should().ContainSingle("MyValue");
+    }
 }
\ No newline at end of file
diff --git a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/SecurityHeadersMiddlewareTests.cs b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/SecurityHeadersMiddlewareTests.cs
index 361d9ce..06d65b0 100644
--- a/test/NetEscapades.AspNetCore.SecurityHeaders.Test/SecurityHeadersMiddlewareTests.cs
+++ b/test/NetEscapades.AspNetCore.SecurityHeaders.Test/SecurityHeadersMiddlewareTests.cs
@@ -1,13 +1,12 @@
 using System;
 using System.Linq;
-using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using FluentAssertions;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.TestHost;
-using NetEscapades.AspNetCore.SecurityHeaders.Headers;
+using Microsoft.Extensions.DependencyInjection;
 using Xunit;
 
 namespace NetEscapades.AspNetCore.SecurityHeaders.Test;
@@ -42,7 +41,7 @@ public async Task HttpRequest_WithDefaultSecurityHeaders_SetsSecurityHeaders()
             response.EnsureSuccessStatusCode();
 
             (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
-            AssertHttpRequestDefaultSecurityHeaders(response.Headers);
+            response.Headers.AssertHttpRequestDefaultSecurityHeaders();
         }
     }
 
@@ -72,7 +71,135 @@ public async Task HttpRequest_WithDefaultSecurityHeadersUsingConfigureAction_Set
             response.EnsureSuccessStatusCode();
 
             (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
-            AssertHttpRequestDefaultSecurityHeaders(response.Headers);
+            response.Headers.AssertHttpRequestDefaultSecurityHeaders();
+        }
+    }
+
+    [Fact]
+    public async Task HttpRequest_WithDefaultSecurityHeaders_WithNoExtraConfiguration_SetsSecurityHeaders()
+    {
+        // Arrange
+        var hostBuilder = new WebHostBuilder()
+            .Configure(app =>
+            {
+                app.UseSecurityHeaders();
+                app.Run(async context =>
+                {
+                    context.Response.ContentType = "text/html";
+                    await context.Response.WriteAsync("Test response");
+                });
+            });
+
+        using (var server = new TestServer(hostBuilder))
+        {
+            // Act
+            // Actual request.
+            var response = await server.CreateRequest("/")
+                .SendAsync("PUT");
+
+            // Assert
+            response.EnsureSuccessStatusCode();
+
+            (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
+            response.Headers.AssertHttpRequestDefaultSecurityHeaders();
+        }
+    }
+    
+    [Fact]
+    public async Task HttpRequest_WithDefaultSecurityHeaders_WithNamedPolicy_SetsSecurityHeaders()
+    {
+        var policyName = "default";
+
+        // Arrange
+        var hostBuilder = new WebHostBuilder()
+            .ConfigureServices(s => s.AddSecurityHeaderPolicies()
+                .AddPolicy(policyName, p => p.AddDefaultSecurityHeaders()))
+            .Configure(app =>
+            {
+                app.UseSecurityHeaders(policyName);
+                app.Run(async context =>
+                {
+                    context.Response.ContentType = "text/html";
+                    await context.Response.WriteAsync("Test response");
+                });
+            });
+
+        using (var server = new TestServer(hostBuilder))
+        {
+            // Act
+            // Actual request.
+            var response = await server.CreateRequest("/")
+                .SendAsync("PUT");
+
+            // Assert
+            response.EnsureSuccessStatusCode();
+
+            (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
+            response.Headers.AssertHttpRequestDefaultSecurityHeaders();
+        }
+    }
+    
+    [Fact]
+    public async Task HttpRequest_WithDefaultSecurityHeaders_WithUnknownNamedPolicy_DoesNotSetHeaders()
+    {
+        // Arrange
+        var hostBuilder = new WebHostBuilder()
+            .Configure(app =>
+            {
+                app.UseSecurityHeaders("Unknown name");
+                app.Run(async context =>
+                {
+                    context.Response.ContentType = "text/html";
+                    await context.Response.WriteAsync("Test response");
+                });
+            });
+
+        using (var server = new TestServer(hostBuilder))
+        {
+            // Act
+            // Actual request.
+            var response = await server.CreateRequest("/")
+                .SendAsync("PUT");
+
+            // Assert
+            response.EnsureSuccessStatusCode();
+
+            (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
+            response.Headers.TryGetValues("X-Frame-Options", out _).Should().BeFalse();
+        }
+    }
+    
+    [Fact]
+    public async Task HttpRequest_WithDefaultSecurityHeaders_WithConfiguredDefaultPolicy_SetsCustomHeaders()
+    {
+        // Arrange
+        var hostBuilder = new WebHostBuilder()
+            .ConfigureServices(s => s.AddSecurityHeaderPolicies()
+                .SetDefaultPolicy(p => p.AddCustomHeader("Custom-Value", "MyValue")))
+            .Configure(app =>
+            {
+                app.UseSecurityHeaders();
+                app.Run(async context =>
+                {
+                    context.Response.ContentType = "text/html";
+                    await context.Response.WriteAsync("Test response");
+                });
+            });
+
+        using (var server = new TestServer(hostBuilder))
+        {
+            // Act
+            // Actual request.
+            var response = await server.CreateRequest("/")
+                .SendAsync("PUT");
+
+            // Assert
+            response.EnsureSuccessStatusCode();
+
+            (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
+            response.Headers.TryGetValues("X-Frame-Options", out _).Should().BeFalse();
+            response.Headers.TryGetValues("Custom-Value", out var h).Should().BeTrue();
+            h.Should().ContainSingle("MyValue");
         }
     }
 
@@ -106,7 +233,7 @@ public async Task SecureRequest_WithDefaultSecurityHeaders_WhenNotOnLocalhost_Se
             response.EnsureSuccessStatusCode();
 
             (await response.Content.ReadAsStringAsync()).Should().Be("Test response");
-            AssertSecureRequestDefaultSecurityHeaders(response.Headers);
+            response.Headers.AssertSecureRequestDefaultSecurityHeaders();
         }
     }
 
@@ -1835,38 +1962,4 @@ public async Task HttpRequest_WithReportingEndpoints_SetsHeader()
             header.Should().Be("default=\"https://localhost:5000/default\", endpoint-1=\"http://localhost/endpoint-1\"");
         }
     }
-
-    private static void AssertHttpRequestDefaultSecurityHeaders(HttpResponseHeaders headers)
-    {
-        string header = headers.GetValues("X-Content-Type-Options").FirstOrDefault()!;
-        header.Should().Be("nosniff");
-        header = headers.GetValues("X-Frame-Options").FirstOrDefault()!;
-        header.Should().Be("DENY");
-        header = headers.GetValues("Referrer-Policy").FirstOrDefault()!;
-        header.Should().Be("strict-origin-when-cross-origin");
-        header = headers.GetValues("Content-Security-Policy").FirstOrDefault()!;
-        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
-
-        Assert.False(headers.Contains("Server"),
-            "Should not contain server header");
-        Assert.False(headers.Contains("Strict-Transport-Security"),
-            "Should not contain Strict-Transport-Security header over http");
-    }
-
-    private static void AssertSecureRequestDefaultSecurityHeaders(HttpResponseHeaders headers)
-    {
-        string header = headers.GetValues("X-Content-Type-Options").FirstOrDefault()!;
-        header.Should().Be("nosniff");
-        header = headers.GetValues("X-Frame-Options").FirstOrDefault()!;
-        header.Should().Be("DENY");
-        header = headers.GetValues("Strict-Transport-Security").FirstOrDefault()!;
-        header.Should().Be($"max-age={StrictTransportSecurityHeader.OneYearInSeconds}");
-        header = headers.GetValues("Referrer-Policy").FirstOrDefault()!;
-        header.Should().Be("strict-origin-when-cross-origin");
-        header = headers.GetValues("Content-Security-Policy").FirstOrDefault()!;
-        header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
-
-        Assert.False(headers.Contains("Server"),
-            "Should not contain server header");
-    }
 }
\ No newline at end of file
diff --git a/test/RazorWebSite/Startup.cs b/test/RazorWebSite/Startup.cs
index 8b3fdbf..721e4b9 100644
--- a/test/RazorWebSite/Startup.cs
+++ b/test/RazorWebSite/Startup.cs
@@ -1,7 +1,9 @@
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
+using NetEscapades.AspNetCore.SecurityHeaders;
 
 namespace RazorWebSite;
 
@@ -11,6 +13,11 @@ public class Startup
     public void ConfigureServices(IServiceCollection services)
     {
         services.AddMvc();
+        services.AddSecurityHeaderPolicies()
+            .AddPolicy("CustomHeader", policy =>
+            {
+                policy.AddCustomHeader("Custom-Header", "MyValue");
+            });
     }
 
     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
@@ -45,12 +52,16 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
                 builder.AddStyleSrc().From("*").WithHashTagHelper().UnsafeHashes();
             })
             .RemoveServerHeader();
-
-
         app.UseSecurityHeaders(policyCollection);
 
         app.UseStaticFiles();
         app.UseRouting();
-        app.UseEndpoints(endpoints => { endpoints.MapRazorPages(); });
+        app.UseSecurityHeaders(policyCollection);
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapRazorPages();
+            endpoints.MapGet("/api", context => context.Response.WriteAsync("ping-pong"))
+                .WithSecurityHeadersPolicy("CustomHeader");
+        });
     }
 }
\ No newline at end of file
diff --git a/test/SecurityHeadersMiddlewareWebSite/EchoMiddleware.cs b/test/SecurityHeadersMiddlewareWebSite/EchoMiddleware.cs
deleted file mode 100644
index 31c97dc..0000000
--- a/test/SecurityHeadersMiddlewareWebSite/EchoMiddleware.cs
+++ /dev/null
@@ -1,34 +0,0 @@
-using System;
-using System.Text;
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Http;
-
-namespace SecurityHeadersMiddlewareWebSite;
-
-public class EchoMiddleware
-{
-    /// <summary>
-    /// Instantiates a new <see cref="EchoMiddleware"/>.
-    /// </summary>
-    /// <param name="next">The next middleware in the pipeline.</param>
-    public EchoMiddleware(RequestDelegate next)
-    {
-    }
-
-    /// <summary>
-    /// Echo the request's path in the response. Does not invoke later middleware in the pipeline.
-    /// </summary>
-    /// <param name="context">The <see cref="HttpContext"/> of the current request.</param>
-    /// <returns>A <see cref="Task"/> that completes when writing to the response is done.</returns>
-    public Task Invoke(HttpContext context)
-    {
-        if (context == null)
-        {
-            throw new ArgumentNullException(nameof(context));
-        }
-
-        context.Response.ContentType = "text/html; charset=utf-8";
-        var path = context.Request.PathBase + context.Request.Path + context.Request.QueryString;
-        return context.Response.WriteAsync(path, Encoding.UTF8);
-    }
-}
\ No newline at end of file
diff --git a/test/SecurityHeadersMiddlewareWebSite/HomeController.cs b/test/SecurityHeadersMiddlewareWebSite/HomeController.cs
new file mode 100644
index 0000000..10f9d19
--- /dev/null
+++ b/test/SecurityHeadersMiddlewareWebSite/HomeController.cs
@@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Mvc;
+using NetEscapades.AspNetCore.SecurityHeaders;
+
+namespace SecurityHeadersMiddlewareWebSite;
+
+public class HomeController : ControllerBase
+{
+    [HttpGet("/api/index")]
+    public IActionResult Index()
+    {
+        return Content("/api/index", "text/html");
+    }
+
+    [HttpGet("/api/custom"), SecurityHeadersPolicy("CustomHeader")]
+    public string Custom() => "Hello Controller!";
+}
\ No newline at end of file
diff --git a/test/SecurityHeadersMiddlewareWebSite/Project_Readme.html b/test/SecurityHeadersMiddlewareWebSite/Project_Readme.html
deleted file mode 100644
index bddf864..0000000
--- a/test/SecurityHeadersMiddlewareWebSite/Project_Readme.html
+++ /dev/null
@@ -1,187 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="utf-8" />
-    <title>Welcome to ASP.NET Core</title>
-    <style>
-        html {
-            background: #f1f1f1;
-            height: 100%;
-        }
-
-        body {
-            background: #fff;
-            color: #505050;
-            font: 14px 'Segoe UI', tahoma, arial, helvetica, sans-serif;
-            margin: 1%;
-            min-height: 95.5%;
-            border: 1px solid silver;
-            position: relative;
-        }
-
-        #header {
-            padding: 0;
-        }
-
-            #header h1 {
-                font-size: 44px;
-                font-weight: normal;
-                margin: 0;
-                padding: 10px 30px 10px 30px;
-            }
-
-            #header span {
-                margin: 0;
-                padding: 0 30px;
-                display: block;
-            }
-
-            #header p {
-                font-size: 20px;
-                color: #fff;
-                background: #007acc;
-                padding: 0 30px;
-                line-height: 50px;
-                margin-top: 25px;
-
-            }
-
-                #header p a {
-                    color: #fff;
-                    text-decoration: underline;
-                    font-weight: bold;
-                    padding-right: 35px;
-                    background: no-repeat right bottom url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABcAAAAWCAMAAAAcqPc3AAAANlBMVEUAAAAAeswfitI9mthXp91us+KCvuaTx+mjz+2x1u+83PLH4vTR5/ba7Pjj8Pns9fv1+v3////wy3dWAAAAAXRSTlMAQObYZgAAAHxJREFUeNp9kVcSwCAIRMHUYoH7XzaxOxJ9P8oyQ1uIqNPwh3s2aLmIM2YtqrLcQIeQEylhuCeUOlhgve5yoBCfWmlnlgkN4H8ykbpaE7gR03AbUHiwoOxUH9Xp+ubd41p1HF3mBPrfC87BHeTdaB3ceeKL9HGpcvX9zu6+DdMWT9KQPvYAAAAASUVORK5CYII=);
-                }
-
-        #main {
-            padding: 5px 30px;
-            clear: both;
-        }
-
-        .section {
-            width: 21.7%;
-            float: left;
-            margin: 0 0 0 4%;
-        }
-
-            .section h2 {
-                font-size: 13px;
-                text-transform: uppercase;
-                margin: 0;
-                border-bottom: 1px solid silver;
-                padding-bottom: 12px;
-                margin-bottom: 8px;
-            }
-
-            .section.first {
-                margin-left: 0;
-            }
-
-                .section.first h2 {
-                    font-size: 24px;
-                    text-transform: none;
-                    margin-bottom: 25px;
-                    border: none;
-                }
-
-                .section.first li {
-                    border-top: 1px solid silver;
-                    padding: 8px 0;
-                }
-
-            .section.last {
-                margin-right: 0;
-            }
-
-        ul {
-            list-style: none;
-            padding: 0;
-            margin: 0;
-            line-height: 20px;
-        }
-
-        li {
-            padding: 4px 0;
-        }
-
-        a {
-            color: #267cb2;
-            text-decoration: none;
-        }
-
-            a:hover {
-                text-decoration: underline;
-            }
-
-        #footer {
-            clear: both;
-            padding-top: 50px;
-        }
-
-            #footer p {
-                position: absolute;
-                bottom: 10px;
-            }
-    </style>
-</head>
-<body>
-
-    <div id="header">
-        <h1>Welcome to ASP.NET Core</h1>
-        <span>
-            We've made some big updates in this release, so it’s <b>important</b> that you spend
-            a few minutes to learn what’s new.
-        </span>
-        <p>You've created a new ASP.NET Core project. <a href="http://go.microsoft.com/fwlink/?LinkId=518016">Learn what's new</a></p>
-    </div>
-
-    <div id="main">
-        <div class="section first">
-            <h2>This application consists of:</h2>
-            <ul>
-                <li>Sample pages using ASP.NET Core MVC</li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=518007">Gulp</a> and <a href="http://go.microsoft.com/fwlink/?LinkId=518004">Bower</a> for managing client-side libraries</li>
-                <li>Theming using <a href="http://go.microsoft.com/fwlink/?LinkID=398939">Bootstrap</a></li>
-            </ul>
-        </div>
-        <div class="section">
-            <h2>How to</h2>
-            <ul>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=398600">Add a Controller and View</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=699562">Add an appsetting in config and access it in app.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699315">Manage User Secrets using Secret Manager.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699316">Use logging to log a message.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699317">Add packages using NuGet.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699318">Add client packages using Bower.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699319">Target development, staging or production environment.</a></li>
-            </ul>
-        </div>
-        <div class="section">
-            <h2>Overview</h2>
-            <ul>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=518008">Conceptual overview of what is ASP.NET Core</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=699320">Fundamentals of ASP.NET Core such as Startup and middleware.</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=398602">Working with Data</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkId=398603">Security</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=699321">Client side development</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=699322">Develop on different platforms</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=699323">Read more on the documentation site</a></li>
-            </ul>
-        </div>
-        <div class="section last">
-            <h2>Run & Deploy</h2>
-            <ul>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=517851">Run your app</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=517853">Run tools such as EF migrations and more</a></li>
-                <li><a href="http://go.microsoft.com/fwlink/?LinkID=398609">Publish to Microsoft Azure Web Apps</a></li>
-            </ul>
-        </div>
-
-        <div id="footer">
-            <p>We would love to hear your <a href="http://go.microsoft.com/fwlink/?LinkId=518015">feedback</a></p>
-        </div>
-    </div>
-
-</body>
-</html>
diff --git a/test/SecurityHeadersMiddlewareWebSite/Startup.cs b/test/SecurityHeadersMiddlewareWebSite/Startup.cs
index 4e56221..6312e21 100644
--- a/test/SecurityHeadersMiddlewareWebSite/Startup.cs
+++ b/test/SecurityHeadersMiddlewareWebSite/Startup.cs
@@ -1,6 +1,9 @@
-using Microsoft.AspNetCore.Builder;
+using System.Text;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
+using NetEscapades.AspNetCore.SecurityHeaders;
 
 namespace SecurityHeadersMiddlewareWebSite;
 
@@ -8,12 +11,33 @@ public class Startup
 {
     public void ConfigureServices(IServiceCollection services)
     {
+        services.AddControllers();
+        services.AddSecurityHeaderPolicies()
+            .AddPolicy("CustomHeader", policy =>
+            {
+                policy.AddCustomHeader("Custom-Header", "MyValue");
+            });
     }
 
     public void Configure(IApplicationBuilder app)
     {
         app.UseSecurityHeaders();
-        app.UseMiddleware<EchoMiddleware>();
+        app.UseRouting();
+        app.UseSecurityHeaders();
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapGet("/custom", context => context.Response.WriteAsync("Hello World!"))
+                .WithSecurityHeadersPolicy("CustomHeader");
+
+            endpoints.MapFallback(context =>
+            {
+                context.Response.ContentType = "text/html; charset=utf-8";
+                var path = context.Request.PathBase + context.Request.Path + context.Request.QueryString;
+                return context.Response.WriteAsync(path, Encoding.UTF8);
+            });
+
+            endpoints.MapControllers();
+        });
     }
 
     public static void Main(string[] args)