Consider a new middleware for the simple security headers.

[blowdart]

Inspired by https://github.com/aspnet/templating/issues/497

• X-Content-Type
• X-Frame-Options
• X-XSS-Protection

But not Content-Security-Policy because that's very app dependent to be on by default, and never ever public-key-pins because that's going away because it sucked.

[mkArtakMSFT]

@muratg, I assume this is going to happen as part of 3.0?

[muratg]

@mkArtakMSFT Yup.

@glennc FYI

[muratg]

@blowdart Would you be OK with a doc instead?

[blowdart]

If it's a middlware then it's not a docs issue @mkArtakMSFT. This is a decision for the MVC team to make on how they want to approach it.