-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathProgram.cs
More file actions
80 lines (67 loc) · 2.46 KB
/
Program.cs
File metadata and controls
80 lines (67 loc) · 2.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
using SafeWebCore.Builder;
using SafeWebCore.Extensions;
using SafeWebCore.Options;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// -----------------------------------------------------------------------
// SafeWebCore: MVC preset with typed builders and path-based policies.
// -----------------------------------------------------------------------
builder.Services.AddNetSecureHeadersMvcPreset(opts =>
{
// Route CSP reports through Reporting API endpoint groups.
opts.Csp = opts.Csp with { ReportTo = "csp-endpoint" };
opts.ReportingEndpoints.Add(new()
{
Group = "csp-endpoint",
Url = "https://localhost:5001/csp-report"
});
// Override the Referrer-Policy using the typed builder
opts.ReferrerPolicyValue = new ReferrerPolicyBuilder()
.StrictOriginWhenCrossOrigin()
.Build();
// Fine-tune the Permissions-Policy with the typed builder
opts.PermissionsPolicyValue = new PermissionsPolicyBuilder()
.Disable(PermissionsFeature.Camera)
.Disable(PermissionsFeature.Microphone)
.Disable(PermissionsFeature.Payment)
.AllowSelf(PermissionsFeature.Geolocation)
.Build();
// Configure Cross-Origin headers with the typed builder
var crossOrigin = new CrossOriginPolicyBuilder()
.CoepRequireCorp()
.CoopSameOrigin()
.CorpSameOrigin()
.Build();
opts.CoepValue = crossOrigin.Coep;
opts.CoopValue = crossOrigin.Coop;
opts.CorpValue = crossOrigin.Corp;
// Path-based policy: the /public area uses a relaxed CSP in report-only mode
// while the rest of the application enforces the strict policy.
opts.PathPolicies.Add(new PathPolicyOptions
{
PathPrefix = "/public",
Options = new NetSecureHeadersOptions
{
EnableCsp = true,
UseCspReportOnly = true,
ReferrerPolicyValue = "strict-origin-when-cross-origin",
Csp = opts.Csp with { ReportTo = "csp-endpoint" },
ReportingEndpoints =
[
new()
{
Group = "csp-endpoint",
Url = "https://localhost:5001/csp-report"
}
]
}
});
});
var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
// Register security-headers middleware before controllers.
app.UseNetSecureHeaders();
app.UseCspReport();
app.MapDefaultControllerRoute();
app.Run();