Add Content Security Policy headers for MvpSite and Sugcon2024 (#589)

* Add Content Security Policy headers for MvpSite and Sugcon2024

- Add CSP middleware to MvpSite ASP.NET Core app with allowlisted domains
  for Bootstrap, jQuery, Font Awesome, Google Analytics, Moosend, Sitecore
  Edge, and Content Hub CDNs
- Add CSP headers to Sugcon2024 Next.js config with allowlisted domains
  for Google Analytics, Google Fonts, Font Awesome, YouTube embeds, and
  Sitecore Edge/XM Cloud
- Add supplementary security headers: X-Content-Type-Options, X-Frame-Options,
  Referrer-Policy, and Permissions-Policy for both sites

* Moved to IApplicationBuilder extensions

---------

Co-authored-by: Ivan Lieckens <ivan.lieckens@sitecore.com>

Author: robearlam

.gitignore

@@ -52,4 +52,7 @@ packages/
 xmcloud.plugin.pre-release.json
 
 # developer configs
-appsettings.Development.json
+appsettings.Development.json
+
+# Mac Files
+*DS_Store

headapps/MvpSite/MvpSite.Rendering/Extensions/ApplicationBuilderExtensions.cs

@@ -1,4 +1,6 @@
-using MvpSite.Rendering.Middleware;
+using System.Text;
+using Microsoft.Extensions.Primitives;
+using MvpSite.Rendering.Middleware;
 
 namespace MvpSite.Rendering.Extensions;
 
@@ -21,4 +23,70 @@ public static IApplicationBuilder UseMvpProfileRouting(this IApplicationBuilder
         app.UseMiddleware<MvpProfileRoutingMiddleware>();
         return app;
     }
+
+    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
+    {
+        IApplicationBuilder result = app.Use(static async (context, next) =>
+        {
+            StringBuilder cspBuilder = new();
+            cspBuilder.Append("default-src 'self'; ");
+
+            cspBuilder.Append("script-src 'self' 'unsafe-inline' 'unsafe-eval' ");
+            cspBuilder.Append("https://www.googletagmanager.com ");
+            cspBuilder.Append("https://www.google-analytics.com ");
+            cspBuilder.Append("https://cdn.stat-track.com ");
+            cspBuilder.Append("https://code.jquery.com ");
+            cspBuilder.Append("https://cdn.jsdelivr.net ");
+            cspBuilder.Append("https://stackpath.bootstrapcdn.com ");
+            cspBuilder.Append("https://cdnjs.cloudflare.com ");
+            cspBuilder.Append("https://www.w3.org ");
+            cspBuilder.Append("https://edge.sitecorecloud.io; ");
+
+            cspBuilder.Append("style-src 'self' 'unsafe-inline' ");
+            cspBuilder.Append("https://stackpath.bootstrapcdn.com ");
+            cspBuilder.Append("https://cdnjs.cloudflare.com ");
+            cspBuilder.Append("https://fonts.googleapis.com; ");
+
+            cspBuilder.Append("img-src 'self' data: ");
+            cspBuilder.Append("https://www.googletagmanager.com ");
+            cspBuilder.Append("https://www.google-analytics.com ");
+            cspBuilder.Append("https://*.sitecorecloud.io ");
+            cspBuilder.Append("https://delivery-sitecore.sitecorecontenthub.cloud; ");
+
+            cspBuilder.Append("font-src 'self' ");
+            cspBuilder.Append("https://fonts.gstatic.com ");
+            cspBuilder.Append("https://cdnjs.cloudflare.com; ");
+
+            cspBuilder.Append("connect-src 'self' ");
+            cspBuilder.Append("https://www.google-analytics.com ");
+            cspBuilder.Append("https://www.googletagmanager.com ");
+            cspBuilder.Append("https://cdn.stat-track.com ");
+            cspBuilder.Append("https://edge.sitecorecloud.io ");
+            cspBuilder.Append("https://*.sitecorecloud.io; ");
+
+            cspBuilder.Append("frame-src 'self'; ");
+
+            cspBuilder.Append("frame-ancestors 'self' ");
+            cspBuilder.Append("https://*.sitecorecloud.io; ");
+
+            cspBuilder.Append("base-uri 'self'; ");
+            cspBuilder.Append("form-action 'self'; ");
+            cspBuilder.Append("object-src 'none'");
+
+            context.Response.Headers.ContentSecurityPolicy = new StringValues(cspBuilder.ToString());
+
+            // ReSharper disable once StringLiteralTypo - specific value for X-Content-Type-Options header
+            context.Response.Headers.XContentTypeOptions = new StringValues("nosniff");
+
+            context.Response.Headers.XFrameOptions = new StringValues("SAMEORIGIN");
+
+            context.Response.Headers.Append("Referrer-Policy", "strict-origin-when-cross-origin");
+
+            context.Response.Headers.Append("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+
+            await next(context);
+        });
+
+        return result;
+    }
 }

headapps/MvpSite/MvpSite.Rendering/Program.cs

@@ -19,7 +19,7 @@
 // Values can originate in appsettings.json, from environment variables, and more.
 // https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/
 MvpSiteSettings? sitecoreSettings = builder.Configuration.GetSection(MvpSiteSettings.Key).Get<MvpSiteSettings>();
-PagesOptions? pagesSettings = builder.Configuration.GetSection(PagesOptions.Key).Get<PagesOptions>() ?? new PagesOptions();
+PagesOptions pagesSettings = builder.Configuration.GetSection(PagesOptions.Key).Get<PagesOptions>() ?? new PagesOptions();
 ArgumentNullException.ThrowIfNull(sitecoreSettings);
 
 if (string.IsNullOrWhiteSpace(sitecoreSettings.EdgeContextId))
@@ -101,17 +101,23 @@
 // Configure the HTTP request pipeline
 // When running behind HTTPS termination, set the request scheme according to forwarded protocol headers.
 // Also set the Request IP, so that it can be passed on to the Sitecore Layout Service for tracking and personalization.
-app.UseForwardedHeaders(new ForwardedHeadersOptions()
+app.UseForwardedHeaders(new ForwardedHeadersOptions
 {
     ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
 
+    // ReSharper disable RedundantEmptyObjectOrCollectionInitializer - KnownNetworks and KnownProxies isn't empty by default
     // ReSharper disable once CommentTypo - Actual product name
     // Allow forwarding of headers from Traefik in development & NGINX in k8s
     KnownNetworks = { },
     KnownProxies = { }
+
+    // ReSharper restore RedundantEmptyObjectOrCollectionInitializer - KnownNetworks and KnownProxies isn't empty by default
 });
 app.UseSession();
 
+// Security headers
+app.UseSecurityHeaders();
+
 if (!app.Environment.IsDevelopment())
 {
     app.UseExceptionHandler("/Error");
@@ -172,11 +178,14 @@
     "error",
     new { controller = "Default", action = "Error" });
 
+// ReSharper disable StringLiteralTypo - is a well-known name for a health check endpoint
 app.MapControllerRoute(
     "healthz",
     "healthz",
     new { controller = "Default", action = "Healthz" });
 
+// ReSharper restore StringLiteralTypo - is a well-known name for a health check endpoint
+
 // Map Okta sign-in route.
 app.MapOktaSigninRoute();
 

headapps/MvpSite/XMC-Introduction-MVP.sln.DotSettings

@@ -0,0 +1,3 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/UserRules/=a4f433b8_002Dabcd_002D4e55_002Da08f_002D82e78cef0f0c/@EntryIndexedValue">&lt;Policy&gt;&lt;Descriptor Staticness="Any" AccessRightKinds="Any" Description="Local constants"&gt;&lt;ElementKinds&gt;&lt;Kind Name="LOCAL_CONSTANT" /&gt;&lt;/ElementKinds&gt;&lt;/Descriptor&gt;&lt;Policy Inspect="True" WarnAboutPrefixesAndSuffixes="False" Prefix="" Suffix="" Style="AaBb" /&gt;&lt;/Policy&gt;</s:String>
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=sitecorecloud/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

headapps/Sugcon2024/next.config.ts

@@ -12,6 +12,49 @@ const nextConfig: NextConfig = {
   // Disable the X-Powered-By header. Follows security best practices.
   poweredByHeader: false,
 
+  // Security headers including Content Security Policy
+  headers: async () => {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Content-Security-Policy',
+            value: [
+              "default-src 'self'",
+              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://edge.sitecorecloud.io",
+              "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com",
+              "img-src 'self' data: blob: https://edge.sitecorecloud.io https://*.sitecorecloud.io https://*.sugcon.events https://www.googletagmanager.com https://www.google-analytics.com",
+              "font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com",
+              "connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com https://edge.sitecorecloud.io https://edge-platform.sitecorecloud.io https://*.sitecorecloud.io",
+              "frame-src 'self' https://www.youtube.com",
+              "frame-ancestors 'self' https://*.sitecorecloud.io https://pages.sitecorecloud.io",
+              "base-uri 'self'",
+              "form-action 'self'",
+              "object-src 'none'",
+            ].join('; '),
+          },
+          {
+            key: 'X-Content-Type-Options',
+            value: 'nosniff',
+          },
+          {
+            key: 'X-Frame-Options',
+            value: 'SAMEORIGIN',
+          },
+          {
+            key: 'Referrer-Policy',
+            value: 'strict-origin-when-cross-origin',
+          },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=()',
+          },
+        ],
+      },
+    ];
+  },
+
   // use this configuration to ensure that only images from the whitelisted domains
   // can be served from the Next.js Image Optimization API
   // see https://nextjs.org/docs/app/api-reference/components/image#remotepatterns
@@ -27,6 +70,7 @@ const nextConfig: NextConfig = {
         hostname: 'xmc-*.**',
         port: '',
       },
+
       {
         protocol: 'https',
         hostname: '**.sugcon.events',