fix security headers

Author: damienbod

MicrosoftEntraIDMultiApis/TestMultiApis/HostingExtensions.cs

@@ -4,6 +4,7 @@
 using Microsoft.Identity.Web.UI;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using Serilog;
 
 namespace RazorMicrosoftEntraID;
@@ -35,6 +36,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
             options.Filters.Add(new AuthorizeFilter(policy));
         }).AddMicrosoftIdentityUI();
 
+        services.AddSecurityHeaderPolicies()
+           .SetPolicySelector((PolicySelectorContext ctx) =>
+           {
+               return SecurityHeadersDefinitions
+                 .GetHeaderPolicyCollection(builder.Environment.IsDevelopment());
+           });
+
         return builder.Build();
     }
 
@@ -55,8 +63,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
             app.UseHsts();
         }
 
-        app.UseSecurityHeaders(SecurityHeadersDefinitions
-            .GetHeaderPolicyCollection(app.Environment.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         app.UseHttpsRedirection();
         app.UseStaticFiles();

MultiIdentityProvider/RazorAuth0Client/HostingExtensions.cs

@@ -6,6 +6,7 @@
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using Serilog;
 
 namespace RazorAuth0Client;
@@ -102,6 +103,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
             options.Filters.Add(new AuthorizeFilter(policy));
         });
 
+        services.AddSecurityHeaderPolicies()
+           .SetPolicySelector((PolicySelectorContext ctx) =>
+           {
+               return SecurityHeadersDefinitions
+                 .GetHeaderPolicyCollection(builder.Environment.IsDevelopment());
+           });
+
         return builder.Build();
     }
 
@@ -121,8 +129,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
             app.UseExceptionHandler("/Error");
         }
 
-        app.UseSecurityHeaders(
-            SecurityHeadersDefinitions.GetHeaderPolicyCollection(app.Environment.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         app.UseHttpsRedirection();
         app.UseStaticFiles();

MultiIdentityProvider/RazorMicrosoftEntraIDClient/HostingExtensions.cs

@@ -4,6 +4,7 @@
 using Microsoft.Identity.Web.UI;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using RazorMicrosoftEntraIDClient;
 using Serilog;
 
@@ -35,6 +36,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
             options.Filters.Add(new AuthorizeFilter(policy));
         }).AddMicrosoftIdentityUI();
 
+        services.AddSecurityHeaderPolicies()
+           .SetPolicySelector((PolicySelectorContext ctx) =>
+           {
+               return SecurityHeadersDefinitions
+                 .GetHeaderPolicyCollection(builder.Environment.IsDevelopment());
+           });
+
         return builder.Build();
     }
 
@@ -45,8 +53,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 
         app.UseSerilogRequestLogging();
 
-        app.UseSecurityHeaders(SecurityHeadersDefinitions
-            .GetHeaderPolicyCollection(app.Environment.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         app.UseHttpsRedirection();
         app.UseStaticFiles();

README.md

@@ -13,6 +13,7 @@
 
 ## History
 
+- 2025-04-26 Updated packages
 - 2025-02-13 Updated packages
 - 2024-12-31 Updated packages, .NET 9, Bootstrap 5, OpenIddict V6
 - 2024-10-03 Updated packages