
Commit 7fc62cc

authored
Merge pull request #108 from damienbod/dev-updates
Update headers, nuget packages
2 parents 1ca7475 + af9fd6a commit 7fc62cc

8 files changed

Lines changed: 96 additions & 62 deletions

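--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,9 @@
 
 [Readme](https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate/blob/master/README.md)
 
+2021-08-18 5.1.2
+- Updated nuget and security headers
+
 2021-05-15 5.1.1
 - Updated nuget and npm packages
 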
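--- a/content/IdentityServer4AspNetCoreIdentityTemplate.nuspec
+++ b/content/IdentityServer4AspNetCoreIdentityTemplate.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 <metadata>
 <id>IdentityServer4AspNetCoreIdentityTemplate</id>
-<version>5.1.1</version>
+<version>5.1.2</version>
 <title>IdentityServer4.Identity.Template</title>
 <license type="file">LICENSE</license>
 <description>
@@ -17,7 +17,7 @@
 <requireLicenseAcceptance>false</requireLicenseAcceptance>
 <copyright>2020 damienbod</copyright>
 <summary>This template provides a simle getting started for IdentityServer4 with Identity. Identity is Localized and the UI uses Bootstrap 4, Remove AllowAnonymous from the logout</summary>
-<releaseNotes>Updated packages</releaseNotes>
+<releaseNotes>Updated packages, updated security headers</releaseNotes>
 <repository type="git" url="https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate" />
 <packageTypes>
 <packageType name="Template" />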

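--- a/content/StsServerIdentity/Filters/SecurityHeadersAttribute.cs
+++ b/content/StsServerIdentity/Filters/SecurityHeadersAttribute.cs
@@ -13,13 +13,6 @@ public override void OnResultExecuting(ResultExecutingContext context)
 var result = context.Result;
 if (result is ViewResult)
 {
-var featurePolicy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
-
-if (!context.HttpContext.Response.Headers.ContainsKey("feature-policy"))
-{
-context.HttpContext.Response.Headers.Add("feature-policy", featurePolicy);
-}
-
 if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Type-Options"))
 {
 context.HttpContext.Response.Headers.Add("X-Content-Type-Options", "nosniff");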
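--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,68 @@
+using Microsoft.AspNetCore.Builder;
+
+namespace StsServerIdentity
+{
+public static class SecurityHeadersDefinitions
+{
+public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
+{
+var policy = new HeaderPolicyCollection()
+.AddFrameOptionsDeny()
+.AddXssProtectionBlock()
+.AddContentTypeOptionsNoSniff()
+.AddReferrerPolicyStrictOriginWhenCrossOrigin()
+.RemoveServerHeader()
+.AddCrossOriginOpenerPolicy(builder =>
+{
+builder.SameOrigin();
+})
+.AddCrossOriginEmbedderPolicy(builder =>
+{
+builder.RequireCorp();
+})
+.AddCrossOriginResourcePolicy(builder =>
+{
+builder.SameOrigin();
+})
+.AddContentSecurityPolicy(builder =>
+{
+builder.AddObjectSrc().None();
+builder.AddBlockAllMixedContent();
+builder.AddImgSrc().Self().From("data:");
+builder.AddFormAction().Self();
+builder.AddFontSrc().Self();
+builder.AddStyleSrc().Self().UnsafeInline();
+builder.AddBaseUri().Self();
+builder.AddScriptSrc().Self().UnsafeInline(); //.WithNonce();
+builder.AddFrameAncestors().Self();
+// builder.AddCustomDirective("require-trusted-types-for", "'script'");
+})
+.RemoveServerHeader()
+.AddPermissionsPolicy(builder =>
+{
+builder.AddAccelerometer().None();
+builder.AddAutoplay().None();
+builder.AddCamera().None();
+builder.AddEncryptedMedia().None();
+builder.AddFullscreen().All();
+builder.AddGeolocation().None();
+builder.AddGyroscope().None();
+builder.AddMagnetometer().None();
+builder.AddMicrophone().None();
+builder.AddMidi().None();
+builder.AddPayment().None();
+builder.AddPictureInPicture().None();
+builder.AddSyncXHR().None();
+builder.AddUsb().None();
+});
+
+if (!isDev)
+{
+// maxage = one year in seconds
+policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
+}
+
+return policy;
+}
+}
+}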
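Review bot: `builder.AddScriptSrc().Self().UnsafeInline();` (new line 36) keeps `'unsafe-inline'` on script-src, which lets any injected inline script execute and so gives up most of the XSS protection the rest of this CSP provides; the commented-out `//.WithNonce();` and the `NetEscapades.AspNetCore.SecurityHeaders.TagHelpers` package this commit adds suggest the nonce route was intended, i.e. `builder.AddScriptSrc().Self().WithNonce();` together with `asp-add-nonce` on the inline script tags in the views (not visible here, so this needs checking before switching). The policy also declares no `default-src`, so every directive not listed (connect-src, frame-src, media-src, worker-src, …) is unrestricted; `builder.AddDefaultSrc().Self();` as the first directive closes that gap and makes the later `.Self()` entries explicit narrowings rather than the only limits. `.RemoveServerHeader()` is chained twice (lines 14 and 40); the second call is redundant. The file path for this new file is not shown on the page.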

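--- a/content/StsServerIdentity/Startup.cs
+++ b/content/StsServerIdentity/Startup.cs
@@ -143,8 +143,11 @@ public void ConfigureServices(IServiceCollection services)
 });
 }
 
-public void Configure(IApplicationBuilder app)
+public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 {
+app.UseSecurityHeaders(
+SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment()));
+
 app.UseCookiePolicy();
 
 if (_environment.IsDevelopment())
@@ -157,49 +160,14 @@ public void Configure(IApplicationBuilder app)
 app.UseExceptionHandler("/Home/Error");
 }
 
-app.UseHsts(hsts => hsts.MaxAge(365).IncludeSubdomains());
-app.UseXContentTypeOptions();
-app.UseReferrerPolicy(opts => opts.NoReferrer());
-app.UseXXssProtection(options => options.EnabledWithBlockMode());
-
-app.UseCsp(opts => opts
-.BlockAllMixedContent()
-.StyleSources(s => s.Self())
-.StyleSources(s => s.UnsafeInline())
-.FontSources(s => s.Self())
-.FrameAncestors(s => s.Self())
-.ImageSources(imageSrc => imageSrc.Self())
-.ImageSources(imageSrc => imageSrc.CustomSources("data:"))
-.ScriptSources(s => s.Self())
-.ScriptSources(s => s.UnsafeInline())
-);
-
 var locOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
 app.UseRequestLocalization(locOptions.Value);
 
 // https://nblumhardt.com/2019/10/serilog-in-aspnetcore-3/
 // https://nblumhardt.com/2019/10/serilog-mvc-logging/
 app.UseSerilogRequestLogging();
 
-app.UseStaticFiles(new StaticFileOptions()
-{
-OnPrepareResponse = context =>
-{
-if (context.Context.Response.Headers["feature-policy"].Count == 0)
-{
-var featurePolicy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
-
-context.Context.Response.Headers["feature-policy"] = featurePolicy;
-}
-
-if (context.Context.Response.Headers["X-Content-Security-Policy"].Count == 0)
-{
-var csp = "script-src 'self';style-src 'self';img-src 'self' data:;font-src 'self';form-action 'self';frame-ancestors 'self';block-all-mixed-content";
-// IE
-context.Context.Response.Headers["X-Content-Security-Policy"] = csp;
-}
-}
-});
+app.UseStaticFiles();
 
 app.UseRouting();
 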
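Review bot: The new `app.UseSecurityHeaders(...)` call decides development mode from the added `env` parameter while the next lines of the same method still use the `_environment` field for the same check, so the method now has two sources of truth for one decision; either pass `_environment.IsDevelopment()` and drop the new parameter, or replace the remaining `_environment` uses with `env`, so both cannot drift apart. The second hunk removes every NWebsec middleware call (`UseHsts`, `UseXContentTypeOptions`, `UseReferrerPolicy`, `UseXXssProtection`, `UseCsp`), yet the csproj in this same commit still references `NWebsec.AspNetCore.Middleware`; an unused package is one more dependency to keep patched for no benefit, and removing it makes the migration to the new header policy explicit. The `Configure` method continues outside both hunks.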

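--- a/content/StsServerIdentity/StsServerIdentity.csproj
+++ b/content/StsServerIdentity/StsServerIdentity.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 <PropertyGroup>
 <TargetFramework>netcoreapp3.1</TargetFramework>
-<Version>5.1.1</Version>
+<Version>5.1.2</Version>
 <Description>IdentityServer4 template with ASP.NET Core 3.1 and ASP.NET Core Identity</Description>
 <PackageProjectUrl>https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate</PackageProjectUrl>
 <PackageIconUrl>http://www.gravatar.com/avatar/61d005637f57b5c3da8ba662cf04a9d6.png</PackageIconUrl>
@@ -11,34 +11,36 @@
 <PackageReleaseNotes>Updated nuget packages</PackageReleaseNotes>
 </PropertyGroup>
 <ItemGroup>
-<PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.1.0" />
-<PackageReference Include="Azure.Identity" Version="1.4.0" />
-<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.1.0" />
+<PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.1" />
+<PackageReference Include="Azure.Identity" Version="1.4.1" />
+<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.2.0" />
 <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.1" />
 <PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
 <PackageReference Include="IdentityServer4" Version="4.1.2" />
 <PackageReference Include="IdentityServer4.AspNetIdentity" Version="4.1.2" />
-<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.15" />
-<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.15" />
-<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.1.15" />
-<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.15">
+<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="3.1.18" />
+<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.18" />
+<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="3.1.18" />
+<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="3.1.18">
 <PrivateAssets>all</PrivateAssets>
 <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
 </PackageReference>
-<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.1.15" />
+<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="3.1.18" />
 <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="3.1.5" />
 <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
 <PackageReference Include="Remotion.Linq" Version="2.2.0" />
 <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="5.2.9" />
 <PackageReference Include="NWebsec.AspNetCore.Middleware" Version="3.0.0" />
-<PackageReference Include="Sendgrid" Version="9.23.1" />
+<PackageReference Include="Sendgrid" Version="9.24.2" />
 <PackageReference Include="Serilog" Version="2.10.0" />
 <PackageReference Include="Serilog.AspNetCore" Version="4.1.0" />
-<PackageReference Include="Serilog.Settings.Configuration" Version="3.1.0" />
-<PackageReference Include="Serilog.Sinks.Console" Version="3.1.1" />
-<PackageReference Include="Serilog.Sinks.File" Version="4.1.0" />
+<PackageReference Include="Serilog.Settings.Configuration" Version="3.2.0" />
+<PackageReference Include="Serilog.Sinks.Console" Version="4.0.0" />
+<PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
 <PackageReference Include="Fido2" Version="2.0.2" />
-<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.15" />
+<PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.18" />
+<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.16.0" />
+<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.16.0" />
 </ItemGroup>
 
 <ItemGroup>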

content/StsServerIdentity/package-lock.json

Lines changed: 1 addition & 1 deletion

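--- a/content/StsServerIdentity/package.json
+++ b/content/StsServerIdentity/package.json
@@ -1,5 +1,5 @@
 {
-"version": "5.0.5",
+"version": "5.1.2",
 "name": "asp.net",
 "private": true,
 "devDependencies": {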
