
Commit e26ea85

committed
Updating security headers
1 parent 1d5e867 commit e26ea85

3 files changed

Lines changed: 76 additions & 36 deletions


Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
using Microsoft.AspNetCore.Builder;
2+
3+
namespace StsServerIdentity
4+
{
5+
public static class SecurityHeadersDefinitions
6+
{
7+
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
8+
{
9+
var policy = new HeaderPolicyCollection()
10+
.AddFrameOptionsDeny()
11+
.AddXssProtectionBlock()
12+
.AddContentTypeOptionsNoSniff()
13+
.AddReferrerPolicyStrictOriginWhenCrossOrigin()
14+
.RemoveServerHeader()
15+
.AddCrossOriginOpenerPolicy(builder =>
16+
{
17+
builder.SameOrigin();
18+
})
19+
.AddCrossOriginEmbedderPolicy(builder =>
20+
{
21+
builder.RequireCorp();
22+
})
23+
.AddCrossOriginResourcePolicy(builder =>
24+
{
25+
builder.SameOrigin();
26+
})
27+
.AddContentSecurityPolicy(builder =>
28+
{
29+
builder.AddObjectSrc().None();
30+
builder.AddBlockAllMixedContent();
31+
builder.AddImgSrc().Self().From("data:");
32+
builder.AddFormAction().Self();
33+
builder.AddFontSrc().Self();
34+
builder.AddStyleSrc().Self().UnsafeInline();
35+
builder.AddBaseUri().Self();
36+
builder.AddScriptSrc().UnsafeInline(); //.WithNonce();
37+
builder.AddFrameAncestors().Self();
38+
// builder.AddCustomDirective("require-trusted-types-for", "'script'");
39+
})
40+
.RemoveServerHeader()
41+
.AddPermissionsPolicy(builder =>
42+
{
43+
builder.AddAccelerometer().None();
44+
builder.AddAutoplay().None();
45+
builder.AddCamera().None();
46+
builder.AddEncryptedMedia().None();
47+
builder.AddFullscreen().All();
48+
builder.AddGeolocation().None();
49+
builder.AddGyroscope().None();
50+
builder.AddMagnetometer().None();
51+
builder.AddMicrophone().None();
52+
builder.AddMidi().None();
53+
builder.AddPayment().None();
54+
builder.AddPictureInPicture().None();
55+
builder.AddSyncXHR().None();
56+
builder.AddUsb().None();
57+
});
58+
59+
if (!isDev)
60+
{
61+
// maxage = one year in seconds
62+
policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
63+
}
64+
65+
return policy;
66+
}
67+
}
68+
}
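Review bot: `builder.AddScriptSrc().UnsafeInline();` produces a `script-src` directive containing only `'unsafe-inline'`, which drops the `'self'` source the removed `UseCsp` block in Startup.cs had (`.ScriptSources(s => s.Self())`), so scripts referenced by URL from this origin would be blocked, while `'unsafe-inline'` leaves the policy unable to stop injected inline script. The commented-out `//.WithNonce()` and the TagHelpers package added in the csproj suggest the intended line is `builder.AddScriptSrc().Self().WithNonce();`, with the nonce tag helper applied to the inline scripts in the views. `.RemoveServerHeader()` is chained twice; the second call after `AddContentSecurityPolicy` is redundant. `AddFrameOptionsDeny()` and `builder.AddFrameAncestors().Self()` disagree: browsers that honour `frame-ancestors` allow same-origin framing while those that only read `X-Frame-Options` refuse it, so pick one policy (`AddFrameOptionsSameOrigin()` if same-origin framing is needed, otherwise `.None()` on frame-ancestors). `GetHeaderPolicyCollection` is public and has no XML doc; a `<summary>` stating that HSTS is deliberately omitted when `isDev` is true would spare the next reader a surprise.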

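--- a/content/StsServerIdentity/Startup.cs
+++ b/content/StsServerIdentity/Startup.cs
@@ -143,8 +143,11 @@ public void ConfigureServices(IServiceCollection services)
 });
 }
 
-public void Configure(IApplicationBuilder app)
+public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 {
+app.UseSecurityHeaders(
+SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment()));
+
 app.UseCookiePolicy();
 
 if (_environment.IsDevelopment())
@@ -157,22 +160,7 @@ public void Configure(IApplicationBuilder app)
 app.UseExceptionHandler("/Home/Error");
 }
 
-app.UseHsts(hsts => hsts.MaxAge(365).IncludeSubdomains());
-app.UseXContentTypeOptions();
-app.UseReferrerPolicy(opts => opts.NoReferrer());
-app.UseXXssProtection(options => options.EnabledWithBlockMode());
-
-app.UseCsp(opts => opts
-.BlockAllMixedContent()
-.StyleSources(s => s.Self())
-.StyleSources(s => s.UnsafeInline())
-.FontSources(s => s.Self())
-.FrameAncestors(s => s.Self())
-.ImageSources(imageSrc => imageSrc.Self())
-.ImageSources(imageSrc => imageSrc.CustomSources("data:"))
-.ScriptSources(s => s.Self())
-.ScriptSources(s => s.UnsafeInline())
-);
+
 
 var locOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
 app.UseRequestLocalization(locOptions.Value);
@@ -181,25 +169,7 @@ public void Configure(IApplicationBuilder app)
 // https://nblumhardt.com/2019/10/serilog-mvc-logging/
 app.UseSerilogRequestLogging();
 
-app.UseStaticFiles(new StaticFileOptions()
-{
-OnPrepareResponse = context =>
-{
-if (context.Context.Response.Headers["feature-policy"].Count == 0)
-{
-var featurePolicy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
-
-context.Context.Response.Headers["feature-policy"] = featurePolicy;
-}
-
-if (context.Context.Response.Headers["X-Content-Security-Policy"].Count == 0)
-{
-var csp = "script-src 'self';style-src 'self';img-src 'self' data:;font-src 'self';form-action 'self';frame-ancestors 'self';block-all-mixed-content";
-// IE
-context.Context.Response.Headers["X-Content-Security-Policy"] = csp;
-}
-}
-});
+app.UseStaticFiles();
 
 app.UseRouting();
 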
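Review bot: `Configure` gains an `IWebHostEnvironment env` parameter for `env.IsDevelopment()`, yet two lines below it still reads `_environment.IsDevelopment()`; holding two handles to the environment in one method invites drift, so either use the existing field, `SecurityHeadersDefinitions.GetHeaderPolicyCollection(_environment.IsDevelopment())`, and drop the parameter, or switch the method to `env` throughout. The second hunk also changes the referrer policy from `NoReferrer` (removed `UseReferrerPolicy`) to strict-origin-when-cross-origin in the new policy collection, which is a relaxation the commit message does not call out and is worth a sentence there. Putting `UseSecurityHeaders` ahead of `UseCookiePolicy` and `UseStaticFiles` looks right, since the removed `OnPrepareResponse` hook only covered static files and the middleware should now cover every response. `Configure` continues past the third hunk.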

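--- a/content/StsServerIdentity/StsServerIdentity.csproj
+++ b/content/StsServerIdentity/StsServerIdentity.csproj
@@ -39,6 +39,8 @@
 <PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
 <PackageReference Include="Fido2" Version="2.0.2" />
 <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="3.1.18" />
+<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.16.0" />
+<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.16.0" />
 </ItemGroup>
 
 <ItemGroup>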
