Update security headers
damienbod committed Oct 26, 2024
1 parent a79356f commit 146a3a8
Showing 3 changed files with 17 additions and 23 deletions.
11 changes: 9 additions & 2 deletions MyApi/Program.cs
Expand Up @@ -8,6 +8,7 @@
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.OpenApi.Models;
using MyApi;
using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
using System;
using System.IO;
using System.Reflection;
Expand All @@ -17,6 +18,13 @@
var services = builder.Services;
var configuration = builder.Configuration;

services.AddSecurityHeaderPolicies()
.SetPolicySelector((PolicySelectorContext ctx) =>
{
return SecurityHeadersDefinitions.GetHeaderPolicyCollection(
builder.Environment.IsDevelopment());
});

// only needed for browser clients
//services.AddCors(options =>
//{
Expand Down Expand Up @@ -120,8 +128,7 @@

JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();

app.UseSecurityHeaders(
SecurityHeadersDefinitions.GetHeaderPolicyCollection(app.Environment.IsDevelopment()));
app.UseSecurityHeaders();

app.UseSwagger();
app.UseSwaggerUI(c =>
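Review bot: The selector registered with `.SetPolicySelector((PolicySelectorContext ctx) => ...)` never reads `ctx`, so it resolves to the same collection on every request and the per-request hook buys nothing over registering the collection once as the default policy. If the intent is a single policy, `services.AddSecurityHeaderPolicies().SetDefaultPolicy(SecurityHeadersDefinitions.GetHeaderPolicyCollection(builder.Environment.IsDevelopment()));` states that directly and also stops relying on the static cache inside GetHeaderPolicyCollection; if a selector is kept deliberately (e.g. to vary policies per endpoint later), a one-line comment saying so would help the next reader. The new `app.UseSecurityHeaders();` at +128 follows the JsonWebTokenHandler setup, but the middleware registered before it lies outside the hunk, so it cannot be confirmed here that it runs ahead of anything that may start writing a response (exception handler, static files).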
28 changes: 8 additions & 20 deletions MyApi/SecurityHeadersDefinitions.cs
Expand Up @@ -4,38 +4,26 @@ namespace MyApi;

public static class SecurityHeadersDefinitions
{
private static HeaderPolicyCollection? policy;

public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
{
var policy = new HeaderPolicyCollection()
// Avoid building a new HeaderPolicyCollection on every request for performance reasons.
// Where possible, cache and reuse HeaderPolicyCollection instances.
if (policy != null) return policy;

policy = new HeaderPolicyCollection()
.AddFrameOptionsDeny()
.AddContentTypeOptionsNoSniff()
.AddReferrerPolicyStrictOriginWhenCrossOrigin()
.AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
.AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
.RemoveServerHeader()
.AddPermissionsPolicy(builder =>
{
builder.AddAccelerometer().None();
builder.AddAutoplay().None();
builder.AddCamera().None();
builder.AddEncryptedMedia().None();
builder.AddFullscreen().All();
builder.AddGeolocation().None();
builder.AddGyroscope().None();
builder.AddMagnetometer().None();
builder.AddMicrophone().None();
builder.AddMidi().None();
builder.AddPayment().None();
builder.AddPictureInPicture().None();
builder.AddSyncXHR().None();
builder.AddUsb().None();
});
.AddPermissionsPolicyWithDefaultSecureDirectives();

AddCspHstsDefinitions(isDev, policy);

policy.ApplyDocumentHeadersToAllResponses();

return policy;
}

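Review bot: The cache added to `GetHeaderPolicyCollection` returns whatever was built on the first call and ignores `isDev` from then on, so the parameter has no effect once the static `policy` field is set; the only visible caller passes a process-constant `IsDevelopment()`, which makes this harmless today, but the signature promises more than it delivers. Either document it — `// Cached on first call; isDev of later calls is ignored (constant for the process lifetime).` — or key the cache on the flag (two fields, or a `Lazy<HeaderPolicyCollection>` per value). The unguarded `if (policy != null) return policy;` / assignment pair also lets two concurrent first calls build two identical collections with the last write winning, which is benign but worth a comment or an `Interlocked.CompareExchange`. Separately, the removed explicit policy granted `AddFullscreen().All()` whereas `AddPermissionsPolicyWithDefaultSecureDirectives()` applies the library's defaults, which may be stricter for fullscreen; the emitted Permissions-Policy header should be checked against what the API's clients need. AddCspHstsDefinitions and the rest of the class are outside the hunk.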
1 change: 0 additions & 1 deletion RazorMicrosoftEntraID/Program.cs
Expand Up @@ -22,7 +22,6 @@
builder.Environment.IsDevelopment());
});


services.AddTransient<MyApiOneService>();
services.AddHttpClient();

