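/// <summary>
    /// Registers the default hardening headers plus a Content-Security-Policy composed of a restrictive
    /// baseline (object-src 'none', form-action 'self', frame-ancestors 'none') extended by the
    /// directives supplied in <paramref name="cspBuilder"/>. The restrictive permissions set is emitted
    /// as Permissions-Policy (the successor of the Feature-Policy header this method is named after).
    /// </summary>
    /// <param name="app">The application pipeline to register the security-headers middleware on.</param>
    /// <param name="reportOnly">
    /// When <c>true</c> the composed policy is sent as <c>Content-Security-Policy-Report-Only</c> and nothing
    /// is enforced; when <c>false</c> it is sent as <c>Content-Security-Policy</c>.
    /// </param>
    /// <param name="cspBuilder">Caller-supplied CSP directives, applied after the baseline directives.</param>
    /// <returns>The same <paramref name="app"/> instance, for chaining.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="cspBuilder"/> is <c>null</c>.</exception>
    public static IApplicationBuilder UseCspWithFeaturePolicy(this IApplicationBuilder app, bool reportOnly, Action<CspBuilder> cspBuilder)
    {
        if (cspBuilder is null)
        {
            throw new ArgumentNullException(nameof(cspBuilder));
        }

        // Baseline and caller directives are combined into ONE builder action. The header collection
        // stores one policy per header name, so registering Content-Security-Policy a second time
        // (as the enforce branch previously did) would replace the baseline instead of merging with it,
        // and in report-only mode the baseline would have been enforced rather than reported.
        Action<CspBuilder> composedCsp = builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddFormAction().Self();
            builder.AddFrameAncestors().None();
            cspBuilder(builder);
        };

        var head = new HeaderPolicyCollection()
                   .AddFrameOptionsSameOrigin()
                   .AddXssProtectionBlock()
                   .AddContentTypeOptionsNoSniff()
                   .AddStrictTransportSecurityMaxAgeIncludeSubDomains()
                   .AddReferrerPolicyStrictOriginWhenCrossOrigin()
                   .AddPermissionsPolicy(fp => fp.AddDefaultPermissionsPolicy())
                   .AddCustomHeader("X-Permitted-Cross-Domain-Policies", "none")
                   .RemoveServerHeader();

        if (reportOnly)
        {
            head.AddContentSecurityPolicyReportOnly(composedCsp);
        }
        else
        {
            head.AddContentSecurityPolicy(composedCsp);
        }

        return app.UseSecurityHeaders(head);
    }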
 /// <summary>
 /// Registers the Content-Security-Policy and, outside development, the Strict-Transport-Security
 /// header on <paramref name="policy"/>.
 /// </summary>
 /// <param name="isDev">
 /// <c>true</c> selects the development profile: a relaxed CSP (self-hosted resources, inline styles
 /// and scripts, data: images) so the Swagger UI renders, and no HSTS header. <c>false</c> selects the
 /// lock-down profile: every listed resource type denied, base-uri limited to the origin, Trusted Types
 /// required for scripts, and a one-year HSTS header covering sub-domains.
 /// </param>
 /// <param name="policy">The header collection to extend; mutated in place.</param>
 private static void AddCspHstsDefinitions(bool isDev, HeaderPolicyCollection policy)
 {
     // Strict-Transport-Security max-age, expressed in seconds.
     const int OneYearInSeconds = 60 * 60 * 24 * 365;

     if (isDev)
     {
         // Development only: Swagger UI needs inline styles/scripts and data: images.
         // NOTE(review): 'unsafe-inline' on script-src removes most of CSP's script protection; the
         // commented-out nonce variant would be the stricter option if the tooling supports it.
         policy.AddContentSecurityPolicy(csp =>
         {
             csp.AddObjectSrc().None();
             csp.AddBlockAllMixedContent();
             csp.AddImgSrc().Self().From("data:");
             csp.AddFormAction().Self();
             csp.AddFontSrc().Self();
             csp.AddStyleSrc().Self().UnsafeInline();
             csp.AddScriptSrc().Self().UnsafeInline(); //.WithNonce();
             csp.AddBaseUri().Self();
             csp.AddFrameAncestors().None();
         });
         return;
     }

     // Non-development: deny each listed resource type outright.
     // NOTE(review): no default-src is set, so fetch directives not listed here (connect-src,
     // frame-src, media-src, ...) are not restricted by this policy — confirm that is intended.
     policy.AddContentSecurityPolicy(csp =>
     {
         csp.AddObjectSrc().None();
         csp.AddBlockAllMixedContent();
         csp.AddImgSrc().None();
         csp.AddFormAction().None();
         csp.AddFontSrc().None();
         csp.AddStyleSrc().None();
         csp.AddScriptSrc().None();
         csp.AddBaseUri().Self();
         csp.AddFrameAncestors().None();
         csp.AddCustomDirective("require-trusted-types-for", "'script'");
     });
     policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
 }
 /// <summary>
 /// Applies the default set of hardening headers to <paramref name="policies"/>: X-Frame-Options DENY,
 /// X-XSS-Protection in block mode, X-Content-Type-Options nosniff, Strict-Transport-Security with the
 /// library's default max-age, Referrer-Policy strict-origin-when-cross-origin, removal of the Server
 /// header, and a baseline Content-Security-Policy (object-src 'none', form-action 'self',
 /// frame-ancestors 'none').
 /// </summary>
 /// <param name="policies">The collection to extend; it is mutated in place.</param>
 /// <returns>The same <paramref name="policies"/> instance, for chaining.</returns>
 public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicyCollection policies)
 {
     // Each Add*/Remove* call returns the collection, so the whole set registers as one fluent chain.
     return policies
         .AddFrameOptionsDeny()
         .AddXssProtectionBlock()
         .AddContentTypeOptionsNoSniff()
         .AddStrictTransportSecurityMaxAge()
         .AddReferrerPolicyStrictOriginWhenCrossOrigin()
         .RemoveServerHeader()
         .AddContentSecurityPolicy(csp =>
         {
             csp.AddObjectSrc().None();
             csp.AddFormAction().Self();
             csp.AddFrameAncestors().None();
         });
 }