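/// <summary>
/// Registers the security-headers middleware with a restrictive default header set
/// (same-origin framing, nosniff, HSTS with includeSubDomains, strict-origin-when-cross-origin
/// referrer, the library's default Permissions-Policy, X-Permitted-Cross-Domain-Policies: none,
/// Server header removed) plus a baseline CSP, and lets the caller extend the CSP with its own
/// directives. The baseline (object-src 'none', form-action 'self', frame-ancestors 'none') is
/// applied to the caller's policy as well, so it is not lost if the caller's policy replaces the
/// baseline Content-Security-Policy entry in the collection.
/// </summary>
/// <param name="app">Application pipeline to add the middleware to.</param>
/// <param name="reportOnly">
/// When true the caller's CSP is emitted as Content-Security-Policy-Report-Only (the baseline CSP is
/// still enforced, as before); when false it is emitted as an enforced Content-Security-Policy.
/// </param>
/// <param name="cspBuilder">
/// Caller-supplied CSP directives. They run after the baseline, so a directive the caller sets
/// (e.g. form-action) takes precedence over the baseline value for that directive.
/// </param>
/// <returns>The same <paramref name="app"/> with the security-headers middleware registered.</returns>
/// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="cspBuilder"/> is null.</exception>
public static IApplicationBuilder UseCspWithFeaturePolicy(this IApplicationBuilder app, bool reportOnly, Action<CspBuilder> cspBuilder)
{
    if (app is null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    if (cspBuilder is null)
    {
        throw new ArgumentNullException(nameof(cspBuilder));
    }

    // Baseline CSP that every variant of the header should carry.
    void ApplyBaseline(CspBuilder builder)
    {
        builder.AddObjectSrc().None();
        builder.AddFormAction().Self();
        builder.AddFrameAncestors().None();
    }

    var head = new HeaderPolicyCollection()
        .AddFrameOptionsSameOrigin()
        // NOTE(review): X-XSS-Protection is a legacy header; current browsers ignore it and the
        // "1; mode=block" auditor mode was abusable for information leaks in older ones.
        // Consider dropping it or emitting "0" instead.
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddStrictTransportSecurityMaxAgeIncludeSubDomains()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        // Permissions-Policy is the successor of Feature-Policy referred to in the method name.
        .AddPermissionsPolicy(fp => fp.AddDefaultPermissionsPolicy())
        .AddCustomHeader("X-Permitted-Cross-Domain-Policies", "none")
        .RemoveServerHeader()
        .AddContentSecurityPolicy(ApplyBaseline);

    if (reportOnly)
    {
        // The enforced baseline above stays in place; only the caller's (baseline + own) policy is
        // report-only, so the report reflects what would be enforced once the caller switches modes.
        head.AddContentSecurityPolicyReportOnly(builder =>
        {
            ApplyBaseline(builder);
            cspBuilder(builder);
        });
    }
    else
    {
        // NOTE(review): HeaderPolicyCollection keys policies by header name, so this second
        // AddContentSecurityPolicy replaces the baseline entry added above (confirm against the
        // library version in use). Re-applying the baseline inside the caller's policy keeps
        // object-src/form-action/frame-ancestors in the emitted header either way.
        head.AddContentSecurityPolicy(builder =>
        {
            ApplyBaseline(builder);
            cspBuilder(builder);
        });
    }

    return app.UseSecurityHeaders(head);
}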
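/// <summary>
/// Adds the Content-Security-Policy (and, outside development, HSTS) to <paramref name="policy"/>.
/// Production gets a fully locked-down CSP: every listed fetch directive is 'none', base-uri is
/// 'self', framing is denied, Trusted Types are required for scripts, and default-src 'none'
/// closes the directives not listed explicitly (connect-src, frame-src, media-src, worker-src, ...),
/// which would otherwise be unrestricted. Development relaxes the policy enough for Swagger UI.
/// </summary>
/// <param name="isDev">True when running in the development environment (Swagger UI needs to render).</param>
/// <param name="policy">Header collection to add the CSP and HSTS policies to.</param>
/// <exception cref="ArgumentNullException"><paramref name="policy"/> is null.</exception>
private static void AddCspHstsDefinitions(bool isDev, HeaderPolicyCollection policy)
{
    if (policy is null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    if (!isDev)
    {
        policy.AddContentSecurityPolicy(builder =>
        {
            // Fallback for every fetch directive not set below; without it connect-src, frame-src,
            // media-src, worker-src and friends default to allowing any origin.
            builder.AddDefaultSrc().None();
            builder.AddObjectSrc().None();
            // NOTE(review): block-all-mixed-content is deprecated in favour of
            // upgrade-insecure-requests; it is kept here as in the original policy.
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().None();
            builder.AddFormAction().None();
            builder.AddFontSrc().None();
            builder.AddStyleSrc().None();
            builder.AddScriptSrc().None();
            builder.AddBaseUri().Self();
            builder.AddFrameAncestors().None();
            // Not exposed by the builder API, hence the custom directive.
            builder.AddCustomDirective("require-trusted-types-for", "'script'");
        });

        // HSTS only outside development, where the site is reached over HTTPS; one year, subdomains included.
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }
    else
    {
        // Development: allow Swagger UI to load its own (inline) assets. This policy must not reach
        // production — 'unsafe-inline' on script-src disables CSP's XSS protection entirely.
        policy.AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().Self().From("data:");
            builder.AddFormAction().Self();
            builder.AddFontSrc().Self();
            builder.AddStyleSrc().Self().UnsafeInline();
            // TODO: replace UnsafeInline with WithNonce() once Swagger UI assets carry the nonce.
            builder.AddScriptSrc().Self().UnsafeInline();
            builder.AddBaseUri().Self();
            builder.AddFrameAncestors().None();
        });
    }
}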
/// <summary>
/// Applies the project's default hardening headers to <paramref name="policies"/>:
/// X-Frame-Options: DENY, X-XSS-Protection block mode, X-Content-Type-Options: nosniff,
/// HSTS with the library's default max-age, Referrer-Policy: strict-origin-when-cross-origin,
/// Server header removal, and a baseline CSP of object-src 'none', form-action 'self',
/// frame-ancestors 'none'.
/// </summary>
/// <remarks>
/// NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore; "1; mode=block"
/// was abusable for information leaks in older browsers, so consider emitting "0" or dropping it.
/// The baseline CSP sets no default-src, so fetch directives other than object-src are unrestricted;
/// callers that serve HTML should tighten it.
/// </remarks>
/// <param name="policies">Header collection to extend.</param>
/// <returns><paramref name="policies"/>, for chaining.</returns>
public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicyCollection policies)
{
    Action<CspBuilder> baselineCsp = csp =>
    {
        csp.AddObjectSrc().None();
        csp.AddFormAction().Self();
        csp.AddFrameAncestors().None();
    };

    return policies
        .AddFrameOptionsDeny()
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddStrictTransportSecurityMaxAge()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .RemoveServerHeader()
        .AddContentSecurityPolicy(baselineCsp);
}