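/// <summary>
/// Builds the application's security-header policy: X-Frame-Options DENY, X-XSS-Protection block,
/// nosniff, strict-origin-when-cross-origin referrer, the Server header removed, COOP/COEP/CORP
/// same-origin isolation, a nonce-based Content-Security-Policy and a deny-by-default
/// Permissions-Policy. HSTS is added only outside development so local http:// work is not pinned
/// in the browser for a year.
/// </summary>
/// <param name="isDev">True when running in the development environment; suppresses HSTS.</param>
/// <returns>The configured <see cref="HeaderPolicyCollection"/>, ready to pass to the security-headers middleware.</returns>
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
{
    var policy = new HeaderPolicyCollection()
        .AddFrameOptionsDeny()
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        // The original chain invoked RemoveServerHeader() a second time after the CSP block;
        // one call is sufficient, the duplicate was redundant.
        .RemoveServerHeader()
        .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
        .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
        .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
        .AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().Self().From("data:");
            builder.AddFormAction().Self();
            builder.AddFontSrc().Self();
            builder.AddStyleSrc().Self(); // .UnsafeInline();
            builder.AddBaseUri().Self();
            // A per-response nonce is emitted. Browsers that understand nonces ignore
            // 'unsafe-inline' when one is present, so it only acts as a fallback for
            // older browsers; the effective policy for modern clients is nonce-only.
            builder.AddScriptSrc().UnsafeInline().WithNonce();
            builder.AddFrameAncestors().None();
            // builder.AddCustomDirective("require-trusted-types-for", "'script'");
        })
        .AddPermissionsPolicy(builder =>
        {
            // Deny every powerful feature except fullscreen, which is allowed for all origins.
            builder.AddAccelerometer().None();
            builder.AddAutoplay().None();
            builder.AddCamera().None();
            builder.AddEncryptedMedia().None();
            builder.AddFullscreen().All();
            builder.AddGeolocation().None();
            builder.AddGyroscope().None();
            builder.AddMagnetometer().None();
            builder.AddMicrophone().None();
            builder.AddMidi().None();
            builder.AddPayment().None();
            builder.AddPictureInPicture().None();
            builder.AddSyncXHR().None();
            builder.AddUsb().None();
        });

    if (!isDev)
    {
        // maxage = one year in seconds
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return policy;
}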
/// <summary>
/// Registers the security-headers middleware with the StatCan policy: same-origin framing,
/// nosniff, strict-origin-when-cross-origin referrer, Server header removed and a
/// Content-Security-Policy whose allow-lists cover the OAuth identity providers, the CDNs the
/// front end loads from, and the Adobe Analytics domains. HSTS (one year, includeSubDomains)
/// is added only outside the Development environment.
/// </summary>
/// <param name="app">The application pipeline to add the middleware to.</param>
/// <returns>The same <paramref name="app"/>, for chaining.</returns>
public static IApplicationBuilder UseStatCanSecurityHeaders(this IApplicationBuilder app)
{
    var env = app.ApplicationServices.GetRequiredService<IHostEnvironment>();

    // Third-party origins, grouped by directive so the allow-list can be audited in one place.
    // Order is preserved from the original chained calls so the emitted header is unchanged.
    var oauthRedirectHosts = new[] { "github.com", "account.gccollab.ca", "login.microsoftonline.com" };
    var imageHosts = new[] { "*.statcan.ca", "*.statcan.gc.ca", "*.omtrdc.net", "*.demdex.net", "cm.everesttech.net" }; // last three: adobe analytics
    var fontHosts = new[] { "cdn.jsdelivr.net", "fonts.googleapis.com", "fonts.gstatic.com", "cdn.materialdesignicons.com" };
    var styleHosts = new[]
    {
        "cdn.materialdesignicons.com",
        "cdn.jsdelivr.net",
        "fonts.googleapis.com",
        "code.jquery.com",
        "unpkg.com",
        "cdnjs.cloudflare.com",
        "stackpath.bootstrapcdn.com",
    };
    var connectHosts = new[] { "cdn.jsdelivr.net", "dpm.demdex.net", "canada.sc.omtrdc.net" }; // last two: adobe analytics
    var scriptHosts = new[]
    {
        "cdn.jsdelivr.net",
        "code.jquery.com",
        "ajax.googleapis.com",
        "cdnjs.cloudflare.com",
        "vuejs.org",
        "unpkg.com",
        "stackpath.bootstrapcdn.com",
        "*.statcan.ca",
        "*.statcan.gc.ca",
        // adobe analytics
        "*.2o7.net",
        "*.omtrdc.net",
        "*.tt.omtrdc.net",
        "assets.adobedtm.com",
        "*.demdex.net",
        "cm.everesttech.net",
        "*.adobe.com",
    };

    var policyCollection = new HeaderPolicyCollection()
        .AddFrameOptionsSameOrigin()
        .AddXssProtectionEnabled()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .RemoveServerHeader()
        .AddContentSecurityPolicy(csp =>
        {
            csp.AddObjectSrc().Self();

            // Domains here for OAuth redirects
            var formAction = csp.AddFormAction().Self();
            foreach (var host in oauthRedirectHosts)
            {
                formAction.From(host);
            }

            csp.AddFrameAncestors().Self();
            csp.AddDefaultSrc().Self();

            var imgSrc = csp.AddImgSrc().Self().Data();
            foreach (var host in imageHosts)
            {
                imgSrc.From(host);
            }

            var fontSrc = csp.AddFontSrc().Self().Data();
            foreach (var host in fontHosts)
            {
                fontSrc.From(host);
            }

            var styleSrc = csp.AddStyleSrc().UnsafeInline().Self();
            foreach (var host in styleHosts)
            {
                styleSrc.From(host);
            }

            var connectSrc = csp.AddConnectSrc().Self();
            foreach (var host in connectHosts)
            {
                connectSrc.From(host);
            }

            // 'unsafe-eval' is needed for vue-js in the oc admin and 'unsafe-inline' for the oc admin
            // pages. Together with the public package CDNs below (jsdelivr, unpkg, cdnjs) this
            // script-src offers little protection against injected script; moving the admin pages
            // to nonce- or hash-based script loading is the hardening path if that ever becomes feasible.
            var scriptSrc = csp.AddScriptSrc().UnsafeEval().UnsafeInline().Self();
            foreach (var host in scriptHosts)
            {
                scriptSrc.From(host);
            }

            csp.AddFrameSource().Self().From("canada.demdex.net"); // adobe analytics
        });

    if (!env.IsDevelopment())
    {
        // maxage = one year in seconds
        policyCollection.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return app.UseSecurityHeaders(policyCollection);
}
/// <summary>
/// Creates the security-header policy for the Blazor Server app: framing denied, X-XSS-Protection
/// block, nosniff, strict-origin-when-cross-origin referrer, Server header removed, COOP/COEP/CORP
/// isolation, a Content-Security-Policy that admits the jsdelivr and Font Awesome style CDNs, and a
/// deny-by-default Permissions-Policy. HSTS is only added outside the Development environment.
/// </summary>
/// <param name="environment">Hosting environment; used to decide whether HSTS is emitted.</param>
/// <returns>The configured <see cref="HeaderPolicyCollection"/>.</returns>
public static HeaderPolicyCollection CreateSecurityHeaderCollection(IWebHostEnvironment environment)
{
    var policy = new HeaderPolicyCollection();

    // Each Add*/Remove* call returns the same collection, so the fluent chain from the
    // original is expressed here as plain statements.
    policy.AddFrameOptionsDeny();
    policy.AddXssProtectionBlock();
    policy.AddContentTypeOptionsNoSniff();
    policy.AddReferrerPolicyStrictOriginWhenCrossOrigin();
    policy.RemoveServerHeader();

    // NOTE(review): with COEP require-corp, the cross-origin style sources listed in the CSP
    // below only load if the CDN answers with CORP or CORS headers — confirm in a browser.
    policy.AddCrossOriginOpenerPolicy(coop => coop.SameOrigin());
    policy.AddCrossOriginEmbedderPolicy(coep => coep.RequireCorp());
    policy.AddCrossOriginResourcePolicy(corp => corp.SameOrigin());

    policy.AddContentSecurityPolicy(csp =>
    {
        csp.AddObjectSrc().None();
        csp.AddBlockAllMixedContent();
        csp.AddImgSrc().Self().From("data:");
        csp.AddFormAction().Self();
        csp.AddFontSrc().Self();
        csp.AddStyleSrc()
            .Self()
            .UnsafeInline()
            .From("https://cdn.jsdelivr.net")
            .From("https://kit.fontawesome.com");
        csp.AddBaseUri().Self();
        csp.AddFrameAncestors().None();
        // Blazor Server runs without 'unsafe-eval'. 'unsafe-inline' is still granted here,
        // which largely neutralises script-src as an XSS control; if the inline scripts can be
        // enumerated, a hash-based allow-list (WithHash256) would be the stricter replacement.
        csp.AddScriptSrc().Self().UnsafeInline(); //.WithHash256(""); //.UnsafeEval();
    });

    policy.AddPermissionsPolicy(features =>
    {
        // Everything denied except fullscreen, which is allowed for all origins.
        features.AddAccelerometer().None();
        features.AddAutoplay().None();
        features.AddCamera().None();
        features.AddEncryptedMedia().None();
        features.AddFullscreen().All();
        features.AddGeolocation().None();
        features.AddGyroscope().None();
        features.AddMagnetometer().None();
        features.AddMicrophone().None();
        features.AddMidi().None();
        features.AddPayment().None();
        features.AddPictureInPicture().None();
        features.AddSyncXHR().None();
        features.AddUsb().None();
    });

    if (!environment.IsDevelopment())
    {
        // maxage = one year in seconds
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return policy;
}
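/// <summary>
/// Builds the security-header policy for the Blazor WebAssembly host: framing denied, X-XSS-Protection
/// block, nosniff, strict-origin-when-cross-origin referrer, COOP/CORP same-origin and COEP require-corp,
/// a hash-based Content-Security-Policy whose form-action also admits the identity provider, the Server
/// header removed and a deny-by-default Permissions-Policy. HSTS is added only outside development.
/// </summary>
/// <param name="isDev">True when running in the development environment; suppresses HSTS.</param>
/// <param name="idpHost">Host (or origin) of the identity provider that login forms may post to.</param>
/// <returns>The configured <see cref="HeaderPolicyCollection"/>.</returns>
/// <exception cref="ArgumentException"><paramref name="idpHost"/> is null, empty or whitespace.</exception>
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)
{
    // An empty host would silently produce a malformed form-action source list; fail loudly instead.
    if (string.IsNullOrWhiteSpace(idpHost))
    {
        throw new ArgumentException("The identity provider host must be provided.", nameof(idpHost));
    }

    var policy = new HeaderPolicyCollection()
        .AddFrameOptionsDeny()
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
        .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
        .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
        .AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().Self().From("data:");
            // The IdP is the only cross-origin form target (login / logout redirects).
            builder.AddFormAction().Self().From(idpHost);
            builder.AddFontSrc().Self();
            builder.AddStyleSrc().Self();
            builder.AddBaseUri().Self();
            builder.AddFrameAncestors().None();
            // due to Blazor: the framework's inline bootstrap script is allowed by its SHA-256 hash
            // rather than 'unsafe-inline', and 'unsafe-eval' is required by the WebAssembly runtime.
            builder.AddScriptSrc()
                .Self()
                .WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
                .UnsafeEval();
            // disable script and style CSP protection if using Blazor hot reload
            // if using hot reload, DO NOT deploy with an insecure CSP
        })
        .RemoveServerHeader()
        .AddPermissionsPolicy(builder =>
        {
            // Deny every powerful feature except fullscreen, which is allowed for all origins.
            builder.AddAccelerometer().None();
            builder.AddAutoplay().None();
            builder.AddCamera().None();
            builder.AddEncryptedMedia().None();
            builder.AddFullscreen().All();
            builder.AddGeolocation().None();
            builder.AddGyroscope().None();
            builder.AddMagnetometer().None();
            builder.AddMicrophone().None();
            builder.AddMidi().None();
            builder.AddPayment().None();
            builder.AddPictureInPicture().None();
            builder.AddSyncXHR().None();
            builder.AddUsb().None();
        });

    if (!isDev)
    {
        // maxage = one year in seconds
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return policy;
}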
/// <summary>
/// Registers the security-headers middleware with the StatCan policy: same-origin framing, nosniff,
/// strict-origin-when-cross-origin referrer, Server header removed and a Content-Security-Policy
/// that allows fonts, styles and scripts from the public CDNs the front end depends on.
/// HSTS (one year, includeSubDomains) is added only outside the Development environment.
/// </summary>
/// <param name="app">The application pipeline to add the middleware to.</param>
/// <returns>The same <paramref name="app"/>, for chaining.</returns>
public static IApplicationBuilder UseStatCanSecurityHeaders(this IApplicationBuilder app)
{
    var env = app.ApplicationServices.GetRequiredService<IHostEnvironment>();

    // CDN allow-lists, in the same order as the original chained From() calls so the
    // emitted header text is unchanged.
    var fontHosts = new[] { "cdn.jsdelivr.net", "fonts.googleapis.com", "fonts.gstatic.com" };
    var styleHosts = new[]
    {
        "cdn.jsdelivr.net",
        "fonts.googleapis.com",
        "unpkg.com",
        "cdnjs.cloudflare.com",
        "stackpath.bootstrapcdn.com",
    };
    var scriptHosts = new[]
    {
        "cdn.jsdelivr.net",
        "code.jquery.com",
        "ajax.googleapis.com",
        "cdnjs.cloudflare.com",
        "vuejs.org",
        "unpkg.com",
        "stackpath.bootstrapcdn.com",
    };

    var policyCollection = new HeaderPolicyCollection()
        .AddFrameOptionsSameOrigin()
        .AddXssProtectionEnabled()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .RemoveServerHeader()
        .AddContentSecurityPolicy(csp =>
        {
            csp.AddObjectSrc().Self();
            csp.AddFormAction().Self();
            csp.AddFrameAncestors().Self();
            csp.AddDefaultSrc().Self();
            csp.AddImgSrc().Self().Data();

            var fontSrc = csp.AddFontSrc().Self().Data();
            foreach (var host in fontHosts)
            {
                fontSrc.From(host);
            }

            var styleSrc = csp.AddStyleSrc().UnsafeInline().Self();
            foreach (var host in styleHosts)
            {
                styleSrc.From(host);
            }

            // unsafe-eval needed for vue.js runtime templates. Combined with 'unsafe-inline'
            // and public package CDNs (jsdelivr, unpkg, cdnjs) this script-src gives little
            // protection against injected script; precompiled templates plus a nonce/hash-based
            // policy would be the stricter alternative.
            var scriptSrc = csp.AddScriptSrc().UnsafeEval().UnsafeInline().Self();
            foreach (var host in scriptHosts)
            {
                scriptSrc.From(host);
            }
        });

    if (!env.IsDevelopment())
    {
        // maxage = one year in seconds
        policyCollection.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return app.UseSecurityHeaders(policyCollection);
}
/// <summary>
/// Adds the Content-Security-Policy and, outside development, HSTS to <paramref name="policy"/>.
/// Production gets an API-style lockdown (every fetch directive 'none', base-uri 'self',
/// Trusted Types required for scripts); development gets a relaxed policy so the Swagger UI,
/// which needs inline styles and scripts, can render.
/// </summary>
/// <param name="isDev">True when running in the development environment.</param>
/// <param name="policy">The header collection to extend; mutated in place.</param>
private static void AddCspHstsDefinitions(bool isDev, HeaderPolicyCollection policy)
{
    if (isDev)
    {
        // allow swagger UI for dev
        policy.AddContentSecurityPolicy(csp =>
        {
            csp.AddObjectSrc().None();
            csp.AddBlockAllMixedContent();
            csp.AddImgSrc().Self().From("data:");
            csp.AddFormAction().Self();
            csp.AddFontSrc().Self();
            csp.AddStyleSrc().Self().UnsafeInline();
            csp.AddScriptSrc().Self().UnsafeInline(); //.WithNonce();
            csp.AddBaseUri().Self();
            csp.AddFrameAncestors().None();
        });
        return;
    }

    // Production: nothing may be loaded or posted anywhere; the service serves no UI.
    policy.AddContentSecurityPolicy(csp =>
    {
        csp.AddObjectSrc().None();
        csp.AddBlockAllMixedContent();
        csp.AddImgSrc().None();
        csp.AddFormAction().None();
        csp.AddFontSrc().None();
        csp.AddStyleSrc().None();
        csp.AddScriptSrc().None();
        csp.AddBaseUri().Self();
        csp.AddFrameAncestors().None();
        csp.AddCustomDirective("require-trusted-types-for", "'script'");
    });

    // maxage = one year in seconds
    policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
}