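/// <summary>
/// Adds the default hardened header set (X-Frame-Options, X-Content-Type-Options, HSTS,
/// Referrer-Policy, a restrictive Permissions-Policy, no Server header) together with a
/// Content-Security-Policy that always carries a restrictive baseline
/// (object-src 'none', form-action 'self', frame-ancestors 'none') while leaving the
/// remaining CSP directives under the caller's control.
/// </summary>
/// <param name="app">The application pipeline the security-headers middleware is added to.</param>
/// <param name="reportOnly">
/// When <c>true</c>, the caller's policy is emitted as Content-Security-Policy-Report-Only
/// (violations are reported, nothing in it is enforced) while the baseline above is still
/// enforced. When <c>false</c>, baseline and caller's directives are enforced together in
/// a single Content-Security-Policy header.
/// </param>
/// <param name="cspBuilder">
/// Caller-supplied CSP directives. A directive the caller sets for the same directive name
/// as a baseline entry takes precedence over the baseline.
/// </param>
/// <returns>The same <paramref name="app"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="cspBuilder"/> is null.</exception>
public static IApplicationBuilder UseCspWithFeaturePolicy(this IApplicationBuilder app, bool reportOnly, Action<CspBuilder> cspBuilder)
{
    // Fail at startup with a clear message rather than inside the header middleware.
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    if (cspBuilder == null)
    {
        throw new ArgumentNullException(nameof(cspBuilder));
    }

    // Baseline directives that must be present in the enforced CSP regardless of what the
    // caller adds: no plugin content, forms post only to this origin, nobody may frame us.
    Action<CspBuilder> applyBaseline = builder =>
    {
        builder.AddObjectSrc().None();
        builder.AddFormAction().Self();
        builder.AddFrameAncestors().None();
    };

    var head = new HeaderPolicyCollection()
        // X-Frame-Options SAMEORIGIN is looser than the frame-ancestors 'none' baseline;
        // CSP-aware browsers honour frame-ancestors, legacy browsers fall back to this header.
        .AddFrameOptionsSameOrigin()
        // NOTE(review): X-XSS-Protection is deprecated; current guidance is to send "0" or
        // omit it entirely. Kept here to preserve the existing header set.
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        // includeSubDomains: every subdomain must already be served over HTTPS before this
        // reaches production, otherwise those hosts become unreachable for the max-age period.
        .AddStrictTransportSecurityMaxAgeIncludeSubDomains()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .AddPermissionsPolicy(fp => fp.AddDefaultPermissionsPolicy())
        .AddCustomHeader("X-Permitted-Cross-Domain-Policies", "none")
        .RemoveServerHeader();

    if (reportOnly)
    {
        // Enforce the baseline and surface the caller's policy as report-only so it can be
        // tuned from violation reports before it is switched to enforcing mode.
        head.AddContentSecurityPolicy(applyBaseline);
        head.AddContentSecurityPolicyReportOnly(cspBuilder);
    }
    else
    {
        // Compose baseline and caller directives into ONE policy. Registering them through
        // two separate AddContentSecurityPolicy calls is not a merge: the header policy
        // collection keys policies by header name, so the later registration replaces the
        // earlier one and the baseline would be silently dropped from the enforced header.
        // NOTE(review): confirm this replace-not-merge semantics against the
        // NetEscapades.AspNetCore.SecurityHeaders version in use when upgrading.
        head.AddContentSecurityPolicy(builder =>
        {
            applyBaseline(builder);
            cspBuilder(builder);
        });
    }

    return app.UseSecurityHeaders(head);
}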