/// <summary>
/// Creates the middleware instance. Every dependency is mandatory and rejected up front so that a
/// misconfigured pipeline fails at startup rather than on the first request.
/// </summary>
/// <param name="next">Next delegate in the request pipeline.</param>
/// <param name="loggerFactory">Factory used to create this middleware's logger.</param>
/// <param name="settings">Header settings supplied by <c>UseSecurityHeader</c>.</param>
/// <exception cref="ArgumentNullException">Any argument is <c>null</c> (checked in the order loggerFactory, next, settings).</exception>
public SecurityHeader(RequestDelegate next, ILoggerFactory loggerFactory, CspSettings settings)
{
    if (loggerFactory is null)
    {
        throw new ArgumentNullException(nameof(loggerFactory));
    }
    if (next is null)
    {
        throw new ArgumentNullException(nameof(next));
    }
    if (settings is null)
    {
        throw new ArgumentNullException(nameof(settings));
    }

    _next = next;
    _logger = loggerFactory.CreateLogger<SecurityHeader>();
    // Instantiated eagerly; how the service is used is not visible in this constructor.
    _securityHeaderService = new SecurityHeaderService();
    _settings = settings;
}
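/// <summary>
/// Writes the configured security headers onto <paramref name="response"/>: a Content-Security-Policy
/// assembled from <paramref name="settings"/>, then every pair in <c>SecurityHeader</c>, then removal
/// of every name listed in <c>RemoveHeader</c>.
/// </summary>
/// <param name="response">Response whose headers are modified in place.</param>
/// <param name="settings">Directive sources and flags used to build the CSP value.</param>
/// <exception cref="ArgumentNullException"><paramref name="response"/> or <paramref name="settings"/> is <c>null</c>.</exception>
/// <remarks>
/// Directive values are copied verbatim from <paramref name="settings"/>; they are operator
/// configuration rather than request input, and no CSP syntax validation is performed here.
/// Fix: the CSP header is only written when at least one directive was produced. Previously an
/// empty <c>Content-Security-Policy</c> header was emitted when nothing was configured.
/// </remarks>
internal void ApplyResult(HttpResponse response, CspSettings settings)
{
    if (response is null)
    {
        throw new ArgumentNullException(nameof(response));
    }
    if (settings is null)
    {
        throw new ArgumentNullException(nameof(settings));
    }

    var headers = response.Headers;

    var csp = BuildCsp(settings);
    if (csp.Length > 0)
    {
        headers[CSP_HEADER] = csp;
    }

    // Fixed headers are applied after the CSP so a pair keyed on CSP_HEADER would win.
    foreach (var headerValuePair in SecurityHeader)
    {
        headers[headerValuePair.Key] = headerValuePair.Value;
    }

    // Removal runs last so it also strips anything written above.
    foreach (var header in RemoveHeader)
    {
        headers.Remove(header);
    }
}

/// <summary>
/// Assembles the CSP value in the original directive order ("name value;" per directive, no
/// separator whitespace). Returns an empty string when nothing is configured.
/// </summary>
private static string BuildCsp(CspSettings settings)
{
    var csp = new StringBuilder();
    AppendDirective(csp, "default-src", settings.Default);
    AppendDirective(csp, "img-src", settings.Image);
    AppendDirective(csp, "style-src", settings.Style);
    AppendDirective(csp, "font-src", settings.Font);
    AppendDirective(csp, "script-src", settings.Script);

    if (settings.BlockMixedContent)
    {
        // Blocks http sub-resources on https pages. NOTE(review): recent CSP drafts mark this
        // directive obsolete in favour of upgrade-insecure-requests; kept for existing configs.
        csp.Append("block-all-mixed-content;");
    }
    if (settings.UseHttps)
    {
        // Tells the browser to fetch http sub-resources over https instead.
        csp.Append("upgrade-insecure-requests;");
    }
    return csp.ToString();
}

/// <summary>Appends "directive value;" when the value is non-blank; the value is not validated.</summary>
private static void AppendDirective(StringBuilder csp, string directive, string value)
{
    if (!string.IsNullOrWhiteSpace(value))
    {
        csp.Append(directive).Append(' ').Append(value).Append(';');
    }
}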
/// <summary>
/// Registers the <see cref="SecurityHeader"/> middleware. A fresh <see cref="CspSettings"/> is handed
/// to <paramref name="configure"/> once, synchronously, and the populated object is passed to the
/// middleware constructor.
/// </summary>
/// <param name="app">Application builder to extend.</param>
/// <param name="configure">Callback that fills in the settings.</param>
/// <returns>The builder returned by <c>UseMiddleware</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="configure"/> is <c>null</c>.</exception>
public static IApplicationBuilder UseSecurityHeader(this IApplicationBuilder app, Action<CspSettings> configure)
{
    if (app is null)
    {
        throw new ArgumentNullException(nameof(app));
    }
    if (configure is null)
    {
        throw new ArgumentNullException(nameof(configure));
    }

    var cspSettings = new CspSettings();
    configure(cspSettings);
    return app.UseMiddleware<SecurityHeader>(cspSettings);
}