Exemplo n.º 1
0
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseIpRateLimiting();

            app.IntializeDatabase();

            app.UseCustomExceptionHandler();

            app.UseHsts(env);

            //app.UseElmah();

            app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareConfiguration.CustomConfiguration());

            app.UseCors(x => x.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());

            app.UseHttpsRedirection();

            app.UseStaticFiles();

            app.UseSwaggerAndUi();

            app.UseRouting();

            app.UseAuthentication();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
Exemplo n.º 2
0
        /// <summary>
        /// Thanks to Stack Overflow userrawb for this description:
        /// This is a common non-standard HTTP response header. It's often included by default in responses constructed via a particular scripting technology.
        /// Source: https://stackoverflow.com/a/33580769/1143474
        /// </summary>
        /// <remarks>
        /// A lot of web security experts recommend removing this header as it exposes the version
        /// of the server software. Malicious actors can target your application with attacks relevant
        /// to the version of the server software you are using.
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration RemovePoweredByHeader
            (this SecureHeadersMiddlewareConfiguration config)
        {
            config.RemoveXPoweredByHeader = true;

            return(config);
        }
Exemplo n.º 3
0
        /// <summary>
        /// Setting this header will prevent the browser from interpreting files as something
        /// else than declared by the content type in the HTTP headers
        /// </summary>
        /// <remarks>
        /// There is no value to pass in here, OWASP recommends that if you use this header
        /// (X-ContentType-Options), then the value of "nosniff" be used. "nosniff" is the default
        /// value for this header when using this middleware class.
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseContentTypeOptions
            (this SecureHeadersMiddlewareConfiguration config)
        {
            config.UseXContentTypeOptions = true;

            return(config);
        }
Exemplo n.º 4
0
 /// <summary>
 /// Governs whether the site can opt-into reporting or enforcement of certificate
 /// transparency requirements, which prevents the use of misissued certificates
 /// for that site from going unnoticed
 /// </summary>
 /// <param name="reportUri">
 /// [REQUIRED]
 /// Specifies the URI to which the user agent should report Expect-CT failures.
 /// </param>
 /// <param name="maxAge">
 /// [REQUIRED, HAS DEFAULT]
 /// Specifies the number of seconds after reception of the Expect-CT header field
 /// during which the user agent should regard the host from whom the message was
 /// received as a known Expect-CT host
 /// </param>
 /// <param name="enforce">
 /// [OPTIONAL]
 /// Signals to the user agent that compliance with the Certificate Transparency
 /// policy should be enforced (rather than only reporting compliance) and that the
 /// user agent should refuse future connections that violate its Certificate
 /// Transparency policy.
 /// </param>
 /// <exception cref="ArgumentException">
 /// An ArgumentException is thrown when no Report URI is supplied
 /// </exception>
 public static SecureHeadersMiddlewareConfiguration UseExpectCt
     (this SecureHeadersMiddlewareConfiguration config,
     string reportUri = null, int maxAge = 86400, bool enforce = false)
 {
     config.UseExpectCt = true;
     config.ExpectCt    = new ExpectCt(reportUri, maxAge, enforce);
     return(config);
 }
 /// <summary>
 /// The server did not return or returned an invalid 'Cache-Control' header which means page
 /// containing sensitive information (password, credit card, personal data, social security
 /// number, etc) could be stored on client side disk and then be exposed to unauthorised persons.
 /// This URL is flagged as a specific example.
 /// </summary>
 /// <param name="private">
 /// [OPTIONAL]
 /// Whether all or part of the HTTP response message is intended for a single user and must
 /// not be cached by a shared cache.
 /// </param>
 /// <param name="maxAge">
 /// [OPTIONAL]
 /// The maximum age, specified in seconds, that the HTTP client is willing to accept a response.
 /// </param>
 /// <exception cref="ArgumentException">
 /// An ArgumentException is thrown when no Report URI is supplied
 /// </exception>
 public static SecureHeadersMiddlewareConfiguration UseCacheControl
     (this SecureHeadersMiddlewareConfiguration config,
     bool @private       = true, int maxAge = 31536000, bool noCache = false, bool noStore = false,
     bool mustRevalidate = false)
 {
     config.UseCacheControl = true;
     config.CacheControl    = new CacheControl(@private, maxAge, noCache, noStore, mustRevalidate);
     return(config);
 }
Exemplo n.º 6
0
 /// <summary>
 /// Enables the Cross Site Scripting protection filter in the client browser.
 /// </summary>
 /// <param name="xssMode">
 /// The XSS Filter mode to use. Acceptable values are: zero, one, oneBlock, oneReport
 /// </param>
 /// <param name="reportUri">
 /// An option uri to report any XSS filter voilation to. This parameter is optional
 /// and will only be used if the value of <param name="xssMode"/> is set to oneReport
 /// </param>
 /// If no value for <param name="xssMode"/> is supplied, then the default one will
 /// be used. This default is based on the OWASP best practises for XSS Protection
 /// <remarks></remarks>
 public static SecureHeadersMiddlewareConfiguration UseXSSProtection
     (this SecureHeadersMiddlewareConfiguration config,
     XssMode xssMode  = XssMode.oneBlock,
     string reportUri = null)
 {
     config.UseXssProtection = true;
     config.XssConfiguration = new XssConfiguration(xssMode, reportUri);
     return(config);
 }
Exemplo n.º 7
0
        /// <summary>
        /// Includes the HTTP Strict Transport Security header in all responses
        /// generated by the application which consumes this middleware
        /// </summary>
        /// <param name="maxAge">
        /// The The time, in seconds, that the browser should remember that this
        /// site is only to be accessed using HTTPS
        /// </param>
        /// <param name="includeSubDomains">
        /// If this optional parameter is specified, this rule applies to all of
        /// the site's subdomains as well
        /// </param>
        /// <remarks>
        /// If no values for <param name="maxAge"/> or <param name="includeSubDomains"/>
        /// are provided, then default ones will be used. These default values will be
        /// based on the OWASP best practises values for HSTS.
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseHsts
            (this SecureHeadersMiddlewareConfiguration config,
            int maxAge = 63072000, bool includeSubDomains = true)
        {
            config.UseHsts           = true;
            config.HstsConfiguration = new HstsConfiguration(maxAge, includeSubDomains);

            return(config);
        }
Exemplo n.º 8
0
        /// <summary>
        /// Declares a policy communicated from a host to the client browser on whether
        /// the browser must not display the transmitted content in frames of other web pages
        /// </summary>
        /// <param name="xFrameOption">
        /// Whether or not we should allow rendering this site within a frame.
        /// Applicable values are: deny; sameorigin; and allowfrom
        /// </param>
        /// <param name="domain">
        /// If allowfrom is supplied, this optional parameter describes the domain in which
        /// our site is permitted to be loaded within a frame
        /// </param>
        /// <remarks>
        /// If no value for <param name="xFrameOption"/> is rovided, then default one will be
        /// used. This default value is based on the OWASP best practises value for X-Frame-Options.
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseXFrameOptions
            (this SecureHeadersMiddlewareConfiguration config,
            XFrameOptions xFrameOption = XFrameOptions.Deny,
            string domain = null)
        {
            config.UseXFrameOptions           = true;
            config.XFrameOptionsConfiguration = new XFrameOptionsConfiguration(xFrameOption, domain);

            return(config);
        }
        /// <summary>
        /// Used to set up the Content Security Policy Sandbox for a given or multiple <see cref="CspSandboxType"/>s
        /// </summary>
        public static SecureHeadersMiddlewareConfiguration SetCspSandBox
            (this SecureHeadersMiddlewareConfiguration config, params CspSandboxType[] sandboxType)
        {
            if (config.UseContentSecurityPolicy)
            {
                config.ContentSecurityPolicyConfiguration?.SetSandbox(sandboxType);
            }

            return(config);
        }
 public SecureHeadersInjectedTest()
 {
     _onNext = _ =>
     {
         Interlocked.Increment(ref _onNextCalledTimes);
         return(_onNextResult);
     };
     _context          = new DefaultHttpContext();
     _middlewareConfig = new SecureHeadersMiddlewareConfiguration();
 }
Exemplo n.º 11
0
        /// <summary>
        /// Governs which referrer information, sent in the Referer header, should be included with requests made
        /// </summary>
        /// <remarks>
        /// If a <see cref="ReferrerPolicyOptions"/> value is not supplied, then the default value of "no-referrer"
        /// will be used.
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseReferrerPolicy
            (this SecureHeadersMiddlewareConfiguration config,
            ReferrerPolicyOptions referrerPolicyOption =
            ReferrerPolicyOptions.noReferrer)
        {
            config.UseReferrerPolicy = true;

            config.ReferrerPolicy = new ReferrerPolicy(referrerPolicyOption);
            return(config);
        }
        /// <summary>
        /// Used to set the Content Security Policy URIs for a given <see cref="CspUriType"/>
        /// </summary>
        public static SecureHeadersMiddlewareConfiguration SetCspUris
            (this SecureHeadersMiddlewareConfiguration config, List <ContentSecurityPolicyElement> baseUri,
            CspUriType cspUriType)
        {
            if (config.UseContentSecurityPolicy)
            {
                config.ContentSecurityPolicyConfiguration?.SetCspUri(baseUri, cspUriType);
            }

            return(config);
        }
Exemplo n.º 13
0
        /// <summary>
        /// A cross-domain policy grants a web client permission to handle data across domains
        /// </summary>
        /// <remarks>
        /// If a <see cref="XPermittedCrossDomainOptionValue"/> is not supplied, then the default value of "none" will
        /// be used
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UsePermittedCrossDomainPolicies
            (this SecureHeadersMiddlewareConfiguration config,
            XPermittedCrossDomainOptionValue xPermittedCrossDomainOptionValue =
            XPermittedCrossDomainOptionValue.none)
        {
            config.UsePermittedCrossDomainPolicy = true;

            config.PermittedCrossDomainPolicyConfiguration =
                new PermittedCrossDomainPolicyConfiguration(xPermittedCrossDomainOptionValue);

            return(config);
        }
Exemplo n.º 14
0
        /// <summary>
        /// CSP prevents a wide range of attacks, including Cross-site scripting and other
        /// cross-site injections.
        /// </summary>
        /// <param name="pluginTypes">
        /// The set of plugins that can be invoked by the protected resource by limiting the
        /// types of resources that can be embedded
        /// </param>
        /// <param name="blockAllMixedContent">
        /// Prevent user agent from loading mixed content.
        /// </param>
        /// <param name="upgradeInsecureRequests">
        /// Instructs user agent to download insecure resources using HTTPS.
        /// </param>
        /// <param name="reportUri">
        /// Specifies a URI to which the user agent sends reports about policy violation.
        /// </param>
        /// <remarks>
        /// Requires consumer to set up their own Content Security Policy Rules via calls to
        /// SetCspUris, which is an extension method on the <see cref="SecureHeadersMiddlewareConfiguration"/> object
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseContentSecurityPolicy
            (this SecureHeadersMiddlewareConfiguration config,
            string pluginTypes           = null, bool blockAllMixedContent = true,
            bool upgradeInsecureRequests = true, string referrer           = null,
            string reportUri             = null)
        {
            config.UseContentSecurityPolicy = true;

            config.ContentSecurityPolicyConfiguration = new ContentSecurityPolicyConfiguration
                                                            (pluginTypes, blockAllMixedContent, upgradeInsecureRequests, referrer, reportUri);

            return(config);
        }
Exemplo n.º 15
0
        /// <summary>
        /// Governs whether the site can opt-into reporting or enforcement of certificate
        /// transparency requirements, which prevents the use of misissued certificates
        /// for that site from going unnoticed
        /// </summary>
        /// <param name="reportUri">
        /// [REQUIRED]
        /// Specifies the URI to which the user agent should report Expect-CT failures.
        /// </param>
        /// <param name="maxAge">
        /// [REQUIRED, HAS DEFAULT]
        /// Specifies the number of seconds after reception of the Expect-CT header field
        /// during which the user agent should regard the host from whom the message was
        /// received as a known Expect-CT host
        /// </param>
        /// <param name="enforce">
        /// [OPTIONAL]
        /// Signals to the user agent that compliance with the Certificate Transparency
        /// policy should be enforced (rather than only reporting compliance) and that the
        /// user agent should refuse future connections that violate its Certificate
        /// Transparency policy.
        /// </param>
        /// <exception cref="ArgumentException">
        /// An ArgumentException is thrown when no Report URI is supplied
        /// </exception>
        public static SecureHeadersMiddlewareConfiguration UseExpectCt
            (this SecureHeadersMiddlewareConfiguration config,
            string reportUri, int maxAge = 86400, bool enforce = false)
        {
            config.UseExpectCt = true;

            if (string.IsNullOrWhiteSpace(reportUri))
            {
                throw new ArgumentException($"Must supply value of {nameof(reportUri)} in {nameof(SecureHeadersMiddleware)}");
            }

            config.ExpectCt = new ExpectCt(reportUri, maxAge, enforce);
            return(config);
        }
        public static SecureHeadersMiddlewareConfiguration UseContentSecurityPolicyReportOnly
            (this SecureHeadersMiddlewareConfiguration config, string reportUri,
            string pluginTypes           = null, bool blockAllMixedContent = true,
            bool upgradeInsecureRequests = true, string referrer           = null, bool useXContentSecurityPolicy = false)
        {
            // Check whether the URI is valid before continuing
            if (!reportUri.IsValidHttpsUri())
            {
                ArgumentExceptionHelper.RaiseException(nameof(reportUri));
            }

            config.UseContentSecurityPolicyReportOnly = true;
            config.UseXContentSecurityPolicy          = useXContentSecurityPolicy;

            config.ContentSecurityPolicyReportOnlyConfiguration = new ContentSecurityPolicyReportOnlyConfiguration
                                                                      (pluginTypes, blockAllMixedContent, upgradeInsecureRequests, referrer, reportUri);

            return(config);
        }
Exemplo n.º 17
0
        private void ConfigureOwasp()
        {
            var config = SecureHeadersMiddlewareBuilder.CreateBuilder()
                         .UseXFrameOptions()
                         .UseXSSProtection()
                         .UseContentTypeOptions()
                         .UsePermittedCrossDomainPolicies()
                         .UseReferrerPolicy()
                         .RemovePoweredByHeader();

            if (Configuration["Web:Https"] == "True")
            {
                config = config
                         .UseHsts()
                         .UseContentDefaultSecurityPolicy()
                         .UseExpectCt("https://vambooru.herokuapp.com/api/security/report", 86400, true);
            }

            _secureHeadersMiddlewareConfiguration = config.Build();
        }
Exemplo n.º 18
0
        /// <summary>
        /// CSP prevents a wide range of attacks, including Cross-site scripting and other
        /// cross-site injections.
        /// </summary>
        /// <remarks>
        /// This method sets up a CSP header with:
        ///  - all mixed content blocked
        ///  - all insecure
        ///  - requests upgraded to HTTPS
        ///  - a ScriptSrc of "self"
        ///  - an ObjectSrc of "self"
        /// </remarks>
        public static SecureHeadersMiddlewareConfiguration UseContentDefaultSecurityPolicy
            (this SecureHeadersMiddlewareConfiguration config)
        {
            config.UseContentSecurityPolicy = true;

            config.ContentSecurityPolicyConfiguration = new ContentSecurityPolicyConfiguration
                                                            (null, true, true, null, null);

            config.SetCspUris(
                new List <ContenSecurityPolicyElement> {
                ContentSecurityPolicyHelpers.CreateSelfDirective()
            },
                CspUriType.Script);

            config.SetCspUris(
                new List <ContenSecurityPolicyElement> {
                ContentSecurityPolicyHelpers.CreateSelfDirective()
            },
                CspUriType.Object);

            return(config);
        }
Exemplo n.º 19
0
 /// <summary>
 /// Return the completed <see cref="SecureHeadersMiddlewareConfiguration"/> ready for consumption by the
 /// <see cref="SecureHeadersMiddleware"/> class
 /// </summary>
 public static SecureHeadersMiddlewareConfiguration Build
     (this SecureHeadersMiddlewareConfiguration config)
 {
     return(config);
 }
Exemplo n.º 20
0
 public SecureHeadersMiddleware(RequestDelegate next, SecureHeadersMiddlewareConfiguration config)
 {
     _next   = next;
     _config = config;
 }
Exemplo n.º 21
0
 /// <summary>
 /// Extention method to include the <see cref="SecureHeadersMiddleware" /> in
 /// an instance of an <see cref="IApplicationBuilder" />.
 /// This works in the same way was the MVC, Static files, etc. middleware
 /// </summary>
 /// <param name="builder">The instance of the <see cref="IApplicationBuilder" /> to use</param>
 /// <param name="config">An instance of the <see cref="SecureHeadersMiddlewareConfiguration" /> containing all of the config for each request </param>
 /// <returns>The <see cref="IApplicationBuilder"/> with the <see cref="SecureHeadersMiddleware" /> added</returns>
 public static IApplicationBuilder UseSecureHeadersMiddleware(this IApplicationBuilder builder, SecureHeadersMiddlewareConfiguration config)
 {
     return(builder.UseMiddleware <SecureHeadersMiddleware>(config));
 }