public static OwaspHeaders.Core.Models.SecureHeadersMiddlewareConfiguration CustomConfiguration()
{
return(SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts(1200)
.UseXSSProtection(XssMode.oneReport, "http://95.216.12.8:91")
.UseContentDefaultSecurityPolicy()
.UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
.UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
.RemovePoweredByHeader()
.UseXFrameOptions()
.UseContentSecurityPolicy()
.UseReferrerPolicy()
.Build());
}
public async Task Invoke_XFrameOptionsHeaderName_HeaderIsNotPresent()
{
// arrange
var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (!headerNotPresentConfig.UseXFrameOptions)
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.XFrameOptionsHeaderName));
}
}
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseHsts().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseHsts);
Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
Assert.Equal("max-age=63072000;includeSubDomains",
_context.Response.Headers[Constants.StrictTransportSecurityHeaderName]);
}
public async Task Invoke_XContentSecurityPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy(useXContentSecurityPolicy: true).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseXContentSecurityPolicy);
Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentSecurityPolicyHeaderName));
Assert.Equal("block-all-mixed-content;upgrade-insecure-requests;",
_context.Response.Headers[Constants.XContentSecurityPolicyHeaderName]);
}
public async Task Invoke_ExpectCtHeaderName_HeaderIsPresent_ReportUri_Optional()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseExpectCt(string.Empty).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseExpectCt);
Assert.True(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName));
Assert.Equal(headerPresentConfig.ExpectCt.BuildHeaderValue(),
_context.Response.Headers[Constants.ExpectCtHeaderName]);
}
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig =
SecureHeadersMiddlewareBuilder.CreateBuilder().UsePermittedCrossDomainPolicies().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy);
Assert.True(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName));
Assert.Equal("none;",
_context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
}
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent_WithMultipleCspSandboxTypes()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy().Build();
headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin);
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
Assert.Equal("sandbox allow-forms allow-scripts allow-same-origin; block-all-mixed-content; upgrade-insecure-requests;",
_context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]);
}
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseReferrerPolicy().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (headerPresentConfig.UseReferrerPolicy)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName));
Assert.Equal("no-referrer", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]);
}
}
public async Task Invoke_XPoweredByHeader_DoNotRemoveHeader()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.False(headerPresentConfig.RemoveXPoweredByHeader);
// Am currently running the 2.1.300 Preview 1 build of the SDK
// and the server doesn't seem to add this header.
// Therefore this assert is commented out, as it will always fail
//Assert.True(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName));
}
public async Task Invoke_ExpectCtHeaderName_HeaderIsNotPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseExpectCt("https://test.com/report").Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (!headerPresentConfig.UseExpectCt)
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName));
}
}
public async Task Invoke_CacheControl_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseCacheControl().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseCacheControl);
Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
Assert.Equal(headerPresentConfig.CacheControl.BuildHeaderValue(),
_context.Response.Headers[Constants.CacheControlHeaderName]);
}
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentTypeOptions().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (headerPresentConfig.UseXContentTypeOptions)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName));
Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]);
}
}
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseXSSProtection().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (headerPresentConfig.UseXssProtection)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName));
Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]);
}
}
public async Task Invoke_CacheControl_HeaderIsNotPresent()
{
// arrange
var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder();
headerNotPresentConfig.UseCacheControl = false;
headerNotPresentConfig.Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.False(headerNotPresentConfig.UseCacheControl);
Assert.False(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
}
public async Task Invoke_ContentSecurityPolicyReportOnly_HeaderIsPresent_WithMultipleCspSandboxTypes()
{
const string reportUri = "https://localhost:5001/report-uri";
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicyReportOnly(reportUri).Build();
headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin);
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyReportOnlyHeaderName));
Assert.Equal($"block-all-mixed-content;upgrade-insecure-requests;report-uri {reportUri};",
_context.Response.Headers[Constants.ContentSecurityPolicyReportOnlyHeaderName]);
}
public async Task Invoke_CacheControl_NoStore_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseCacheControl(noStore: true).Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
Assert.True(headerPresentConfig.UseCacheControl);
Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName));
_context.Response.Headers.TryGetValue(Constants.CacheControlHeaderName, out var headerValues);
Assert.True(headerValues.Any());
Assert.Contains("no-store", headerValues.First());
Assert.DoesNotContain("private", headerValues.First());
Assert.DoesNotContain("must-revalidate", headerValues.First());
}
private void ConfigureOwasp()
{
var config = SecureHeadersMiddlewareBuilder.CreateBuilder()
.UseXFrameOptions()
.UseXSSProtection()
.UseContentTypeOptions()
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.RemovePoweredByHeader();
if (Configuration["Web:Https"] == "True")
{
config = config
.UseHsts()
.UseContentDefaultSecurityPolicy()
.UseExpectCt("https://vambooru.herokuapp.com/api/security/report", 86400, true);
}
_secureHeadersMiddlewareConfiguration = config.Build();
}
/// <summary>
/// Used to include the <see cref="SecureHeadersMiddleware"/> middleware and set up the
/// <see cref="SecureHeadersMiddlewareConfiguration"/> for it.
/// </summary>
/// <param name="applicationBuilder">
/// The <see cref="IApplicationBuilder"/> which is used in the Http Pipeline
/// </param>
/// <param name="blockAndUpgradeInsecure">
/// OPTIONAL: Used to enable/disable blocking and upgrading odf all requests
/// when not in developement
/// </param>
public static void UseSecureHeaders(this IApplicationBuilder applicationBuilder,
string apiUrl,
bool blockAndUpgradeInsecure = true)
{
var config = SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts()
.UseXFrameOptions()
.UseXSSProtection()
.UseContentTypeOptions()
.UseContentSecurityPolicy(blockAllMixedContent: blockAndUpgradeInsecure, upgradeInsecureRequests: blockAndUpgradeInsecure)
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.Build();
config.ContentSecurityPolicyConfiguration.ScriptSrc = new List <ContenSecurityPolicyElement>()
{
new ContenSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "self"
},
new ContenSecurityPolicyElement
{
CommandType = CspCommandType.Uri,
DirectiveOrUri = "https://cdnjs.cloudflare.com"
},
new ContenSecurityPolicyElement
{
CommandType = CspCommandType.Uri,
DirectiveOrUri = apiUrl
},
new ContenSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "sha256-e3w2Kj2e9dyg5Y6D+IcCncnl56F1dHbDjE0kjQw6zbg="
}
};
applicationBuilder.UseSecureHeadersMiddleware(config);
}
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent()
{
// arrange
var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentDefaultSecurityPolicy().Build();
var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig);
// act
await secureHeadersMiddleware.Invoke(_context);
// assert
if (headerPresentConfig.UseContentSecurityPolicy)
{
Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
Assert.Equal("script-src 'self';object-src 'self';block-all-mixed-content; upgrade-insecure-requests;",
_context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]);
}
else
{
Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName));
}
}
/// <summary>
/// Used to include the <see cref="SecureHeadersMiddleware"/> middleware and set up the
/// <see cref="SecureHeadersMiddlewareConfiguration"/> for it.
/// </summary>
/// <param name="applicationBuilder">
/// The <see cref="IApplicationBuilder"/> which is used in the Http Pipeline
/// </param>
/// <param name="blockAndUpgradeInsecure">
/// OPTIONAL: Used to enable/disable blocking and upgrading odf all requests
/// when not in developement
/// </param>
public static void UseSecureHeaders(this IApplicationBuilder applicationBuilder, bool blockAndUpgradeInsecure = true)
{
var config = SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts()
.UseXFrameOptions()
.UseXSSProtection()
.UseContentTypeOptions()
.UseContentSecurityPolicy(blockAllMixedContent: blockAndUpgradeInsecure, upgradeInsecureRequests: blockAndUpgradeInsecure)
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.Build();
config.ContentSecurityPolicyConfiguration.ScriptSrc = new List <ContentSecurityPolicyElement>()
{
new ContentSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "self"
},
new ContentSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "sha256-gw/4FeYphgTzu5mo/iOEEHUjrRJsQ/F6lgqdtSc23GU="
},
new ContentSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "sha256-7I8kfi1IZHgnTNHryKWWH/oZV9dIkctQ77ABbgrpy6w="
},
new ContentSecurityPolicyElement
{
CommandType = CspCommandType.Directive,
DirectiveOrUri = "sha256-3kf2chgLlsbYoTHVrm7JlIF6/529E3h6TGATiBxN4kU="
}
};
applicationBuilder.UseSecureHeadersMiddleware(config);
}
