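        /// <summary>
        /// Builds the response-header policy set applied to every response: clickjacking,
        /// MIME-sniffing and referrer protections, cross-origin isolation (COOP/COEP/CORP),
        /// a nonce-based Content-Security-Policy, a restrictive Permissions-Policy and,
        /// outside development, HSTS.
        /// </summary>
        /// <param name="isDev">
        /// True when running in a development environment. HSTS is then omitted, which keeps
        /// a browser from pinning a local, non-HTTPS site to HTTPS for a year.
        /// </param>
        /// <returns>The populated <see cref="HeaderPolicyCollection"/>.</returns>
        public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
        {
            // One year in seconds, the unit the HSTS max-age directive expects.
            const int OneYearInSeconds = 60 * 60 * 24 * 365;

            var policy = new HeaderPolicyCollection()
                .AddFrameOptionsDeny()
                .AddXssProtectionBlock()
                .AddContentTypeOptionsNoSniff()
                .AddReferrerPolicyStrictOriginWhenCrossOrigin()
                // Registered once; the chain previously called RemoveServerHeader() a second
                // time after the CSP, which added nothing.
                .RemoveServerHeader()
                .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
                .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
                .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
                .AddContentSecurityPolicy(builder =>
                {
                    builder.AddObjectSrc().None();
                    builder.AddBlockAllMixedContent();
                    builder.AddImgSrc().Self().From("data:");
                    builder.AddFormAction().Self();
                    builder.AddFontSrc().Self();
                    builder.AddStyleSrc().Self();     // .UnsafeInline();
                    builder.AddBaseUri().Self();
                    // Nonce-based script policy: browsers that understand nonces (CSP Level 2+)
                    // ignore 'unsafe-inline' once a nonce is present, so it only serves as a
                    // fallback for older browsers. Every inline <script> must carry the nonce.
                    builder.AddScriptSrc().UnsafeInline().WithNonce();
                    builder.AddFrameAncestors().None();
                    // builder.AddCustomDirective("require-trusted-types-for", "'script'");
                })
                .AddPermissionsPolicy(builder =>
                {
                    // Deny every powerful browser feature except fullscreen.
                    builder.AddAccelerometer().None();
                    builder.AddAutoplay().None();
                    builder.AddCamera().None();
                    builder.AddEncryptedMedia().None();
                    builder.AddFullscreen().All();
                    builder.AddGeolocation().None();
                    builder.AddGyroscope().None();
                    builder.AddMagnetometer().None();
                    builder.AddMicrophone().None();
                    builder.AddMidi().None();
                    builder.AddPayment().None();
                    builder.AddPictureInPicture().None();
                    builder.AddSyncXHR().None();
                    builder.AddUsb().None();
                });

            if (!isDev)
            {
                policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
            }

            return policy;
        }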
        /// <summary>
        /// Registers the StatCan security-header middleware on the pipeline: frame, XSS-filter,
        /// nosniff and referrer headers, removal of the Server header, a Content-Security-Policy
        /// listing the CDNs, OAuth providers and Adobe Analytics hosts the site relies on, and
        /// HSTS whenever the host environment is not Development.
        /// </summary>
        /// <param name="app">The application pipeline builder to extend.</param>
        /// <returns><paramref name="app"/>, with the security-header middleware added.</returns>
        public static IApplicationBuilder UseStatCanSecurityHeaders(this IApplicationBuilder app)
        {
            // One year in seconds, the unit HSTS max-age expects.
            const int OneYearInSeconds = 60 * 60 * 24 * 365;

            IHostEnvironment hostEnvironment = app.ApplicationServices.GetRequiredService<IHostEnvironment>();

            var headers = new HeaderPolicyCollection();
            headers = headers.AddFrameOptionsSameOrigin();
            headers = headers.AddXssProtectionEnabled();
            headers = headers.AddContentTypeOptionsNoSniff();
            headers = headers.AddReferrerPolicyStrictOriginWhenCrossOrigin();
            headers = headers.RemoveServerHeader();
            headers = headers.AddContentSecurityPolicy(csp =>
            {
                csp.AddObjectSrc().Self();

                // form-action: hosts that forms may submit to; the external ones are the
                // OAuth redirect targets.
                csp.AddFormAction()
                    .Self()
                    .From("github.com")
                    .From("account.gccollab.ca")
                    .From("login.microsoftonline.com");

                csp.AddFrameAncestors().Self();
                csp.AddDefaultSrc().Self();

                // Image hosts; the omtrdc/demdex/everesttech entries are Adobe Analytics.
                csp.AddImgSrc()
                    .Self()
                    .Data()
                    .From("*.statcan.ca")
                    .From("*.statcan.gc.ca")
                    .From("*.omtrdc.net")
                    .From("*.demdex.net")
                    .From("cm.everesttech.net");

                csp.AddFontSrc()
                    .Self()
                    .Data()
                    .From("cdn.jsdelivr.net")
                    .From("fonts.googleapis.com")
                    .From("fonts.gstatic.com")
                    .From("cdn.materialdesignicons.com");

                csp.AddStyleSrc()
                    .UnsafeInline()
                    .Self()
                    .From("cdn.materialdesignicons.com")
                    .From("cdn.jsdelivr.net")
                    .From("fonts.googleapis.com")
                    .From("code.jquery.com")
                    .From("unpkg.com")
                    .From("cdnjs.cloudflare.com")
                    .From("stackpath.bootstrapcdn.com");

                // connect-src: XHR/fetch targets; dpm.demdex.net and canada.sc.omtrdc.net are Adobe Analytics.
                csp.AddConnectSrc()
                    .Self()
                    .From("cdn.jsdelivr.net")
                    .From("dpm.demdex.net")
                    .From("canada.sc.omtrdc.net");

                // script-src: 'unsafe-eval' is for vue-js in the oc admin, 'unsafe-inline' for the oc admin.
                // NOTE(review): with both keywords present this directive offers little protection
                // against injected script; each listed CDN is also fully trusted for script.
                csp.AddScriptSrc()
                    .UnsafeEval()
                    .UnsafeInline()
                    .Self()
                    .From("cdn.jsdelivr.net")
                    .From("code.jquery.com")
                    .From("ajax.googleapis.com")
                    .From("cdnjs.cloudflare.com")
                    .From("vuejs.org")
                    .From("unpkg.com")
                    .From("stackpath.bootstrapcdn.com")
                    .From("*.statcan.ca")
                    .From("*.statcan.gc.ca")
                    // Adobe Analytics hosts follow.
                    .From("*.2o7.net")
                    .From("*.omtrdc.net")
                    .From("*.tt.omtrdc.net")
                    .From("assets.adobedtm.com")
                    .From("*.demdex.net")
                    .From("cm.everesttech.net")
                    .From("*.adobe.com");

                // frame-src: Adobe Analytics identity frame.
                csp.AddFrameSource().Self().From("canada.demdex.net");
            });

            if (!hostEnvironment.IsDevelopment())
            {
                headers.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
            }

            return app.UseSecurityHeaders(headers);
        }
    /// <summary>
    /// Assembles the security-header policy set for the site: clickjacking, MIME-sniffing and
    /// referrer protections, cross-origin isolation (COOP/COEP/CORP), a Content-Security-Policy
    /// that admits the two style CDNs the pages use, a restrictive Permissions-Policy and,
    /// for every environment except Development, HSTS.
    /// </summary>
    /// <param name="environment">The hosting environment; decides whether HSTS is emitted.</param>
    /// <returns>The populated <see cref="HeaderPolicyCollection"/>.</returns>
    public static HeaderPolicyCollection CreateSecurityHeaderCollection(IWebHostEnvironment environment)
    {
        // One year in seconds, the unit HSTS max-age expects.
        const int OneYearInSeconds = 60 * 60 * 24 * 365;

        var headers = new HeaderPolicyCollection();
        headers = headers.AddFrameOptionsDeny();
        headers = headers.AddXssProtectionBlock();
        headers = headers.AddContentTypeOptionsNoSniff();
        headers = headers.AddReferrerPolicyStrictOriginWhenCrossOrigin();
        headers = headers.RemoveServerHeader();
        headers = headers.AddCrossOriginOpenerPolicy(coop => coop.SameOrigin());
        headers = headers.AddCrossOriginEmbedderPolicy(coep => coep.RequireCorp());
        headers = headers.AddCrossOriginResourcePolicy(corp => corp.SameOrigin());
        headers = headers.AddContentSecurityPolicy(csp =>
        {
            csp.AddObjectSrc().None();
            csp.AddBlockAllMixedContent();
            csp.AddImgSrc().Self().From("data:");
            csp.AddFormAction().Self();
            csp.AddFontSrc().Self();
            csp.AddStyleSrc()
                .Self()
                .UnsafeInline()
                .From("https://cdn.jsdelivr.net")
                .From("https://kit.fontawesome.com");
            csp.AddBaseUri().Self();
            csp.AddFrameAncestors().None();
            // Blazor Server seems to manage without unsafe inline and unsafe eval.
            // NOTE(review): 'unsafe-inline' is nevertheless still granted to script-src below;
            // confirm whether it is still needed before relying on this CSP against injected script.
            csp.AddScriptSrc().Self().UnsafeInline();     //.WithHash256(""); //.UnsafeEval();
        });
        headers = headers.AddPermissionsPolicy(features =>
        {
            // Deny every powerful browser feature except fullscreen.
            features.AddAccelerometer().None();
            features.AddAutoplay().None();
            features.AddCamera().None();
            features.AddEncryptedMedia().None();
            features.AddFullscreen().All();
            features.AddGeolocation().None();
            features.AddGyroscope().None();
            features.AddMagnetometer().None();
            features.AddMicrophone().None();
            features.AddMidi().None();
            features.AddPayment().None();
            features.AddPictureInPicture().None();
            features.AddSyncXHR().None();
            features.AddUsb().None();
        });

        if (environment.IsDevelopment())
        {
            // No HSTS in development: a local non-HTTPS site must not be pinned to HTTPS.
            return headers;
        }

        headers.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
        return headers;
    }
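    /// <summary>
    /// Builds the header policy set for an app that signs in through an external identity
    /// provider: clickjacking, MIME-sniffing and referrer protections, cross-origin isolation,
    /// a hash-based Content-Security-Policy sized for Blazor, a restrictive Permissions-Policy
    /// and, outside development, HSTS.
    /// </summary>
    /// <param name="isDev">True in a development environment; HSTS is then omitted.</param>
    /// <param name="idpHost">
    /// Host of the identity provider that login forms post to; it is added to the CSP
    /// form-action directive so the browser permits the submission.
    /// </param>
    /// <returns>The populated <see cref="HeaderPolicyCollection"/>.</returns>
    /// <exception cref="ArgumentException">
    /// <paramref name="idpHost"/> is null, empty or whitespace. Without this check the empty
    /// value would be written straight into the form-action directive and yield a malformed
    /// or unintended policy instead of a clear configuration error.
    /// </exception>
    public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)
    {
        // Validate before building anything: From(idpHost) embeds whatever it receives.
        if (string.IsNullOrWhiteSpace(idpHost))
        {
            throw new ArgumentException("The identity provider host must be a non-empty host name.", nameof(idpHost));
        }

        // One year in seconds, the unit HSTS max-age expects.
        const int OneYearInSeconds = 60 * 60 * 24 * 365;

        var policy = new HeaderPolicyCollection()
            .AddFrameOptionsDeny()
            .AddXssProtectionBlock()
            .AddContentTypeOptionsNoSniff()
            .AddReferrerPolicyStrictOriginWhenCrossOrigin()
            .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
            .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
            .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
            .AddContentSecurityPolicy(builder =>
            {
                builder.AddObjectSrc().None();
                builder.AddBlockAllMixedContent();
                builder.AddImgSrc().Self().From("data:");
                // Login forms post to the identity provider, so it must be an allowed form-action target.
                builder.AddFormAction().Self().From(idpHost);
                builder.AddFontSrc().Self();
                builder.AddStyleSrc().Self();
                builder.AddBaseUri().Self();
                builder.AddFrameAncestors().None();

                // due to Blazor: the SHA-256 hash admits one specific inline script (presumably
                // Blazor's bootstrap script — the hash must be regenerated whenever that script
                // changes, e.g. on a framework upgrade) without granting 'unsafe-inline';
                // 'unsafe-eval' is what the Blazor runtime requires.
                builder.AddScriptSrc()
                    .Self()
                    .WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
                    .UnsafeEval();

                // disable script and style CSP protection if using Blazor hot reload
                // if using hot reload, DO NOT deploy with an insecure CSP
            })
            .RemoveServerHeader()
            .AddPermissionsPolicy(builder =>
            {
                // Deny every powerful browser feature except fullscreen.
                builder.AddAccelerometer().None();
                builder.AddAutoplay().None();
                builder.AddCamera().None();
                builder.AddEncryptedMedia().None();
                builder.AddFullscreen().All();
                builder.AddGeolocation().None();
                builder.AddGyroscope().None();
                builder.AddMagnetometer().None();
                builder.AddMicrophone().None();
                builder.AddMidi().None();
                builder.AddPayment().None();
                builder.AddPictureInPicture().None();
                builder.AddSyncXHR().None();
                builder.AddUsb().None();
            });

        if (!isDev)
        {
            policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
        }

        return policy;
    }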
        /// <summary>
        /// Registers the StatCan security-header middleware on the pipeline: frame, XSS-filter,
        /// nosniff and referrer headers, removal of the Server header, a Content-Security-Policy
        /// listing the font, style and script CDNs the site loads from, and HSTS whenever the
        /// host environment is not Development.
        /// </summary>
        /// <param name="app">The application pipeline builder to extend.</param>
        /// <returns><paramref name="app"/>, with the security-header middleware added.</returns>
        public static IApplicationBuilder UseStatCanSecurityHeaders(this IApplicationBuilder app)
        {
            // One year in seconds, the unit HSTS max-age expects.
            const int OneYearInSeconds = 60 * 60 * 24 * 365;

            IHostEnvironment hostEnvironment = app.ApplicationServices.GetRequiredService<IHostEnvironment>();

            var headers = new HeaderPolicyCollection()
                .AddFrameOptionsSameOrigin()
                .AddXssProtectionEnabled()
                .AddContentTypeOptionsNoSniff()
                .AddReferrerPolicyStrictOriginWhenCrossOrigin()
                .RemoveServerHeader()
                .AddContentSecurityPolicy(csp =>
                {
                    csp.AddObjectSrc().Self();
                    csp.AddFormAction().Self();
                    csp.AddFrameAncestors().Self();
                    csp.AddDefaultSrc().Self();
                    csp.AddImgSrc().Self().Data();

                    csp.AddFontSrc()
                        .Self()
                        .Data()
                        .From("cdn.jsdelivr.net")
                        .From("fonts.googleapis.com")
                        .From("fonts.gstatic.com");

                    csp.AddStyleSrc()
                        .UnsafeInline()
                        .Self()
                        .From("cdn.jsdelivr.net")
                        .From("fonts.googleapis.com")
                        .From("unpkg.com")
                        .From("cdnjs.cloudflare.com")
                        .From("stackpath.bootstrapcdn.com");

                    // unsafe-eval needed for vue.js runtime templates.
                    // NOTE(review): combined with 'unsafe-inline', script-src no longer blocks
                    // injected inline script; the listed CDNs are each fully trusted for script.
                    csp.AddScriptSrc()
                        .UnsafeEval()
                        .UnsafeInline()
                        .Self()
                        .From("cdn.jsdelivr.net")
                        .From("code.jquery.com")
                        .From("ajax.googleapis.com")
                        .From("cdnjs.cloudflare.com")
                        .From("vuejs.org")
                        .From("unpkg.com")
                        .From("stackpath.bootstrapcdn.com");
                });

            if (hostEnvironment.IsDevelopment())
            {
                // No HSTS in development: a local non-HTTPS site must not be pinned to HTTPS.
                return app.UseSecurityHeaders(headers);
            }

            headers.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
            return app.UseSecurityHeaders(headers);
        }
 /// <summary>
 /// Adds the Content-Security-Policy and (outside development) HSTS entries to
 /// <paramref name="policy"/>. Production gets a fully locked-down CSP in which every
 /// fetch directive is 'none' and Trusted Types are required for script sinks; development
 /// relaxes script-src and style-src far enough for the Swagger UI to load.
 /// </summary>
 /// <param name="isDev">True when running in a development environment.</param>
 /// <param name="policy">The header policy collection to extend; it is modified in place.</param>
 private static void AddCspHstsDefinitions(bool isDev, HeaderPolicyCollection policy)
 {
     if (isDev)
     {
         // allow swagger UI for dev: 'self' plus 'unsafe-inline' for styles and scripts.
         // This relaxed policy is for local use only.
         policy.AddContentSecurityPolicy(csp =>
         {
             csp.AddObjectSrc().None();
             csp.AddBlockAllMixedContent();
             csp.AddImgSrc().Self().From("data:");
             csp.AddFormAction().Self();
             csp.AddFontSrc().Self();
             csp.AddStyleSrc().Self().UnsafeInline();
             csp.AddScriptSrc().Self().UnsafeInline(); //.WithNonce();
             csp.AddBaseUri().Self();
             csp.AddFrameAncestors().None();
         });
         return;
     }

     // Production: no images, forms, fonts, styles or scripts may load at all, and
     // require-trusted-types-for 'script' makes DOM XSS sinks accept only Trusted Types.
     policy.AddContentSecurityPolicy(csp =>
     {
         csp.AddObjectSrc().None();
         csp.AddBlockAllMixedContent();
         csp.AddImgSrc().None();
         csp.AddFormAction().None();
         csp.AddFontSrc().None();
         csp.AddStyleSrc().None();
         csp.AddScriptSrc().None();
         csp.AddBaseUri().Self();
         csp.AddFrameAncestors().None();
         csp.AddCustomDirective("require-trusted-types-for", "'script'");
     });

     // One year in seconds, the unit HSTS max-age expects.
     const int OneYearInSeconds = 60 * 60 * 24 * 365;
     policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: OneYearInSeconds);
 }