public static OwaspHeaders.Core.Models.SecureHeadersMiddlewareConfiguration CustomConfiguration() { return(SecureHeadersMiddlewareBuilder .CreateBuilder() .UseHsts(1200) .UseXSSProtection(XssMode.oneReport, "http://95.216.12.8:91") .UseContentDefaultSecurityPolicy() .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly) .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin) .RemovePoweredByHeader() .UseXFrameOptions() .UseContentSecurityPolicy() .UseReferrerPolicy() .Build()); }
public async Task Invoke_XFrameOptionsHeaderName_HeaderIsNotPresent() { // arrange var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (!headerNotPresentConfig.UseXFrameOptions) { Assert.False(_context.Response.Headers.ContainsKey(Constants.XFrameOptionsHeaderName)); } }
public async Task Invoke_StrictTransportSecurityHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseHsts().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseHsts); Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName)); Assert.Equal("max-age=63072000;includeSubDomains", _context.Response.Headers[Constants.StrictTransportSecurityHeaderName]); }
public async Task Invoke_XContentSecurityPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy(useXContentSecurityPolicy: true).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseXContentSecurityPolicy); Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentSecurityPolicyHeaderName)); Assert.Equal("block-all-mixed-content;upgrade-insecure-requests;", _context.Response.Headers[Constants.XContentSecurityPolicyHeaderName]); }
public async Task Invoke_ExpectCtHeaderName_HeaderIsPresent_ReportUri_Optional() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseExpectCt(string.Empty).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseExpectCt); Assert.True(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName)); Assert.Equal(headerPresentConfig.ExpectCt.BuildHeaderValue(), _context.Response.Headers[Constants.ExpectCtHeaderName]); }
public async Task Invoke_PermittedCrossDomainPoliciesHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UsePermittedCrossDomainPolicies().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy); Assert.True(_context.Response.Headers.ContainsKey(Constants.PermittedCrossDomainPoliciesHeaderName)); Assert.Equal("none;", _context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]); }
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent_WithMultipleCspSandboxTypes() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicy().Build(); headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); Assert.Equal("sandbox allow-forms allow-scripts allow-same-origin; block-all-mixed-content; upgrade-insecure-requests;", _context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]); }
public async Task Invoke_ReferrerPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseReferrerPolicy().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (headerPresentConfig.UseReferrerPolicy) { Assert.True(_context.Response.Headers.ContainsKey(Constants.ReferrerPolicyHeaderName)); Assert.Equal("no-referrer", _context.Response.Headers[Constants.ReferrerPolicyHeaderName]); } }
public async Task Invoke_XPoweredByHeader_DoNotRemoveHeader() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.False(headerPresentConfig.RemoveXPoweredByHeader); // Am currently running the 2.1.300 Preview 1 build of the SDK // and the server doesn't seem to add this header. // Therefore this assert is commented out, as it will always fail //Assert.True(_context.Response.Headers.ContainsKey(Constants.PoweredByHeaderName)); }
public async Task Invoke_ExpectCtHeaderName_HeaderIsNotPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseExpectCt("https://test.com/report").Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (!headerPresentConfig.UseExpectCt) { Assert.False(_context.Response.Headers.ContainsKey(Constants.ExpectCtHeaderName)); } }
public async Task Invoke_CacheControl_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseCacheControl().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseCacheControl); Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName)); Assert.Equal(headerPresentConfig.CacheControl.BuildHeaderValue(), _context.Response.Headers[Constants.CacheControlHeaderName]); }
public async Task Invoke_XContentTypeOptionsHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentTypeOptions().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (headerPresentConfig.UseXContentTypeOptions) { Assert.True(_context.Response.Headers.ContainsKey(Constants.XContentTypeOptionsHeaderName)); Assert.Equal("nosniff", _context.Response.Headers[Constants.XContentTypeOptionsHeaderName]); } }
public async Task Invoke_XssProtectionHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseXSSProtection().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (headerPresentConfig.UseXssProtection) { Assert.True(_context.Response.Headers.ContainsKey(Constants.XssProtectionHeaderName)); Assert.Equal("1; mode=block", _context.Response.Headers[Constants.XssProtectionHeaderName]); } }
public async Task Invoke_CacheControl_HeaderIsNotPresent() { // arrange var headerNotPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder(); headerNotPresentConfig.UseCacheControl = false; headerNotPresentConfig.Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerNotPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.False(headerNotPresentConfig.UseCacheControl); Assert.False(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName)); }
public async Task Invoke_ContentSecurityPolicyReportOnly_HeaderIsPresent_WithMultipleCspSandboxTypes() { const string reportUri = "https://localhost:5001/report-uri"; // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentSecurityPolicyReportOnly(reportUri).Build(); headerPresentConfig.SetCspSandBox(CspSandboxType.allowForms, CspSandboxType.allowScripts, CspSandboxType.allowSameOrigin); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyReportOnlyHeaderName)); Assert.Equal($"block-all-mixed-content;upgrade-insecure-requests;report-uri {reportUri};", _context.Response.Headers[Constants.ContentSecurityPolicyReportOnlyHeaderName]); }
public async Task Invoke_CacheControl_NoStore_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseCacheControl(noStore: true).Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert Assert.True(headerPresentConfig.UseCacheControl); Assert.True(_context.Response.Headers.ContainsKey(Constants.CacheControlHeaderName)); _context.Response.Headers.TryGetValue(Constants.CacheControlHeaderName, out var headerValues); Assert.True(headerValues.Any()); Assert.Contains("no-store", headerValues.First()); Assert.DoesNotContain("private", headerValues.First()); Assert.DoesNotContain("must-revalidate", headerValues.First()); }
private void ConfigureOwasp() { var config = SecureHeadersMiddlewareBuilder.CreateBuilder() .UseXFrameOptions() .UseXSSProtection() .UseContentTypeOptions() .UsePermittedCrossDomainPolicies() .UseReferrerPolicy() .RemovePoweredByHeader(); if (Configuration["Web:Https"] == "True") { config = config .UseHsts() .UseContentDefaultSecurityPolicy() .UseExpectCt("https://vambooru.herokuapp.com/api/security/report", 86400, true); } _secureHeadersMiddlewareConfiguration = config.Build(); }
/// <summary> /// Used to include the <see cref="SecureHeadersMiddleware"/> middleware and set up the /// <see cref="SecureHeadersMiddlewareConfiguration"/> for it. /// </summary> /// <param name="applicationBuilder"> /// The <see cref="IApplicationBuilder"/> which is used in the Http Pipeline /// </param> /// <param name="blockAndUpgradeInsecure"> /// OPTIONAL: Used to enable/disable blocking and upgrading odf all requests /// when not in developement /// </param> public static void UseSecureHeaders(this IApplicationBuilder applicationBuilder, string apiUrl, bool blockAndUpgradeInsecure = true) { var config = SecureHeadersMiddlewareBuilder .CreateBuilder() .UseHsts() .UseXFrameOptions() .UseXSSProtection() .UseContentTypeOptions() .UseContentSecurityPolicy(blockAllMixedContent: blockAndUpgradeInsecure, upgradeInsecureRequests: blockAndUpgradeInsecure) .UsePermittedCrossDomainPolicies() .UseReferrerPolicy() .Build(); config.ContentSecurityPolicyConfiguration.ScriptSrc = new List <ContenSecurityPolicyElement>() { new ContenSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "self" }, new ContenSecurityPolicyElement { CommandType = CspCommandType.Uri, DirectiveOrUri = "https://cdnjs.cloudflare.com" }, new ContenSecurityPolicyElement { CommandType = CspCommandType.Uri, DirectiveOrUri = apiUrl }, new ContenSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "sha256-e3w2Kj2e9dyg5Y6D+IcCncnl56F1dHbDjE0kjQw6zbg=" } }; applicationBuilder.UseSecureHeadersMiddleware(config); }
public async Task Invoke_ContentSecurityPolicyHeaderName_HeaderIsPresent() { // arrange var headerPresentConfig = SecureHeadersMiddlewareBuilder.CreateBuilder().UseContentDefaultSecurityPolicy().Build(); var secureHeadersMiddleware = new SecureHeadersMiddleware(_onNext, headerPresentConfig); // act await secureHeadersMiddleware.Invoke(_context); // assert if (headerPresentConfig.UseContentSecurityPolicy) { Assert.True(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); Assert.Equal("script-src 'self';object-src 'self';block-all-mixed-content; upgrade-insecure-requests;", _context.Response.Headers[Constants.ContentSecurityPolicyHeaderName]); } else { Assert.False(_context.Response.Headers.ContainsKey(Constants.ContentSecurityPolicyHeaderName)); } }
/// <summary> /// Used to include the <see cref="SecureHeadersMiddleware"/> middleware and set up the /// <see cref="SecureHeadersMiddlewareConfiguration"/> for it. /// </summary> /// <param name="applicationBuilder"> /// The <see cref="IApplicationBuilder"/> which is used in the Http Pipeline /// </param> /// <param name="blockAndUpgradeInsecure"> /// OPTIONAL: Used to enable/disable blocking and upgrading odf all requests /// when not in developement /// </param> public static void UseSecureHeaders(this IApplicationBuilder applicationBuilder, bool blockAndUpgradeInsecure = true) { var config = SecureHeadersMiddlewareBuilder .CreateBuilder() .UseHsts() .UseXFrameOptions() .UseXSSProtection() .UseContentTypeOptions() .UseContentSecurityPolicy(blockAllMixedContent: blockAndUpgradeInsecure, upgradeInsecureRequests: blockAndUpgradeInsecure) .UsePermittedCrossDomainPolicies() .UseReferrerPolicy() .Build(); config.ContentSecurityPolicyConfiguration.ScriptSrc = new List <ContentSecurityPolicyElement>() { new ContentSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "self" }, new ContentSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "sha256-gw/4FeYphgTzu5mo/iOEEHUjrRJsQ/F6lgqdtSc23GU=" }, new ContentSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "sha256-7I8kfi1IZHgnTNHryKWWH/oZV9dIkctQ77ABbgrpy6w=" }, new ContentSecurityPolicyElement { CommandType = CspCommandType.Directive, DirectiveOrUri = "sha256-3kf2chgLlsbYoTHVrm7JlIF6/529E3h6TGATiBxN4kU=" } }; applicationBuilder.UseSecureHeadersMiddleware(config); }