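/// <summary>
/// Creates the middleware and initializes every configured header policy provider once, at construction.
/// </summary>
/// <param name="options">Header configuration; each entry of its <c>HeaderPolicyProviders</c> gets <c>InitializePolicy()</c> called here.</param>
/// <param name="next">The next delegate in the request pipeline.</param>
/// <exception cref="ArgumentNullException"><paramref name="options"/> or <paramref name="next"/> is <see langword="null"/>.</exception>
public SecurityHeadersMiddleware(SecurityHeadersOptions options, RequestDelegate next)
{
    // Fail fast with a descriptive exception instead of a NullReferenceException when
    // _options.HeaderPolicyProviders is dereferenced below; mirrors the guards in UseSecurityHeaders.
    ArgumentNullException.ThrowIfNull(options);
    ArgumentNullException.ThrowIfNull(next);

    _options = options;
    _next = next;

    // Policies are initialized once here rather than on every request.
    foreach (var provider in _options.HeaderPolicyProviders)
    {
        provider.InitializePolicy();
    }
}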
/// <summary>
/// Adds the security headers middleware to the pipeline, letting the caller configure a fresh
/// <see cref="SecurityHeadersOptions"/> through a delegate.
/// </summary>
/// <param name="app">The application builder to extend.</param>
/// <param name="optionsAction">Callback that populates the new <see cref="SecurityHeadersOptions"/>.</param>
/// <returns>The same <paramref name="app"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="optionsAction"/> is <see langword="null"/>.</exception>
public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, Action<SecurityHeadersOptions> optionsAction)
{
    ArgumentNullException.ThrowIfNull(app);
    ArgumentNullException.ThrowIfNull(optionsAction);

    // Materialize the options here, then defer to the options-based overload.
    SecurityHeadersOptions configured = new();
    optionsAction(configured);

    return app.UseSecurityHeaders(configured);
}
/// <summary>
/// Verifies that the Permissions-Policy response header is emitted with the value expected for the
/// supplied directives. Presumably data-driven by attributes that sit outside this listing.
/// </summary>
/// <param name="permissionsPolicies">Directives assigned to <c>SecurityHeadersOptions.PermissionsPolicy</c>.</param>
/// <param name="expectedValue">The exact header value the middleware is expected to write.</param>
public async Task PermissionsPolicyHeaderShouldBeAdded(string[] permissionsPolicies, string expectedValue)
{
    // Arrange
    // Request is the fixture's RequestDelegate (defined outside this listing) used as the terminal handler.
    var middleware = new SecurityHeadersMiddleware(
        new SecurityHeadersOptions { PermissionsPolicy = permissionsPolicies },
        Request);
    var httpContext = new DefaultHttpContext();

    // Act
    await middleware.Invoke(httpContext);

    // Assert
    var responseHeaders = httpContext.Response.Headers;
    Assert.True(responseHeaders.ContainsKey(SecurityHeaderNames.PermissionsPolicy));
    Assert.Equal(expectedValue, responseHeaders[SecurityHeaderNames.PermissionsPolicy]);
}
/// <summary>
/// Verifies that configuring <c>ContentTypeOptions</c> as <c>NoSniff</c> makes the middleware emit the
/// X-Content-Type-Options header with that same value.
/// </summary>
public async Task ContentTypeOptionsHeaderShouldBeAdded()
{
    // Arrange
    // Request is the fixture's RequestDelegate (defined outside this listing) used as the terminal handler.
    var middleware = new SecurityHeadersMiddleware(
        new SecurityHeadersOptions { ContentTypeOptions = ContentTypeOptionsValue.NoSniff },
        Request);
    var httpContext = new DefaultHttpContext();

    // Act
    await middleware.Invoke(httpContext);

    // Assert
    var responseHeaders = httpContext.Response.Headers;
    Assert.True(responseHeaders.ContainsKey(SecurityHeaderNames.XContentTypeOptions));
    Assert.Equal(ContentTypeOptionsValue.NoSniff, responseHeaders[SecurityHeaderNames.XContentTypeOptions]);
}
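/// <summary>
/// End-to-end check: registering the middleware through <c>UseSecurityHeaders(options)</c> and running
/// the built pipeline emits every configured header with the expected serialization.
/// </summary>
/// <remarks>
/// The built pipeline's <c>Invoke</c> returns a <see cref="Task"/>. It is awaited here — the method is
/// <c>async Task</c> like the other tests in this file — so the response is fully written before the
/// assertions run and any exception thrown inside the middleware fails the test instead of being lost
/// on an un-awaited task.
/// </remarks>
public async Task SecurityHeadersShouldAddedAccordingSuppliedOptions()
{
    // Arrange
    var context = new DefaultHttpContext();
    var options = new SecurityHeadersOptions
    {
        ContentSecurityPolicy = new[]
        {
            $"{ContentSecurityPolicyValue.ChildSource} {ContentSecurityPolicyOriginValue.None}",
            $"{ContentSecurityPolicyValue.ConnectSource} {ContentSecurityPolicyOriginValue.Self} https://www.domain1.com https://www.domain2.com",
            $"{ContentSecurityPolicyValue.DefaultSource} {ContentSecurityPolicyOriginValue.Any}",
        },
        ContentTypeOptions = ContentTypeOptionsValue.NoSniff,
        PermissionsPolicy = new[]
        {
            $"{PermissionsPolicyValue.Camera}={PermissionsPolicyOriginValue.Self}",
            $"{PermissionsPolicyValue.Microphone}={PermissionsPolicyOriginValue.Any}",
            $"{PermissionsPolicyValue.SpeakerSelection}={PermissionsPolicyOriginValue.Self} https://www.domain1.com https://www.domain2.com"
        },
        ReferrerPolicy = ReferrerPolicyValue.Origin
    };
    // CreateApplicationBuilder is a helper defined outside this listing.
    var applicationBuilder = CreateApplicationBuilder();

    // Act
    applicationBuilder.UseSecurityHeaders(options);
    await applicationBuilder.Build().Invoke(context);

    // Assert
    var headers = context.Response.Headers;

    // NOTE(review): the expected value joins CSP directives with ',' rather than the ';' directive
    // separator. A comma-separated Content-Security-Policy value is read by browsers as a list of
    // separate policies, each enforced on its own — confirm this serialization is what the library intends.
    Assert.Equal(
        "child-src 'none',connect-src 'self' https://www.domain1.com https://www.domain2.com,default-src *",
        headers[SecurityHeaderNames.ContentSecurityPolicy]);
    Assert.Equal(ContentTypeOptionsValue.NoSniff, headers[SecurityHeaderNames.XContentTypeOptions]);
    // Permissions-Policy is a comma-separated dictionary, so ',' is the expected separator here.
    Assert.Equal(
        "camera=self,microphone=*,speaker-selection=self https://www.domain1.com https://www.domain2.com",
        headers[SecurityHeaderNames.PermissionsPolicy]);
    Assert.Equal(ReferrerPolicyValue.Origin, headers[SecurityHeaderNames.ReferrerPolicy]);
}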
/// <summary>
/// Registers <see cref="SecurityHeadersMiddleware"/> in the pipeline with an already-built
/// <see cref="SecurityHeadersOptions"/> instance.
/// </summary>
/// <param name="app">The application builder to extend.</param>
/// <param name="options">Options handed to the middleware constructor as its first argument.</param>
/// <returns>The same <paramref name="app"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="options"/> is <see langword="null"/>.</exception>
public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, SecurityHeadersOptions options)
{
    ArgumentNullException.ThrowIfNull(app);
    ArgumentNullException.ThrowIfNull(options);

    // The options object is forwarded to the middleware constructor alongside the pipeline's RequestDelegate.
    app.UseMiddleware<SecurityHeadersMiddleware>(options);

    return app;
}