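        /// <summary>
        /// Creates the middleware and lets every configured header policy provider
        /// initialise its policy at construction time.
        /// </summary>
        /// <param name="options">The security header options to apply; must not be <c>null</c>.</param>
        /// <param name="next">The next delegate in the request pipeline; must not be <c>null</c>.</param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="options"/> or <paramref name="next"/> is <c>null</c>.
        /// </exception>
        public SecurityHeadersMiddleware(SecurityHeadersOptions options, RequestDelegate next)
        {
            // Fail fast with a descriptive exception rather than a NullReferenceException
            // when HeaderPolicyProviders is enumerated below; matches the argument
            // validation used by the UseSecurityHeaders extension methods.
            ArgumentNullException.ThrowIfNull(options, nameof(options));
            ArgumentNullException.ThrowIfNull(next, nameof(next));

            _options = options;
            _next    = next;

            foreach (var provider in _options.HeaderPolicyProviders)
            {
                provider.InitializePolicy();
            }
        }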
        /// <summary>
        /// Adds the security headers middleware to the pipeline, building the
        /// <see cref="SecurityHeadersOptions"/> through the supplied configuration callback.
        /// </summary>
        /// <param name="app">The application builder to extend.</param>
        /// <param name="optionsAction">Callback that populates a fresh <see cref="SecurityHeadersOptions"/> instance.</param>
        /// <returns>The same <paramref name="app"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="app"/> or <paramref name="optionsAction"/> is <c>null</c>.
        /// </exception>
        public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, Action <SecurityHeadersOptions> optionsAction)
        {
            ArgumentNullException.ThrowIfNull(app, nameof(app));
            ArgumentNullException.ThrowIfNull(optionsAction, nameof(optionsAction));

            // Start from default options and let the caller mutate them before registration.
            var configured = new SecurityHeadersOptions();
            optionsAction(configured);

            return app.UseSecurityHeaders(configured);
        }
        /// <summary>
        /// The Permissions-Policy header must be emitted, and its value must match the
        /// expected serialisation of the supplied policy entries.
        /// </summary>
        /// <param name="permissionsPolicies">Permissions-Policy entries to configure on the options.</param>
        /// <param name="expectedValue">Header value the middleware is expected to emit.</param>
        public async Task PermissionsPolicyHeaderShouldBeAdded(string[] permissionsPolicies, string expectedValue)
        {
            // Arrange
            var options    = new SecurityHeadersOptions { PermissionsPolicy = permissionsPolicies };
            var middleware = new SecurityHeadersMiddleware(options, Request);
            var context    = new DefaultHttpContext();

            // Act
            await middleware.Invoke(context);

            // Assert
            var headers = context.Response.Headers;
            Assert.True(headers.ContainsKey(SecurityHeaderNames.PermissionsPolicy));
            Assert.Equal(expectedValue, headers[SecurityHeaderNames.PermissionsPolicy]);
        }
        /// <summary>
        /// When <c>ContentTypeOptions</c> is set to <c>nosniff</c>, the X-Content-Type-Options
        /// header must be emitted with exactly that value.
        /// </summary>
        public async Task ContentTypeOptionsHeaderShouldBeAdded()
        {
            // Arrange
            var options    = new SecurityHeadersOptions { ContentTypeOptions = ContentTypeOptionsValue.NoSniff };
            var middleware = new SecurityHeadersMiddleware(options, Request);
            var context    = new DefaultHttpContext();

            // Act
            await middleware.Invoke(context);

            // Assert
            var headers = context.Response.Headers;
            Assert.True(headers.ContainsKey(SecurityHeaderNames.XContentTypeOptions));
            Assert.Equal(ContentTypeOptionsValue.NoSniff, headers[SecurityHeaderNames.XContentTypeOptions]);
        }
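        /// <summary>
        /// End-to-end check through the application builder: every header configured on the
        /// options (Content-Security-Policy, X-Content-Type-Options, Permissions-Policy,
        /// Referrer-Policy) must be emitted with the expected serialisation.
        /// </summary>
        /// <returns>A task that completes once the pipeline has run and the assertions have been evaluated.</returns>
        public async Task SecurityHeadersShouldAddedAccordingSuppliedOptions()
        {
            // Arrange
            var context = new DefaultHttpContext();
            var options = new SecurityHeadersOptions
            {
                ContentSecurityPolicy = new []
                {
                    $"{ContentSecurityPolicyValue.ChildSource} {ContentSecurityPolicyOriginValue.None}",
                    $"{ContentSecurityPolicyValue.ConnectSource} {ContentSecurityPolicyOriginValue.Self} https://www.domain1.com https://www.domain2.com",
                    $"{ContentSecurityPolicyValue.DefaultSource} {ContentSecurityPolicyOriginValue.Any}",
                },
                ContentTypeOptions = ContentTypeOptionsValue.NoSniff,
                PermissionsPolicy  = new []
                {
                    $"{PermissionsPolicyValue.Camera}={PermissionsPolicyOriginValue.Self}",
                    $"{PermissionsPolicyValue.Microphone}={PermissionsPolicyOriginValue.Any}",
                    $"{PermissionsPolicyValue.SpeakerSelection}={PermissionsPolicyOriginValue.Self} https://www.domain1.com https://www.domain2.com"
                },
                ReferrerPolicy = ReferrerPolicyValue.Origin
            };
            var applicationBuilder = CreateApplicationBuilder();

            // Act
            applicationBuilder.UseSecurityHeaders(options);

            // Invoke returns a Task. Awaiting it (as the other tests in this file do) makes a
            // faulted middleware surface as a test failure instead of an unobserved task, and
            // guarantees the assertions run only after the pipeline has completed.
            await applicationBuilder
                .Build()
                .Invoke(context);

            // Assert
            var headers = context.Response.Headers;
            Assert.Equal("child-src 'none',connect-src 'self' https://www.domain1.com https://www.domain2.com,default-src *", headers[SecurityHeaderNames.ContentSecurityPolicy]);
            Assert.Equal(ContentTypeOptionsValue.NoSniff, headers[SecurityHeaderNames.XContentTypeOptions]);
            Assert.Equal("camera=self,microphone=*,speaker-selection=self https://www.domain1.com https://www.domain2.com", headers[SecurityHeaderNames.PermissionsPolicy]);
            Assert.Equal(ReferrerPolicyValue.Origin, headers[SecurityHeaderNames.ReferrerPolicy]);
        }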
        /// <summary>
        /// Registers <see cref="SecurityHeadersMiddleware"/> in the pipeline using an
        /// already-built <see cref="SecurityHeadersOptions"/> instance.
        /// </summary>
        /// <param name="app">The application builder to extend.</param>
        /// <param name="options">Fully configured options, passed to the middleware as a constructor argument.</param>
        /// <returns>The same <paramref name="app"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="app"/> or <paramref name="options"/> is <c>null</c>.
        /// </exception>
        public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, SecurityHeadersOptions options)
        {
            ArgumentNullException.ThrowIfNull(app, nameof(app));
            ArgumentNullException.ThrowIfNull(options, nameof(options));

            // UseMiddleware forwards the extra argument to the middleware constructor.
            app.UseMiddleware<SecurityHeadersMiddleware>(options);
            return app;
        }