Skip to content

Instantly share code, notes, and snippets.

@adammendoza

adammendoza/SecurityHeader.cs

Forked from martea/SecurityHeader.cs
Created May 16, 2019 05:55
Show Gist options
  • Save adammendoza/5fbd30e09dd443536746ecc023c6a10f to your computer and use it in GitHub Desktop.
Save adammendoza/5fbd30e09dd443536746ecc023c6a10f to your computer and use it in GitHub Desktop.
Download ZIP
Skoruba Identityserver, shared securityheader
Raw
SecurityHeader.cs
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
public static class SecurityHeader {
public static void UseSecurityHeaders (this IApplicationBuilder app) {
app.UseForwardedHeaders (new ForwardedHeadersOptions {
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseHsts (options => options.MaxAge (365));
app.UseXXssProtection (options => options.EnabledWithBlockMode ());
app.UseXContentTypeOptions ();
app.UseReferrerPolicy (options => options.NoReferrer ());
var allowCspUrls = new List<string> {
"*.googleapis.com/",
"*.gstatic.com/",
};
app.UseCsp (options => {
options.FontSources (configuration => {
configuration.Enabled = true;
configuration.SelfSrc = true;
configuration.CustomSources = allowCspUrls;
});
//TODO: consider remove unsafe sources - currently using for toastr inline scripts in Notification.cshtml
options.ScriptSources (configuration => {
configuration.SelfSrc = true;
configuration.UnsafeInlineSrc = true;
configuration.UnsafeEvalSrc = true;
});
options.StyleSources (configuration => {
configuration.SelfSrc = true;
configuration.CustomSources = allowCspUrls;
configuration.UnsafeInlineSrc = true;
});
});
}
}
public class SecurityHeadersAttribute : ActionFilterAttribute {
public override void OnResultExecuting (ResultExecutingContext context) {
var result = context.Result;
if (result is ViewResult) {
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
context.HttpContext.Response.Headers.Remove ("X-Content-Type-Options");
context.HttpContext.Response.Headers.Add ("X-Content-Type-Options", "nosniff");
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
var csp = "default-src 'self'; img-src *; media-src *; script-src 'self';frame-src 'self'";
// also consider adding upgrade-insecure-requests once you have HTTPS in place for production
csp += "upgrade-insecure-requests;";
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey ("Content-Security-Policy")) {
context.HttpContext.Response.Headers.Add ("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey ("X-Content-Security-Policy")) {
context.HttpContext.Response.Headers.Add ("X-Content-Security-Policy", csp);
}
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
var referrer_policy = "no-referrer";
if (!context.HttpContext.Response.Headers.ContainsKey ("Referrer-Policy")) {
context.HttpContext.Response.Headers.Add ("Referrer-Policy", referrer_policy);
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment