Update security headers

damienbod · Oct 26, 2024 · 777ba6c · 777ba6c
1 parent 146a3a8
commit 777ba6c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 24 deletions.
diff --git a/BlazorAuth0Bff/Server/Program.cs b/BlazorAuth0Bff/Server/Program.cs
@@ -1,10 +1,20 @@
 using Microsoft.AspNetCore.Mvc.Authorization;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
 var services = builder.Services;
 var configuration = builder.Configuration;
 
+var idp = $"https://{configuration["Auth0:Domain"]}";
+
+services.AddSecurityHeaderPolicies()
+  .SetPolicySelector((PolicySelectorContext ctx) =>
+  {
+  return SecurityHeadersDefinitions.GetHeaderPolicyCollection(
+      builder.Environment.IsDevelopment(), idp);
+  });
+
 services.AddAntiforgery(options =>
 {
     options.HeaderName = AntiforgeryDefaults.HeaderName;
@@ -111,10 +121,7 @@
     app.UseExceptionHandler("/Error");
 }
 
-var idp = $"https://{configuration["Auth0:Domain"]}";
-app.UseSecurityHeaders(
-    SecurityHeadersDefinitions
-        .GetHeaderPolicyCollection(app.Environment.IsDevelopment(), idp));
+app.UseSecurityHeaders();
 
 app.UseHttpsRedirection();
 app.UseBlazorFrameworkFiles();

diff --git a/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs b/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs
@@ -2,11 +2,17 @@
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
     {
         ArgumentNullException.ThrowIfNull(idpHost);
 
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null) return policy;
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
@@ -33,32 +39,14 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains();
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }