From 777ba6c839b34c66240074659b9647b8e2b66170 Mon Sep 17 00:00:00 2001
From: damienbod
Date: Sat, 26 Oct 2024 10:00:58 +0200
Subject: [PATCH] Update security headers

---
 BlazorAuth0Bff/Server/Program.cs | 15 +++++++---
 .../Server/SecurityHeadersDefinitions.cs | 28 ++++++-------------
 2 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/BlazorAuth0Bff/Server/Program.cs b/BlazorAuth0Bff/Server/Program.cs
index e90db99..e12b76d 100644
--- a/BlazorAuth0Bff/Server/Program.cs
+++ b/BlazorAuth0Bff/Server/Program.cs
@@ -1,10 +1,20 @@
 using Microsoft.AspNetCore.Mvc.Authorization;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 var builder = WebApplication.CreateBuilder(args);
 var services = builder.Services;
 var configuration = builder.Configuration;
+var idp = $"https://{configuration["Auth0:Domain"]}";
+
+services.AddSecurityHeaderPolicies()
+ .SetPolicySelector((PolicySelectorContext ctx) =>
+ {
+ return SecurityHeadersDefinitions.GetHeaderPolicyCollection(
+ builder.Environment.IsDevelopment(), idp);
+ });
+
 services.AddAntiforgery(options =>
 {
 options.HeaderName = AntiforgeryDefaults.HeaderName;
@@ -111,10 +121,7 @@
 app.UseExceptionHandler("/Error");
 }
-var idp = $"https://{configuration["Auth0:Domain"]}";
-app.UseSecurityHeaders(
- SecurityHeadersDefinitions
- .GetHeaderPolicyCollection(app.Environment.IsDevelopment(), idp));
+app.UseSecurityHeaders();
 app.UseHttpsRedirection();
 app.UseBlazorFrameworkFiles();
diff --git a/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs b/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs
index c4ce8a6..1adaeda 100644
--- a/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs
+++ b/BlazorAuth0Bff/Server/SecurityHeadersDefinitions.cs
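Review bot: `idp` is built by string interpolation, so a missing `Auth0:Domain` setting yields the string `https://` rather than null, and the `ArgumentNullException.ThrowIfNull(idpHost)` guard in `GetHeaderPolicyCollection` never fires; the misconfiguration would presumably only surface as a policy built for the wrong origin. Fail fast at startup instead: `var domain = configuration["Auth0:Domain"] ?? throw new InvalidOperationException("Auth0:Domain is not configured.");` followed by `var idp = $"https://{domain}";`. The only other use of this expression is the one removed in the second hunk of this file, so no further caller needs changing. The `ctx` parameter of the selector lambda is unused; naming it `_` makes that explicit.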
@@ -2,11 +2,17 @@
 public static class SecurityHeadersDefinitions
 {
+ private static HeaderPolicyCollection? policy;
+
 public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
 {
 ArgumentNullException.ThrowIfNull(idpHost);
- var policy = new HeaderPolicyCollection()
+ // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+ // Where possible, cache and reuse HeaderPolicyCollection instances.
+ if (policy != null) return policy;
+
+ policy = new HeaderPolicyCollection()
 .AddFrameOptionsDeny()
 .AddContentTypeOptionsNoSniff()
 .AddReferrerPolicyStrictOriginWhenCrossOrigin()
@@ -33,23 +39,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 })
 .RemoveServerHeader()
- .AddPermissionsPolicy(builder =>
- {
- builder.AddAccelerometer().None();
- builder.AddAutoplay().None();
- builder.AddCamera().None();
- builder.AddEncryptedMedia().None();
- builder.AddFullscreen().All();
- builder.AddGeolocation().None();
- builder.AddGyroscope().None();
- builder.AddMagnetometer().None();
- builder.AddMicrophone().None();
- builder.AddMidi().None();
- builder.AddPayment().None();
- builder.AddPictureInPicture().None();
- builder.AddSyncXHR().None();
- builder.AddUsb().None();
- });
+ .AddPermissionsPolicyWithDefaultSecureDirectives();
 if (!isDev)
 {
@@ -57,8 +47,6 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains();
 }
- policy.ApplyDocumentHeadersToAllResponses();
-
 return policy;
 }
 }
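Review bot: The static `policy` field is published before the collection is complete: `policy = new HeaderPolicyCollection()...` assigns the shared field as soon as the fluent chain returns, yet the `if (!isDev)` block (in the hunks below, outside this one) still calls `policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains()` on that same instance afterwards. A concurrent request that passes `if (policy != null) return policy;` in that window is served from a collection without HSTS, and if the middleware enumerates the collection while it is being mutated the outcome is undefined. Build into a local, configure it fully, and assign the field last; `Interlocked.CompareExchange` keeps a lost race harmless because both builds are equivalent. Separately, the cache is keyed on nothing, so the `isDev`/`idpHost` arguments of every call after the first are ignored — worth stating in a comment such as `// Built once on first use; later isDev/idpHost arguments are ignored (the policy selector in Program.cs always passes the same values).`
```csharp
if (policy is not null) return policy;

var built = new HeaderPolicyCollection()
    .AddFrameOptionsDeny()
    // … unchanged: remaining directives of the chain …
    .AddPermissionsPolicyWithDefaultSecureDirectives();

if (!isDev)
{
    // … unchanged: any other production-only directives not shown in the hunks …
    built.AddStrictTransportSecurityMaxAgeIncludeSubDomains();
}

// Publish only once fully configured; if another request finished first, reuse its instance.
return System.Threading.Interlocked.CompareExchange(ref policy, built, null) ?? built;
```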
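Review bot: `.AddPermissionsPolicyWithDefaultSecureDirectives()` replaces an explicit list that deliberately granted `fullscreen=*` (`builder.AddFullscreen().All()`) while denying everything else; whether the library's default set grants fullscreen at all is not visible here, so a client feature relying on it may silently lose the permission. Confirm the emitted `Permissions-Policy` header against the previous directives and record the intent with a comment, e.g. `// Library defaults; the previous explicit policy allowed fullscreen for all origins — re-add it explicitly if the client needs it.` The same method also drops `policy.ApplyDocumentHeadersToAllResponses()` in the last hunk, so which responses receive the document-level headers now follows the library default; verify that API/JSON responses still carry the headers you expect. The enclosing method starts and ends outside this hunk.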