namespace BffMicrosoftEntraID.Server.Security;
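public static class DefaultSecurityHeadersDefinitions
{
    // The policy is built once per distinct (isDev, idpHost) pair and reused. A plain
    // single-slot cache would ignore the arguments of every call after the first, so a
    // later caller passing a different idpHost or isDev would silently receive a policy
    // built for the earlier values; the cached arguments below guard against that.
    private static readonly object _gate = new();
    private static HeaderPolicyCollection? _policy;
    private static bool _cachedIsDev;
    private static string? _cachedIdpHost;

    /// <summary>
    /// Returns the security-header policy for the application, building it on first use
    /// and reusing the cached instance on later calls made with the same arguments.
    /// </summary>
    /// <param name="isDev">
    /// True for the development environment: style-src then allows 'self' plus
    /// 'unsafe-inline' instead of a nonce, and no Strict-Transport-Security header is added.
    /// </param>
    /// <param name="idpHost">
    /// Identity-provider origin; it is added to form-action so the browser may submit the
    /// login/logout forms to the IdP.
    /// </param>
    /// <returns>The <see cref="HeaderPolicyCollection"/> for the given arguments.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="idpHost"/> is null.</exception>
    /// <exception cref="ArgumentException"><paramref name="idpHost"/> is empty or whitespace.</exception>
    public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
    {
        ArgumentException.ThrowIfNullOrWhiteSpace(idpHost);

        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
        // The lock makes the check-then-build atomic when concurrent first requests arrive.
        lock (_gate)
        {
            if (_policy is not null
                && _cachedIsDev == isDev
                && string.Equals(_cachedIdpHost, idpHost, StringComparison.Ordinal))
            {
                return _policy;
            }

            _policy = BuildPolicy(isDev, idpHost);
            _cachedIsDev = isDev;
            _cachedIdpHost = idpHost;
            return _policy;
        }
    }

    // Builds the complete header set for one (isDev, idpHost) combination.
    private static HeaderPolicyCollection BuildPolicy(bool isDev, string idpHost)
    {
        var policy = new HeaderPolicyCollection()
            .AddFrameOptionsDeny()
            .AddContentTypeOptionsNoSniff()
            .AddReferrerPolicyStrictOriginWhenCrossOrigin()
            .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
            .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
            .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
            .AddContentSecurityPolicy(builder =>
            {
                // NOTE(review): no default-src is set, so fetch directives not listed below
                // (connect-src, frame-src, worker-src, ...) have no CSP fallback and are
                // unrestricted; consider builder.AddDefaultSrc().Self() if the app's origins allow it.
                builder.AddObjectSrc().None();
                builder.AddBlockAllMixedContent();
                builder.AddImgSrc().Self().From("data:");
                // The IdP must be an allowed form-action target for the login/logout POSTs.
                builder.AddFormAction().Self().From(idpHost);
                builder.AddFontSrc().Self();
                builder.AddBaseUri().Self();
                builder.AddFrameAncestors().None();
                if (isDev)
                {
                    builder.AddStyleSrc()
                        .Self()
                        .UnsafeInline();
                }
                else
                {
                    // NOTE(review): the production style-src lists no 'self' source — confirm
                    // that every stylesheet the app loads carries the nonce.
                    builder.AddStyleSrc()
                        .WithNonce()
                        .UnsafeInline();
                }

                // Nonce-aware browsers ignore 'unsafe-inline' once a nonce is present; it is
                // kept only as a fallback for browser backward compatibility.
                builder.AddScriptSrc()
                    .WithNonce()
                    .UnsafeInline();
            })
            .RemoveServerHeader()
            .AddPermissionsPolicyWithDefaultSecureDirectives();

        if (!isDev)
        {
            // HSTS is added only outside development; max-age = one year in seconds,
            // with includeSubDomains and preload.
            policy.AddStrictTransportSecurityMaxAgeIncludeSubDomainsAndPreload();
        }

        return policy;
    }
}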