Security headers added

fredrik-hjelmaeus · Mar 16, 2021 · 0c01b33 · 0c01b33
1 parent f57e7cc
commit 0c01b33
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/API/API.csproj b/API/API.csproj
@@ -14,6 +14,7 @@
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="5.0.1" />
+    <PackageReference Include="NWebsec.AspNetCore.Middleware" Version="3.0.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="5.6.3" />
   </ItemGroup>
 

diff --git a/API/Startup.cs b/API/Startup.cs
@@ -57,11 +57,33 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
     {
       app.UseMiddleware<ExceptionMiddleware>();
 
+      app.UseXContentTypeOptions();
+      app.UseReferrerPolicy(opt => opt.NoReferrer());
+      app.UseXXssProtection(opt => opt.EnabledWithBlockMode());
+      app.UseXfo(opt => opt.Deny());
+      app.UseCsp(opt => opt
+        .BlockAllMixedContent()
+        .StyleSources(s => s.Self().CustomSources("https://fonts.googleapis.com"))
+        .FontSources(s => s.Self().CustomSources("https://fonts.gstatic.com/","data:"))
+        .FormActions(s => s.Self())
+        .FrameAncestors(s => s.Self())
+        .ImageSources(s => s.Self().CustomSources("https://res.cloudinary.com/"))
+        .ScriptSources(s => s.Self().CustomSources("sha256-3lZI6Gfb7F0cLrMi8cjN6viGQHvO5Vz8WQx2XddPKtM="))
+      );
+
       if (env.IsDevelopment())
       {
         app.UseSwagger();
         app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "API v1"));
       }
+      else 
+      {
+        app.Use(async (context, next) => 
+        {
+          context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000");
+          await next.Invoke();
+        });
+      }
 
       // app.UseHttpsRedirection();