Merge pull request #23 from damienbod/security-headers-update

Security headers update
damienbod · Oct 3, 2024 · 5aedaa1 · 5aedaa1
2 parents 94d8815 + 09e4f92
commit 5aedaa1
Show file tree

Hide file tree

Showing 38 changed files with 138 additions and 188 deletions.
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -12,9 +12,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Setup .NET
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@v4
       with:
         dotnet-version: '8.0'
         include-prerelease: True

diff --git a/AspNetCore.sln b/AspNetCore.sln
@@ -13,7 +13,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorHosted.Shared", "Blaz
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "_solutionItems", "_solutionItems", "{7F337AB1-98B9-4380-BFFF-3F6422EFDED0}"
 	ProjectSection(SolutionItems) = preProject
-		.github\workflows\codeql-analysis.yml = .github\workflows\codeql-analysis.yml
 		.github\workflows\dotnet.yml = .github\workflows\dotnet.yml
 		README.md = README.md
 	EndProjectSection

diff --git a/AspNetCoreRazor/AspNetCoreRazor.csproj b/AspNetCoreRazor/AspNetCoreRazor.csproj
@@ -8,12 +8,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.1" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.1" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="2.16.1" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="2.16.1" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.8" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.8" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.2.0" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="3.2.0" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.1" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.1" />
   </ItemGroup>
 
 </Project>
diff --git a/AspNetCoreRazor/Pages/Index.cshtml.cs b/AspNetCoreRazor/Pages/Index.cshtml.cs
@@ -1,5 +1,4 @@
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace AspNetCoreRazor.Pages
 {

diff --git a/AspNetCoreRazor/Pages/Privacy.cshtml.cs b/AspNetCoreRazor/Pages/Privacy.cshtml.cs
@@ -1,5 +1,4 @@
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace AspNetCoreRazor.Pages
 {

diff --git a/AspNetCoreRazor/Pages/Shared/_Layout.cshtml b/AspNetCoreRazor/Pages/Shared/_Layout.cshtml
@@ -4,9 +4,9 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>@ViewData["Title"] - AspNetCoreRazor</title>
-    <link rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
-    <link rel="stylesheet" href="~/css/site.css" asp-append-version="true" />
-    <link rel="stylesheet" href="~/AspNetCoreRazor.styles.css" asp-append-version="true" />
+    <link asp-add-nonce rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
+    <link asp-add-nonce rel="stylesheet" href="~/css/site.css" asp-append-version="true" />
+    <link asp-add-nonce rel="stylesheet" href="~/AspNetCoreRazor.styles.css" asp-append-version="true" />
 </head>
 <body>
     <header>
@@ -43,10 +43,9 @@
         </div>
     </footer>
 
-    @{var nonce = Context.GetNonce();}
-    <script src="~/lib/jquery/dist/jquery.min.js" nonce="@nonce"></script>
-    <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js" nonce="@nonce"></script>
-    <script src="~/js/site.js" asp-append-version="true" nonce="@nonce"></script>
+    <script src="~/lib/jquery/dist/jquery.min.js" asp-add-nonce></script>
+    <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js" asp-add-nonce></script>
+    <script src="~/js/site.js" asp-append-version="true" asp-add-nonce></script>
 
     @await RenderSectionAsync("Scripts", required: false)
 </body>

diff --git a/AspNetCoreRazor/Pages/Shared/_ValidationScriptsPartial.cshtml b/AspNetCoreRazor/Pages/Shared/_ValidationScriptsPartial.cshtml
@@ -1,3 +1,2 @@
-@{var nonce = this.Context.GetNonce();}
-<script src="~/lib/jquery-validation/dist/jquery.validate.min.js" nonce="@nonce"></script>
-<script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js" nonce="@nonce"></script>
+<script src="~/lib/jquery-validation/dist/jquery.validate.min.js" asp-add-nonce></script>
+<script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js" asp-add-nonce></script>
diff --git a/AspNetCoreRazor/Pages/_ViewImports.cshtml b/AspNetCoreRazor/Pages/_ViewImports.cshtml
@@ -2,3 +2,4 @@
 @using NetEscapades.AspNetCore.SecurityHeaders
 @namespace AspNetCoreRazor.Pages
 @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
diff --git a/AspNetCoreRazor/Program.cs b/AspNetCoreRazor/Program.cs
@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -14,6 +15,12 @@
 var configuration = builder.Configuration;
 var env = builder.Environment;
 
+services.AddSecurityHeaderPolicies()
+  .SetPolicySelector((PolicySelectorContext ctx) =>
+  {
+      return SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment());
+  });
+
 services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
     .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
 
@@ -33,8 +40,7 @@
     app.UseHsts();
 }
 
-app.UseSecurityHeaders(SecurityHeadersDefinitions
-    .GetHeaderPolicyCollection(env.IsDevelopment()));
+app.UseSecurityHeaders();
 
 app.UseHttpsRedirection();
 app.UseStaticFiles();

diff --git a/AspNetCoreRazor/SecurityHeadersDefinitions.cs b/AspNetCoreRazor/SecurityHeadersDefinitions.cs
@@ -1,6 +1,4 @@
-using Microsoft.AspNetCore.Builder;
-
-namespace AspNetCoreRazor;
+namespace AspNetCoreRazor;
 
 public static class SecurityHeadersDefinitions
 {
@@ -20,39 +18,26 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddImgSrc().Self().From("data:");
                 builder.AddFormAction().Self();
                 builder.AddFontSrc().Self();
-                builder.AddStyleSrc().Self(); // .UnsafeInline();
                 builder.AddBaseUri().Self();
-                builder.AddScriptSrc().UnsafeInline().WithNonce();
                 builder.AddFrameAncestors().None();
+
+                builder.AddStyleSrc().WithNonce().UnsafeInline();
+
+                builder.AddScriptSrc()
+                    .WithNonce()
+                    .WithHash256("j7OoGArf6XW6YY4cAyS3riSSvrJRqpSi1fOF9vQ5SrI=")
+                    .UnsafeInline();
                 //builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }
diff --git a/AspNetCoreRazorMultiClients/AspNetCoreRazorMultiClients.csproj b/AspNetCoreRazorMultiClients/AspNetCoreRazorMultiClients.csproj
@@ -8,12 +8,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.1" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.1" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="2.16.1" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="2.16.1" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.8" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.8" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.2.0" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="3.2.0" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.1" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.1" />
   </ItemGroup>
 
 </Project>
diff --git a/AspNetCoreRazorMultiClients/CustomAccountController.cs b/AspNetCoreRazorMultiClients/CustomAccountController.cs
@@ -1,9 +1,7 @@
-using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Configuration;
 
 namespace AspNetCoreRazorMultiClients;
 

diff --git a/AspNetCoreRazorMultiClients/Pages/Index.cshtml.cs b/AspNetCoreRazorMultiClients/Pages/Index.cshtml.cs
@@ -1,5 +1,4 @@
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace AspNetCoreRazorMultiClients.Pages
 {

diff --git a/AspNetCoreRazorMultiClients/Pages/Privacy.cshtml.cs b/AspNetCoreRazorMultiClients/Pages/Privacy.cshtml.cs
@@ -1,5 +1,4 @@
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace AspNetCoreRazorMultiClients.Pages
 {

diff --git a/AspNetCoreRazorMultiClients/Pages/Shared/_Layout.cshtml b/AspNetCoreRazorMultiClients/Pages/Shared/_Layout.cshtml
@@ -4,9 +4,9 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>@ViewData["Title"] - AspNetCoreRazorMultiClients</title>
-    <link rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
-    <link rel="stylesheet" href="~/css/site.css" asp-append-version="true" />
-    <link rel="stylesheet" href="~/AspNetCoreRazorMultiClients.styles.css" asp-append-version="true" />
+    <link asp-add-nonce rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
+    <link asp-add-nonce rel="stylesheet" href="~/css/site.css" asp-append-version="true" />
+    <link asp-add-nonce rel="stylesheet" href="~/AspNetCoreRazorMultiClients.styles.css" asp-append-version="true" />
 </head>
 <body>
     <header>
@@ -43,10 +43,9 @@
         </div>
     </footer>
 
-    @{var nonce = Context.GetNonce();}
-    <script src="~/lib/jquery/dist/jquery.min.js" nonce="@nonce"></script>
-    <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js" nonce="@nonce"></script>
-    <script src="~/js/site.js" asp-append-version="true" nonce="@nonce"></script>
+    <script src="~/lib/jquery/dist/jquery.min.js" asp-add-nonce></script>
+    <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js" asp-add-nonce></script>
+    <script src="~/js/site.js" asp-append-version="true" asp-add-nonce></script>
 
     @await RenderSectionAsync("Scripts", required: false)
 </body>

diff --git a/AspNetCoreRazorMultiClients/Pages/Shared/_ValidationScriptsPartial.cshtml b/AspNetCoreRazorMultiClients/Pages/Shared/_ValidationScriptsPartial.cshtml
@@ -1,3 +1,2 @@
-@{var nonce = this.Context.GetNonce();}
-<script src="~/lib/jquery-validation/dist/jquery.validate.min.js" nonce="@nonce"></script>
-<script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js" nonce="@nonce"></script>
+<script asp-add-nonce src="~/lib/jquery-validation/dist/jquery.validate.min.js"></script>
+<script asp-add-nonce src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js"></script>
diff --git a/AspNetCoreRazorMultiClients/Pages/_ViewImports.cshtml b/AspNetCoreRazorMultiClients/Pages/_ViewImports.cshtml
@@ -2,3 +2,4 @@
 @using NetEscapades.AspNetCore.SecurityHeaders
 @namespace AspNetCoreRazorMultiClients.Pages
 @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
+@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
diff --git a/AspNetCoreRazorMultiClients/Program.cs b/AspNetCoreRazorMultiClients/Program.cs
@@ -1,9 +1,10 @@
 using AspNetCoreRazorMultiClients;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
-using Microsoft.AspNetCore.Authentication;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -16,6 +17,12 @@
 var configuration = builder.Configuration;
 var env = builder.Environment;
 
+services.AddSecurityHeaderPolicies()
+  .SetPolicySelector((PolicySelectorContext ctx) =>
+  {
+      return SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment());
+  });
+
 // store the Microsoft Entra ID login
 services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
     .AddCookie();
@@ -48,7 +55,7 @@ await context.HttpContext.SignInAsync(
     {
         await existingOnTokenValidatedHandler(context);
 
-        if(context.Principal != null)
+        if (context.Principal != null)
         {
             await context.HttpContext.SignInAsync(
                 CookieAuthenticationDefaults.AuthenticationScheme, context.Principal);
@@ -71,8 +78,7 @@ await context.HttpContext.SignInAsync(
     app.UseHsts();
 }
 
-app.UseSecurityHeaders(SecurityHeadersDefinitions
-    .GetHeaderPolicyCollection(env.IsDevelopment()));
+app.UseSecurityHeaders();
 
 app.UseHttpsRedirection();
 app.UseStaticFiles();

diff --git a/AspNetCoreRazorMultiClients/SecurityHeadersDefinitions.cs b/AspNetCoreRazorMultiClients/SecurityHeadersDefinitions.cs
@@ -1,6 +1,4 @@
-using Microsoft.AspNetCore.Builder;
-
-namespace AspNetCoreRazorMultiClients;
+namespace AspNetCoreRazorMultiClients;
 
 public static class SecurityHeadersDefinitions
 {
@@ -19,40 +17,27 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddBlockAllMixedContent();
                 builder.AddImgSrc().Self().From("data:");
                 builder.AddFormAction().Self();
-                builder.AddFontSrc().Self();
-                builder.AddStyleSrc().Self(); // .UnsafeInline();
-                builder.AddBaseUri().Self();
-                builder.AddScriptSrc().UnsafeInline().WithNonce();
+                builder.AddFontSrc().Self();         
+                builder.AddBaseUri().Self();        
                 builder.AddFrameAncestors().None();
+
+                builder.AddStyleSrc().WithNonce().UnsafeInline();
+
+                builder.AddScriptSrc()
+                    .WithNonce()
+                    .WithHash256("j7OoGArf6XW6YY4cAyS3riSSvrJRqpSi1fOF9vQ5SrI=")
+                    .UnsafeInline();
                 // builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }
diff --git a/BlazorBffAzureAD/Client/BlazorHosted.Client.csproj b/BlazorBffAzureAD/Client/BlazorHosted.Client.csproj
@@ -8,10 +8,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.1" PrivateAssets="all" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.8" PrivateAssets="all" />
     <PackageReference Include="Microsoft.Extensions.Http" Version="8.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.8" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/BlazorBffAzureAD/Client/Services/AuthorizedHandler.cs b/BlazorBffAzureAD/Client/Services/AuthorizedHandler.cs
@@ -18,7 +18,7 @@ protected override async Task<HttpResponseMessage> SendAsync(
     {
         var authState = await _authenticationStateProvider.GetAuthenticationStateAsync();
         HttpResponseMessage responseMessage;
-        if (authState.User.Identity!= null && !authState.User.Identity.IsAuthenticated)
+        if (authState.User.Identity != null && !authState.User.Identity.IsAuthenticated)
         {
             // if user is not authenticated, immediately set response status to 401 Unauthorized
             responseMessage = new HttpResponseMessage(HttpStatusCode.Unauthorized);