Configuring HTTP Security Headers In Umbraco V9
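/// <summary>
/// Builds the HTTP security header policy applied to every response:
/// X-Frame-Options, X-Content-Type-Options, Referrer-Policy, COOP/COEP/CORP,
/// Content-Security-Policy, Permissions-Policy and, outside development, HSTS.
/// </summary>
/// <param name="isDev">
/// True when the site runs in the Development environment. HSTS is only emitted
/// when this is false, so a plain-HTTP dev site never pins the browser to HTTPS
/// for the whole max-age.
/// </param>
/// <returns>The configured <see cref="HeaderPolicyCollection"/>.</returns>
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
{
    var policy = new HeaderPolicyCollection()
        // Legacy clickjacking defence; CSP frame-ancestors below covers modern browsers.
        .AddFrameOptionsDeny()
        // NOTE(review): X-XSS-Protection is a legacy header; the CSP below is the real control.
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        // Strip the "Server" response header. Previously registered twice; once is enough.
        .RemoveServerHeader()
        .AddCrossOriginOpenerPolicy(builder =>
        {
            builder.SameOrigin();
        })
        // require-corp: cross-origin subresources must opt in via CORP or CORS headers,
        // so third-party embeds that do not send them will be blocked by the browser.
        .AddCrossOriginEmbedderPolicy(builder =>
        {
            builder.RequireCorp();
        })
        .AddCrossOriginResourcePolicy(builder =>
        {
            builder.SameOrigin();
        })
        .AddContentSecurityPolicy(builder =>
        {
            // No default-src is set, so fetch directives not listed here (connect-src,
            // media-src, frame-src, worker-src, ...) are unrestricted.
            // NOTE(review): consider builder.AddDefaultSrc().Self() as the fallback — verify
            // it does not break the site before enabling it.
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().Self().From("data:");
            builder.AddFormAction().Self();
            builder.AddFontSrc().Self();
            // Inline styles are disallowed; only add .UnsafeInline() if a dependency needs it.
            builder.AddStyleSrc().Self();
            builder.AddBaseUri().Self();
            // Browsers that understand nonces ignore 'unsafe-inline'; it only serves as a
            // fallback for older ones. Every inline <script> must carry the per-request nonce.
            builder.AddScriptSrc().UnsafeInline().WithNonce();
            builder.AddFrameAncestors().None();
        })
        .AddPermissionsPolicy(builder =>
        {
            // Deny every powerful feature except fullscreen.
            builder.AddAccelerometer().None();
            builder.AddAutoplay().None();
            builder.AddCamera().None();
            builder.AddEncryptedMedia().None();
            builder.AddFullscreen().All();
            builder.AddGeolocation().None();
            builder.AddGyroscope().None();
            builder.AddMagnetometer().None();
            builder.AddMicrophone().None();
            builder.AddMidi().None();
            builder.AddPayment().None();
            builder.AddPictureInPicture().None();
            builder.AddSyncXHR().None();
            builder.AddUsb().None();
        });

    if (!isDev)
    {
        // max-age = one year in seconds; includeSubDomains extends it to all subdomains.
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
    }

    return policy;
}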
// Register the security-header middleware with the environment-aware policy
// (HSTS is only included outside Development).
// NOTE(review): pipeline order is not shown here — presumably this runs early so
// the headers reach every response, including static files; confirm in Startup.
var headerPolicies = SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment());
app.UseSecurityHeaders(headerPolicies);