Info
Version: | 1.0.11 |
Author(s): | Lee HUMPHRIES |
Last Update: | Friday, July 14, 2017 |
NuGet Url: | https://www.nuget.org/packages/SecHdrsCore |
Install
Install-Package SecHdrsCore
dotnet add package SecHdrsCore
paket add SecHdrsCore
Dependencies
- Microsoft.AspNetCore.Http.Extensions(>= 1.1.2)
- NETStandard.Library(>= 1.6.1)
- Microsoft.AspNetCore.Http.Abstractions(>= 1.1.2)
Usage in an ASP.NET Core web project:
In Startup.cs, add the following private members to the Startup class:
// Cached header set (including the CSP) that app.UseSecurityHeaders applies; built on first Configure pass.
private SecurityHeaders _securityHeaders { get; set; }
// CSP fragments merged into the final policy; filled lazily by BuildContentSecurityPolicy when null/empty.
private List<CspFrame> _cspFrames { get; set; }
Then add the following two private methods (alter them as you need to).
These reference the samples NuGet package.
/// <summary>
/// Builds the individual CSP fragments (frames) that are later merged into one policy:
/// a site-wide "default" frame, a "basicCdn" frame for third-party CDN hosts, and the
/// package-supplied Google Maps and Stripe frames.
/// </summary>
/// <returns>The frames to merge.</returns>
private List<CspFrame> AssembleContentSecurityPolicies()
{
    // Site-wide baseline. 'unsafe-eval' and 'unsafe-inline' weaken the CSP's protection
    // against injected script/style; drop them unless a dependency genuinely needs them.
    var siteFrame = new CspFrame().Initialise("default");
    siteFrame.Clauses
        .AddUpdateClause("script-src", "", "'unsafe-eval'")
        .AddUpdateClause("style-src", "", "'unsafe-inline'")
        .AddUpdateClause("img-src", "", "data:")
        .AddUpdateClause("plugin-types", "", "application/pdf")
        .AddUpdateClause("frame-ancestors", "", "'none'")   // deny framing by any origin
        .AddUpdateClause("report-uri", "", "/cspreport");   // endpoint that receives CSP violation reports

    // Hosts for the CDN-served assets, all https.
    var cdnFrame = new CspFrame().Initialise("basicCdn");
    cdnFrame.Clauses
        .AddUpdateClause("default-src", "", "https://maxcdn.bootstrapcdn.com/")
        .AddUpdateClause("script-src", "", "https://ajax.googleapis.com/ https://code.jquery.com/ https://cdnjs.cloudflare.com/")
        .AddUpdateClause("style-src", "", "https://fonts.googleapis.com/")
        .AddUpdateClause("font-src", "", "https://fonts.gstatic.com/")
        .AddUpdateClause("img-src", "", "https://csi.gstatic.com/");

    // The last two frames are pre-built by the package for well-known third parties.
    return new List<CspFrame>
    {
        siteFrame,
        cdnFrame,
        new CspFrame().GoogleMaps(),
        new CspFrame().Stripe(),
    };
}
/// <summary>
/// Returns a merged copy of all relevant CspFrames, adding a more permissive "dev" frame
/// only when the hosting environment is Development.
/// </summary>
/// <param name="env">Hosting environment; only <c>IsDevelopment()</c> is consulted.</param>
/// <returns>The merged policy that becomes the Content-Security-Policy header.</returns>
private CspFrame BuildContentSecurityPolicy(IHostingEnvironment env)
{
    // Lazily assemble the frame list on first use (or if it was left empty).
    if (_cspFrames?.Any() != true)
    {
        _cspFrames = AssembleContentSecurityPolicies();
    }

    var policy = _cspFrames.Merge();
    if (!env.IsDevelopment())
    {
        return policy;
    }

    // Development only: allow plain-http and websocket connections to the local dev server
    // and the http variant of Stripe checkout. These http:// origins must never reach a
    // non-Development build; the IsDevelopment() guard above is what keeps them out.
    const string devHost = "localhost:56993/";
    const string stripeHttp = "http://checkout.stripe.com/";
    var devFrame = new CspFrame().Initialise("dev");
    devFrame.Clauses
        .AddUpdateClause("default-src", "", "http://localhost:5000/")
        .AddUpdateClause("connect-src", "", $"http://{devHost} ws://{devHost} {stripeHttp}")
        .AddUpdateClause("script-src", "", $"http://{devHost} {stripeHttp}");

    return policy.Merge(devFrame);
}
Finally, include the following in the startup configuration method, just before `app.UseMvc(...)`:
// Build the CSP for this environment once; BuildContentSecurityPolicy also fills _cspFrames if needed.
var contentSecurityPolicy = BuildContentSecurityPolicy(env);

// First pass creates the full header set; later passes only swap in the fresh CSP.
if (_securityHeaders == null)
{
    _securityHeaders = app.BuildSecurityHeaders(contentSecurityPolicy);
}
else
{
    _securityHeaders.Csp = contentSecurityPolicy;
}

// Register the middleware that emits the headers on every response.
app.UseSecurityHeaders(_securityHeaders);