Merge pull request #57 from damienbod/dev
Improve CSP, using nonce
damienbod authored Jan 14, 2024
2 parents b3d4b9f + 6d755c2 commit f649951
Showing 5 changed files with 21 additions and 14 deletions.
Expand Up @@ -8,10 +8,10 @@
</PropertyGroup>

<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.0" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.0" PrivateAssets="all" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.1" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.1" PrivateAssets="all" />
<PackageReference Include="Microsoft.Extensions.Http" Version="8.0.0" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.0" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.1" />
</ItemGroup>

<ItemGroup>
Expand Up @@ -12,9 +12,10 @@
</ItemGroup>

<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.0" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.0" NoWarn="NU1605" />
<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.1" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.1" NoWarn="NU1605" />
<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
</ItemGroup>

</Project>
5 changes: 3 additions & 2 deletions BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml
Expand Up @@ -2,6 +2,7 @@
@namespace BlazorBffOpenIDConnect.Pages
@using BlazorBffOpenIDConnect.Client
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
@{
Layout = null;
}
Expand Down Expand Up @@ -40,8 +41,8 @@
<a class="dismiss">🗙</a>
</div>

<script src="_framework/blazor.webassembly.js" ></script>
<script src="antiForgeryToken.js" ></script>
<script asp-add-nonce src="_framework/blazor.webassembly.js"></script>
<script asp-add-nonce src="antiForgeryToken.js"></script>
@Html.AntiForgeryToken()
</body>
</html>
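Review bot: Moving the two script tags to `asp-add-nonce` only holds up if every other script the page executes is nonced as well; once `script-src` relies on a nonce instead of `'self'` and a hash, any inline `<script>` elsewhere in _Host.cshtml (the rest of the file is outside the hunk) will be refused, so each one needs `asp-add-nonce` too. The tag helper presumably reads the per-request nonce that the security-headers middleware generates, so the middleware ordering in Program.cs, which is not part of this change, is worth confirming before relying on the attribute.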
13 changes: 6 additions & 7 deletions BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
Expand Up @@ -2,15 +2,17 @@

public static class SecurityHeadersDefinitions
{
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)
public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
{
ArgumentNullException.ThrowIfNull(idpHost);

var policy = new HeaderPolicyCollection()
.AddFrameOptionsDeny()
.AddContentTypeOptionsNoSniff()
.AddReferrerPolicyStrictOriginWhenCrossOrigin()
.AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
.AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
.AddContentSecurityPolicy(builder =>
{
builder.AddObjectSrc().None();
Expand All @@ -24,12 +26,9 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin

// due to Blazor
builder.AddScriptSrc()
.Self()
.WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
// .Self() Add this if you want to use the visual studio debugging tools
.WithNonce()
.UnsafeEval();

// disable script and style CSP protection if using Blazor hot reload
// if using hot reload, DO NOT deploy with an insecure CSP
})
.RemoveServerHeader()
.AddPermissionsPolicy(builder =>
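Review bot: `ArgumentNullException.ThrowIfNull(idpHost)` in the first hunk rejects only null; the host presumably feeds a CSP source list later in the method (outside the hunk), where an empty or whitespace value would yield a malformed source entry, so `ArgumentException.ThrowIfNullOrWhiteSpace(idpHost);` (available on .NET 8, which the 8.0.1 package references imply) is the stronger guard. In the second hunk the switch to `.WithNonce()` drops the hash and `.Self()` but keeps `.UnsafeEval()` with no explanation now that the hot-reload comments are gone; a why-comment such as `// 'unsafe-eval' is still needed by the Blazor WebAssembly runtime — confirm whether a narrower directive suffices on .NET 8` would keep the remaining weakening deliberate. `GetHeaderPolicyCollection` continues past the end of the hunk.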
6 changes: 6 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,12 @@

[Readme](https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template/blob/main/README.md)


**2024-01-14** 3.0.2
- Improve CSP, using nonce
- updated packages


**2023-12-31** 3.0.1
- Open redirect protection on login

