PT-10550: adds the security headers to all responses (#2680)

feat: adds the security headers to all responses (#2680) * X-Content-Type-Options: nosniff * Strict-Transport-Security: max-age=31536000; includeSubDomains - only applied to HTTPS responses * X-Frame-Options: Deny - only applied to "document" responses * X-XSS-Protection: 1; mode=block - only applied to "document" responses * Referrer-Policy: strict-origin-when-cross-origin - only applied to "document" responses * Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'none' - only applied to "document" responses
VirtoCommerce · Aug 23, 2023 · 824b7b2 · 824b7b2
1 parent daa99cb
commit 824b7b2
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 18 deletions.
diff --git a/src/VirtoCommerce.Platform.Web/Extensions/ApplicationBuilderExtensions.cs b/src/VirtoCommerce.Platform.Web/Extensions/ApplicationBuilderExtensions.cs
@@ -6,8 +6,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.FileProviders;
-using Microsoft.Extensions.Primitives;
-using VirtoCommerce.Platform.Core.Common;
 using VirtoCommerce.Platform.Core.Modularity;
 using VirtoCommerce.Platform.Core.Modularity.Exceptions;
 using VirtoCommerce.Platform.Core.Settings;
@@ -19,11 +17,6 @@ namespace VirtoCommerce.Platform.Web.Extensions
 {
     public static class ApplicationBuilderExtensions
     {
-        private static readonly Dictionary<string, StringValues> CustomHeaders = new()
-        {
-            { "X-Frame-Options", new StringValues("SAMEORIGIN") }
-        };
-
         public static IApplicationBuilder UsePlatformSettings(this IApplicationBuilder appBuilder)
         {
             var settingsRegistrar = appBuilder.ApplicationServices.GetRequiredService<ISettingsRegistrar>();
@@ -61,17 +54,6 @@ public static IApplicationBuilder UseModules(this IApplicationBuilder appBuilder
             return appBuilder;
         }
 
-        public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder appBuilder)
-        {
-            appBuilder.Use(async (context, next) =>
-            {
-                context.Response.Headers.AddRange(CustomHeaders);
-                await next();
-            });
-
-            return appBuilder;
-        }
-
         private static IEnumerable<ManifestModuleInfo> GetInstalledModules(IServiceProvider serviceProvider)
         {
             var moduleCatalog = serviceProvider.GetRequiredService<ILocalModuleCatalog>();

diff --git a/src/VirtoCommerce.Platform.Web/VirtoCommerce.Platform.Web.csproj b/src/VirtoCommerce.Platform.Web/VirtoCommerce.Platform.Web.csproj
@@ -39,6 +39,7 @@
         <PackageReference Include="Microsoft.Identity.Client" Version="4.45.0" />
         <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.10.8" />
         <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="2.2.0" />
+        <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.20.0" />
         <PackageReference Include="OpenIddict.AspNetCore" Version="3.0.4" />
         <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="3.0.4" />
         <PackageReference Include="Scrutor" Version="4.2.0" />