
Add CSP nonces and security headers#70

Merged
antosubash merged 2 commits into main from feature/agitated-khayyam on Apr 3, 2026

Conversation

@antosubash
Owner

Changes

  • Security Headers: Add middleware to set Content-Security-Policy with nonces, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and X-Permitted-Cross-Domain-Policies headers
  • CSP Nonce Support: Introduce ICspNonce interface and CspNonce implementation that generates random base64-encoded nonces per request
  • Apply Nonces to Scripts: Add nonce attributes to inline scripts in Razor components (DarkModeScript, InertiaShell, AppLayout, PublicLayout, OAuthCallback)
  • Harden XML Processing: Disable DTD processing in InstalledPackageDetector to prevent XXE attacks
  • Improve Process Arguments: Use ArgumentList instead of string concatenation in InstallCommand for safer argument handling
  • Enhanced Logging: Add warning log when seeding users with default passwords in non-development environments
  • Fix XSS in Error Toast: Use textContent instead of innerHTML interpolation to prevent DOM XSS in error messages

- Add Content-Security-Policy with per-request cryptographic nonces
  for all inline Blazor scripts (DarkModeScript, InertiaShell importmap,
  AppLayout, PublicLayout, OAuthCallback)
- Add X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and
  X-Permitted-Cross-Domain-Policies response headers
- Replace innerHTML message interpolation with textContent in error
  toast to eliminate XSS vector in app.tsx
- Harden XML parsing in InstalledPackageDetector with DtdProcessing.Prohibit
  and null XmlResolver to prevent XXE
- Switch InstallCommand from string-concatenated Arguments to ArgumentList
  for safe process argument passing
- Add production warning log when seed users are created with default
  passwords outside Development environment
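The PR description above only names the pieces (an ICspNonce service, a header middleware, DtdProcessing.Prohibit with a null resolver). The following is an added illustration of how those pieces fit together in ASP.NET Core; it is not the SimpleModule project's code. ICspNonce and CspNonce are the names the PR gives; the member Value, SecurityHeadersMiddleware, AddCspNonce, UseSecurityHeaders, HardenedXmlSettings and the exact CSP directive string are assumptions made here.

```csharp
// Added illustration, not the SimpleModule project's code. Names that do not appear
// on the PR page (Value, SecurityHeadersMiddleware, AddCspNonce, UseSecurityHeaders,
// HardenedXmlSettings, the CSP directive list) are assumptions.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Xml;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Per-request nonce. The PR names ICspNonce/CspNonce; the member name is assumed.
public interface ICspNonce
{
    string Value { get; }
}

public sealed class CspNonce : ICspNonce
{
    // 128 bits from the OS CSPRNG, base64-encoded. Registered as Scoped so every
    // request gets a fresh, unpredictable value; a static or Singleton nonce would
    // let one observed nonce be replayed and would defeat the policy entirely.
    public string Value { get; } = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
}

public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    // Scoped services can be injected into InvokeAsync; the CspNonce instance seen
    // here is the same one the Razor components receive via @inject for this request.
    public Task InvokeAsync(HttpContext context, ICspNonce nonce)
    {
        var headers = context.Response.Headers;

        // Only <script> elements carrying nonce="<value>" may execute; inline event
        // handlers and eval are blocked. The directive list is an assumption; tune it
        // per application and verify with the browser console's CSP violation reports.
        headers["Content-Security-Policy"] =
            $"default-src 'self'; script-src 'self' 'nonce-{nonce.Value}'; " +
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
        headers["X-Content-Type-Options"] = "nosniff";          // disable MIME sniffing
        headers["X-Frame-Options"] = "DENY";                    // legacy clickjacking guard
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        headers["X-Permitted-Cross-Domain-Policies"] = "none";  // no Flash/Acrobat policy files

        return _next(context);
    }
}

public static class SecurityHeadersExtensions
{
    public static IServiceCollection AddCspNonce(this IServiceCollection services)
        => services.AddScoped<ICspNonce, CspNonce>();

    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}

// XXE hardening as the PR describes for InstalledPackageDetector: DTDs are rejected
// outright, and with no resolver the parser can never fetch an external entity.
public static class HardenedXmlSettings
{
    public static XmlReaderSettings Create() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };
    // Usage: using var reader = XmlReader.Create(path, HardenedXmlSettings.Create());
}

// Wiring (Program.cs):
//   builder.Services.AddCspNonce();
//   app.UseSecurityHeaders();   // early in the pipeline so every response is covered
//
// Razor component:
//   @inject ICspNonce Nonce
//   <script nonce="@Nonce.Value">/* inline script */</script>
```

Two things to check when adopting this pattern: nonced responses must not be served from an output or CDN cache, because a cached page carries a nonce that no longer matches the header of the request it is replayed on; and a first rollout is safer under Content-Security-Policy-Report-Only, which logs violations without blocking, so any inline script the PR's Razor components missed shows up in the console before the policy is enforced.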
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 3, 2026

Deploying simplemodule-website with Cloudflare Pages

Latest commit: b31f1f1
Status: ✅  Deploy successful!
Preview URL: https://a54d9d17.simplemodule-website.pages.dev
Branch Preview URL: https://feature-agitated-khayyam.simplemodule-website.pages.dev


# Conflicts:
#	framework/SimpleModule.Hosting/SimpleModuleHostExtensions.cs
@antosubash antosubash merged commit c1011c3 into main Apr 3, 2026
4 checks passed
@antosubash antosubash deleted the feature/agitated-khayyam branch April 3, 2026 21:05