
Improve bit Boilerplate response security headers (#12014)#12015

Merged
yasmoradi merged 2 commits into bitfoundation:develop from yasmoradi:security
Jan 28, 2026

Conversation

@yasmoradi (Member) commented Jan 28, 2026

closes #12014

Summary by CodeRabbit

  • Refactor

    • Consolidated security headers configuration into a unified approach for improved maintainability.
    • Improved caching logic to better support Content Delivery Network edge caching scenarios.
    • Antiforgery protection configuration now adapts based on CDN edge caching settings.
    • Reorganized security dependencies across shared and project-specific server components.
  • Documentation

    • Enhanced documentation for antiforgery configuration and CDN caching interactions.


@coderabbitai bot commented Jan 28, 2026


Walkthrough

The PR consolidates security header middleware configuration by centralizing NWebsec.AspNetCore.Middleware to the shared library, introducing a new UseSecurityHeaders() extension method, and refactoring cache policy flag naming while conditioning antiforgery registration based on CDN caching settings.

Changes

Cohort / File(s) / Summary

Package Dependencies
  Files: Boilerplate.Server.Api.csproj, Boilerplate.Server.Web.csproj, Boilerplate.Server.Shared.csproj
  Summary: Removed NWebsec.AspNetCore.Middleware from Api and Web projects; added it to Shared project to centralize security header middleware management.

Security Headers Centralization
  Files: Infrastructure/Extensions/WebApplicationExtensions.cs, Boilerplate.Server.Api/Program.Middlewares.cs, Boilerplate.Server.Web/Program.Middlewares.cs
  Summary: Created new UseSecurityHeaders() extension method in Shared that chains HSTS, X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy, and Content-Security-Policy headers. Replaced four individual middleware calls in both Api and Web Program.Middlewares with single UseSecurityHeaders() invocation.

Cache Policy Refactoring
  Files: Infrastructure/Services/AppResponseCachePolicy.cs, Infrastructure/Extensions/HttpContextExtensions.cs, Infrastructure/Extensions/HttpRequestExtensions.cs
  Summary: Renamed cache flag from AppResponseCachePolicy__DisableStreamPrerendering to AppResponseCachePolicy__SharedCacheEnabled with inverted logic (computed as outputCacheTtl > 0 || edgeCacheTtl > 0). Added IsSharedCacheEnabled() extension method on HttpContext and updated IsStreamPrerenderingSuppressed() to use new extension.

Services Configuration & Documentation
  Files: Program.Services.cs, Infrastructure/Services/NoOpAntiforgery.cs, Infrastructure/Services/WebServerExceptionHandler.cs
  Summary: Conditionalized antiforgery registration to only register NoOpAntiforgery when CDN edge caching is enabled. Added ServerSharedSettings binding in service configuration. Enhanced NoOpAntiforgery with comprehensive XML documentation explaining CDN caching rationale. Updated comment reference in WebServerExceptionHandler.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hop, hop! Security headers now align,
One method to rule them all so fine,
Cache flags are renamed, logic refined,
From four calls to one—a rabbit's design!
Shared libraries strengthen the whole,
Making boilerplate reach its goal!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 44.44% which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped: CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly describes the main change: improving response security headers in the Boilerplate project.
  • Linked Issues check: ✅ Passed. The pull request implements security header improvements by consolidating middleware, relocating NWebsec dependency, and adding new security header configurations as required.
  • Out of Scope Changes check: ✅ Passed. All changes directly support security header improvements; cache-related updates in AppResponseCachePolicy and HttpRequestExtensions are necessary refactoring to support the new security architecture.


@coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/Boilerplate.Server.Shared.csproj`:
- Line 13: Remove the unmaintained PackageReference to NWebsec.AspNetCore.Middleware from Boilerplate.Server.Shared.csproj and replace its usage with a supported approach: either add a maintained security-header package (e.g., a modern ASP.NET Core header middleware) or implement a small custom middleware in Startup/Program (AddSecurityHeadersMiddleware or similar) that sets the required headers; update any Startup/Program.cs references currently relying on NWebsec.AspNetCore.Middleware to use the new package or the custom AddSecurityHeadersMiddleware and remove the obsolete PackageReference entry from the .csproj.

In `@src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/Infrastructure/Extensions/WebApplicationExtensions.cs`:
- Around line 86-135: The CSP set in UseSecurityHeaders is missing a script-src directive which breaks Blazor; update the Content-Security-Policy header (set on context.Response.Headers.Append("Content-Security-Policy", ...)) to include a script-src directive—for Blazor Server use "script-src 'self'" and for Blazor WASM include "script-src 'self' 'wasm-unsafe-eval'"; also consider adding style-src and img-src directives for styles/images; replace Headers.Append with a non-duplicating approach (e.g., check/replace or TryAdd-like logic) so calling UseSecurityHeaders multiple times won’t duplicate headers.
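The two points the review raises above (a CSP that actually carries a script-src directive for Blazor, and header writes that replace rather than append) can be shown together in a small custom middleware. The following is an added example written for this discussion; it is not the PR's UseSecurityHeaders, not NWebsec's API, and not code from the bit Boilerplate project. The names SecurityHeadersExtensions, BuildSecurityHeaders and the blazorWasm parameter are hypothetical, and the directive allow-lists are assumptions for an app that serves only its own scripts, styles and images.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical extension written for this review; not the project's own code.
public static class SecurityHeadersExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app, bool blazorWasm)
    {
        return app.Use(async (context, next) =>
        {
            // Write the headers right before the first byte goes out, so they apply
            // whatever downstream component produces the response (page, API, error page).
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                foreach (var (name, value) in BuildSecurityHeaders(context.Request.IsHttps, blazorWasm))
                {
                    // Indexer assignment replaces an existing value instead of appending,
                    // so registering this middleware twice cannot emit duplicate headers.
                    headers[name] = value;
                }
                return Task.CompletedTask;
            });
            await next(context);
        });
    }

    // Kept separate from the middleware so the header set can be unit-tested without a host.
    public static IReadOnlyDictionary<string, string> BuildSecurityHeaders(bool isHttps, bool blazorWasm)
    {
        // Assumption: only same-origin assets. Widen these allow-lists (nonce or hash for
        // inline scripts, CDN hosts for images/styles) to match the real asset set.
        var scriptSrc = blazorWasm
            ? "script-src 'self' 'wasm-unsafe-eval'"   // the WebAssembly runtime needs this
            : "script-src 'self'";                      // Blazor Server
        var csp = string.Join("; ",
            "default-src 'self'",
            scriptSrc,
            "style-src 'self'",
            "img-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'");

        var headers = new Dictionary<string, string>
        {
            ["Content-Security-Policy"] = csp,
            ["X-Content-Type-Options"] = "nosniff",
            ["X-Frame-Options"] = "DENY",
            ["Referrer-Policy"] = "strict-origin-when-cross-origin",
            ["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()",
            ["Cross-Origin-Resource-Policy"] = "same-origin",
        };

        // HSTS only matters on HTTPS responses; browsers ignore it over plain HTTP.
        if (isHttps)
        {
            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
        }
        return headers;
    }
}
```

Wire it up in Program.cs with `app.UseSecurityHeaders(blazorWasm: true);` ahead of the endpoint mappings (skipping it in Development, as the PR does, keeps hot-reload and dev tooling working). Because BuildSecurityHeaders is a pure function, a unit test can assert that the WASM variant contains 'wasm-unsafe-eval' and the Server variant does not, and that calling the middleware twice yields exactly one Content-Security-Policy header.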

Copilot AI (Contributor) left a comment

Pull request overview

Improves the Boilerplate template’s HTTP response security headers by centralizing header configuration and reducing duplicated middleware setup, while also adjusting caching-related behavior for antiforgery.

Changes:

  • Introduces a shared UseSecurityHeaders() extension and replaces per-project NWebsec header middleware calls with it.
  • Moves NWebsec.AspNetCore.Middleware package reference into Boilerplate.Server.Shared for shared consumption.
  • Updates response-caching signaling (HttpContext.Items) and stream prerendering suppression logic, and makes antiforgery “no-op” conditional based on caching settings.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Summary per file

  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Program.Services.cs: Conditionally registers NoOpAntiforgery based on response caching settings.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Program.Middlewares.cs: Switches to app.UseSecurityHeaders() in non-development.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Infrastructure/Services/WebServerExceptionHandler.cs: Updates internal comment to reflect renamed caching flag key.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Infrastructure/Services/NoOpAntiforgery.cs: Expands documentation explaining antiforgery disabling for CDN caching scenarios.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Infrastructure/Extensions/HttpRequestExtensions.cs: Uses shared-cache flag to suppress streaming prerendering when caching is enabled.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Infrastructure/Extensions/HttpContextExtensions.cs: Adds IsSharedCacheEnabled() helper for the new cache-flag key.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/Boilerplate.Server.Web.csproj: Removes direct NWebsec package reference (now shared).
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/Infrastructure/Services/AppResponseCachePolicy.cs: Renames/rewrites the HttpContext cache flag to represent “shared cache enabled”.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/Infrastructure/Extensions/WebApplicationExtensions.cs: Adds UseSecurityHeaders() and configures additional headers (Permissions-Policy, CORP, CSP).
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/Boilerplate.Server.Shared.csproj: Adds NWebsec package reference to support shared security header middleware.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Middlewares.cs: Switches to app.UseSecurityHeaders() in non-development.
  • src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Boilerplate.Server.Api.csproj: Removes direct NWebsec package reference (now shared).

@yasmoradi yasmoradi merged commit 897581a into bitfoundation:develop Jan 28, 2026
3 checks passed
@yasmoradi yasmoradi deleted the security branch January 28, 2026 19:36

Development

Successfully merging this pull request may close this issue: bit Boilerplate security headers need improvements

2 participants