diff --git a/Directory.Packages.props b/Directory.Packages.props
index 87fba0d8..7bdf04ab 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -32,6 +32,7 @@
+
diff --git a/src/LinkDotNet.Blog.Web/LinkDotNet.Blog.Web.csproj b/src/LinkDotNet.Blog.Web/LinkDotNet.Blog.Web.csproj
index 4625b7a6..69da7b48 100644
--- a/src/LinkDotNet.Blog.Web/LinkDotNet.Blog.Web.csproj
+++ b/src/LinkDotNet.Blog.Web/LinkDotNet.Blog.Web.csproj
@@ -19,6 +19,7 @@
all
+
diff --git a/src/LinkDotNet.Blog.Web/Program.cs b/src/LinkDotNet.Blog.Web/Program.cs
index 2c08dc54..58265197 100644
--- a/src/LinkDotNet.Blog.Web/Program.cs
+++ b/src/LinkDotNet.Blog.Web/Program.cs
@@ -6,6 +6,7 @@
using LinkDotNet.Blog.Web.RegistrationExtensions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
+using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
namespace LinkDotNet.Blog.Web;
@@ -25,6 +26,18 @@ public static async Task Main(string[] args)
private static void RegisterServices(WebApplicationBuilder builder)
{
+ builder.Services.AddSecurityHeaderPolicies()
+ .SetDefaultPolicy(p =>
+ p.AddDefaultSecurityHeaders()
+ .AddCrossOriginEmbedderPolicy(policy => policy.UnsafeNone())
+ .AddPermissionsPolicy(policy =>
+ {
+ policy.AddCamera().None();
+ policy.AddMicrophone().None();
+ policy.AddGeolocation().None();
+ }))
+ .AddPolicy("API", p => p.AddDefaultApiSecurityHeaders());
+
builder.Services
.AddHostingServices()
.AddConfiguration()
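Review bot: The named policy registered on the `.AddPolicy("API", p => p.AddDefaultApiSecurityHeaders())` line is never bound to an endpoint anywhere in this diff; a named security-headers policy only takes effect when an endpoint or route group selects it (for example `.WithSecurityHeadersPolicy("API")` on the endpoint builder), so as far as this change shows, API responses still receive the browser-oriented default policy and the "API" registration is dead configuration. Either apply it where the API endpoints are mapped (outside this hunk) or drop it until it is used. The `.AddCrossOriginEmbedderPolicy(policy => policy.UnsafeNone())` line also deliberately weakens the default header set without saying why; a one-line comment above it such as `// COEP relaxed to unsafe-none: needed for <cross-origin embed, TODO confirm>` would stop the next maintainer from "restoring" the stricter default and breaking the page. Note that the default header set here does not visibly include a script/style Content-Security-Policy, so if one is expected it has to be added explicitly. The body of RegisterServices continues past the end of this hunk.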
@@ -49,6 +62,8 @@ private static void RegisterServices(WebApplicationBuilder builder)
private static void ConfigureApp(WebApplication app)
{
+ app.UseSecurityHeaders();
+
if (app.Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();