A .NET Core middleware for injecting the OWASP recommended HTTP headers into Azure Isolated Functions
The NuGet package can be accessed here
The Azure Functions isolated worker model is not quite the same as ASP.NET Core middleware, so the usual solutions do not work. Hence the need for a project like this.
First of all, a big thanks to GaProgMan for creating OwaspHeaders.Core. This library is just an extension of his work to support Azure isolated functions.
```csharp
using Microsoft.Extensions.Hosting;
using OwaspHeaders.IsolatedFunction;

public class Program
{
    public static void Main()
    {
        var host = new HostBuilder()
            .ConfigureFunctionsWorkerDefaults(builder =>
            {
                // Registers the middleware that writes the OWASP headers on every response
                builder.UseMiddleware<OwaspHandlerMiddleware>();
            })
            .Build();

        host.Run();
    }
}
```
Without any configuration, the single `builder.UseMiddleware<OwaspHandlerMiddleware>()` line above adds the following headers:

| Config | Output |
|---|---|
| UseHsts | Strict-Transport-Security |
| UseXFrameOptions | X-Frame-Options |
| UseXssProtection | X-XSS-Protection |
| UseXContentTypeOptions | X-Content-Type-Options |
| UseContentSecurityPolicyReportOnly | Content-Security-Policy-Report-Only |
| UseContentSecurityPolicy | Content-Security-Policy |
| UseXContentSecurityPolicy | X-Content-Security-Policy |
| UseExpectCt | Expect-CT |
| UseCacheControl | Cache-Control |
The configuration values are the same as in the original project. However, because the Azure Functions middleware does not accept parameters, a configuration provider has to be registered instead:

```csharp
services.AddSingleton<IOwaspMiddlewareConfigurationProvider, CustomConfigurationProvider>();
```

The configuration provider itself looks like this:
```csharp
using System;
using OwaspHeaders.Core.Enums;
using OwaspHeaders.Core.Extensions;
using OwaspHeaders.Core.Models;
using OwaspHeaders.IsolatedFunction;

public class CustomConfigurationProvider : IOwaspMiddlewareConfigurationProvider
{
    public SecureHeadersMiddlewareConfiguration CustomConfiguration()
    {
        return SecureHeadersMiddlewareBuilder
            .CreateBuilder()
            .UseHsts(1200, false)                   // max-age of 1200 s, subdomains not included
            .UseXSSProtection(XssMode.oneReport, "https://reporturi.com/some-report-url")
            .UseContentDefaultSecurityPolicy()      // the library's default CSP
            .UseCacheControl(false, maxAge: (int)TimeSpan.FromHours(1).TotalSeconds)
            .UsePermittedCrossDomainPolicies(XPermittedCrossDomainOptionValue.masterOnly)
            .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
            .Build();
    }
}
```
The details of SecureHeadersMiddlewareConfiguration are documented in the OwaspHeaders.Core project.
The following screenshot shows the headers produced by the default configuration.
Please note that Swagger UI stops working with the default configuration, because Swagger UI loads mixed content. To fix this, a custom configuration is needed in which mixed content is allowed:
```csharp
.UseContentSecurityPolicy(blockAllMixedContent: false)
```

or, setting the Content-Security-Policy directives on the configuration object directly:

```csharp
// configurationBuilder is assumed to be the configuration returned by SecureHeadersMiddlewareBuilder.CreateBuilder()
configurationBuilder.ContentSecurityPolicyConfiguration.FrameAncestors.Add(new ContentSecurityPolicyElement
{
    DirectiveOrUri = "none"   // frame-ancestors 'none': the function's pages may not be framed
});
configurationBuilder.ContentSecurityPolicyConfiguration.FormAction.Add(new ContentSecurityPolicyElement
{
    DirectiveOrUri = "self"   // form-action 'self': forms may only post back to this origin
});
// upgrade-insecure-requests: the browser rewrites http:// sub-resource requests to https:// before sending them
configurationBuilder.ContentSecurityPolicyConfiguration.UpgradeInsecureRequests = true;
// block-all-mixed-content: any http:// sub-resource that is still requested is blocked
configurationBuilder.ContentSecurityPolicyConfiguration.BlockAllMixedContent = true;
```
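Putting the pieces together, as an added example rather than the package's own README code: one Program.cs that registers the middleware and the configuration provider, with a provider whose Content-Security-Policy keeps block-all-mixed-content off so Swagger UI stays usable. The provider class name, the OwaspHeaders.Core namespaces and the parameterless defaults of UseXFrameOptions/UseXContentTypeOptions are assumptions.

```csharp
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using OwaspHeaders.Core.Enums;
using OwaspHeaders.Core.Extensions;
using OwaspHeaders.Core.Models;
using OwaspHeaders.IsolatedFunction;

// Assumed provider name; the builder calls are the ones the README lists.
public class SwaggerFriendlyConfigurationProvider : IOwaspMiddlewareConfigurationProvider
{
    public SecureHeadersMiddlewareConfiguration CustomConfiguration()
    {
        return SecureHeadersMiddlewareBuilder
            .CreateBuilder()
            .UseHsts(31536000, true)                               // one year, include subdomains
            .UseXFrameOptions()                                    // X-Frame-Options (library default)
            .UseXContentTypeOptions()                              // X-Content-Type-Options: nosniff
            .UseContentSecurityPolicy(blockAllMixedContent: false) // leaves Swagger UI working
            .UseReferrerPolicy(ReferrerPolicyOptions.sameOrigin)
            .Build();
    }
}

public class Program
{
    public static void Main()
    {
        var host = new HostBuilder()
            .ConfigureFunctionsWorkerDefaults(builder =>
            {
                // The middleware runs for every function invocation in this worker
                builder.UseMiddleware<OwaspHandlerMiddleware>();
            })
            .ConfigureServices(services =>
            {
                // The middleware resolves its header configuration through this provider
                services.AddSingleton<IOwaspMiddlewareConfigurationProvider,
                                      SwaggerFriendlyConfigurationProvider>();
            })
            .Build();

        host.Run();
    }
}
```

After deploying, a request to any HTTP-triggered function in this app should return the Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy headers, which is the quickest check that both registrations took effect.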