Merge pull request #133 from TechnologyEnhancedLearning/Develop/Fixes/TD-3733-Information-Disclosures

swapnamol-abraham · web-flow · commit 311c3dc4cde5 · 2025-03-05T15:46:37.000Z
TD-3733:Information Disclosures
diff --git a/Auth/LearningHub.Nhs.Auth/Program.cs b/Auth/LearningHub.Nhs.Auth/Program.cs
@@ -56,20 +56,6 @@
         await next();
     });
 
-app.Use(async (context, next) =>
-{
-    // Add security headers
-    context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
-    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
-    context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
-    context.Response.Headers.Add("X-Frame-Options", "DENY");
-    context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none';");
-    context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade");
-    context.Response.Headers.Add("Feature-Policy", "geolocation 'self'; microphone 'none'; camera 'none'");
-
-    await next();
-});
-
 if (app.Environment.IsDevelopment())
 {
     app.UseDeveloperExceptionPage();
diff --git a/LearningHub.Nhs.UserApi/Program.cs b/LearningHub.Nhs.UserApi/Program.cs
@@ -10,6 +10,7 @@
 
 var logger = NLogBuilder.ConfigureNLog("nlog.config").GetCurrentClassLogger();
 
+var csp = "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';";
 try
 {
     logger.Debug("Log Started");
@@ -36,6 +37,17 @@
         c.SwaggerEndpoint($"/swagger/{app.Configuration["Swagger:Title"]}/swagger.json", app.Configuration["Swagger:Version"]);
     });
 
+    app.Use(async (context, next) =>
+    {
+        context.Response.Headers.Add("content-security-policy", csp);
+        context.Response.Headers.Add("Referrer-Policy", "no-referrer");
+        context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+        context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
+        context.Response.Headers.Add("X-XSS-protection", "0");
+        await next();
+    });
+
     app.UseMiddleware<ExceptionMiddleware>();
 
     app.UseEndpoints(endpoints => endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}"));
