Reverted Open API and report API CSP changes also.

Swapnamol · Swapnamol · commit 7dfaf18d635d · 2025-03-19T09:31:22.000Z
diff --git a/OpenAPI/LearningHub.Nhs.OpenApi/Startup.cs b/OpenAPI/LearningHub.Nhs.OpenApi/Startup.cs
@@ -211,16 +211,16 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 c.OAuthUsePkce();
             });
 
-            app.Use(async (context, next) =>
-            {
-                context.Response.Headers.Add("content-security-policy", "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';");
-                context.Response.Headers.Add("Referrer-Policy", "no-referrer");
-                context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-                context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
-                context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
-                context.Response.Headers.Add("X-XSS-protection", "0");
-                await next();
-            });
+            ////app.Use(async (context, next) =>
+            ////{
+            ////    context.Response.Headers.Add("content-security-policy", "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';");
+            ////    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
+            ////    context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+            ////    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+            ////    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
+            ////    context.Response.Headers.Add("X-XSS-protection", "0");
+            ////    await next();
+            ////});
 
             app.UseHttpsRedirection();
 
diff --git a/ReportAPI/LearningHub.Nhs.ReportApi/Program.cs b/ReportAPI/LearningHub.Nhs.ReportApi/Program.cs
@@ -20,16 +20,16 @@
 
     var app = builder.Build();
 
-    app.Use(async (context, next) =>
-    {
-        context.Response.Headers.Add("content-security-policy", "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';");
-        context.Response.Headers.Add("Referrer-Policy", "no-referrer");
-        context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
-        context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
-        context.Response.Headers.Add("X-XSS-protection", "0");
-        await next();
-    });
+    ////app.Use(async (context, next) =>
+    ////{
+    ////    context.Response.Headers.Add("content-security-policy", "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';");
+    ////    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
+    ////    context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+    ////    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+    ////    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
+    ////    context.Response.Headers.Add("X-XSS-protection", "0");
+    ////    await next();
+    ////});
 
     app.UseRouting();
     app.UseAuthorization();
