3 files changed: +6 −6 lines changed
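--- a/OpenAPI/LearningHub.Nhs.OpenApi
+++ b/OpenAPI/LearningHub.Nhs.OpenApi
@@ -192,11 +192,11 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
 app . Use ( async ( context , next ) =>
 {
-context . Response . Headers . Add ( "content-security-policy" , "default -src 'self '; " + $ "script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https: ") ;
+context . Response . Headers . Add ( "content-security-policy" , "object -src 'none '; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self'; " ) ;
 context . Response . Headers . Add ( "Referrer-Policy" , "no-referrer" ) ;
 context . Response . Headers . Add ( "Strict-Transport-Security" , "max-age=31536000; includeSubDomains" ) ;
 context . Response . Headers . Add ( "X-Content-Type-Options" , "nosniff" ) ;
-context . Response . Headers . Add ( "X-Frame-Options" , "deny " ) ;
+context . Response . Headers . Add ( "X-Frame-Options" , "SAMEORIGIN " ) ;
 context . Response . Headers . Add ( "X-XSS-protection" , "0" ) ;
 await next ( ) ;
 } ) ;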
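Review bot: The new policy sets `frame-ancestors 'none'` while the same hunk relaxes `X-Frame-Options` from `deny` to `SAMEORIGIN`, so the two anti-framing controls now disagree: browsers that honour `frame-ancestors` ignore X-Frame-Options and block all framing, while older ones allow same-origin framing. Decide on one intent and align both, e.g. keep `"X-Frame-Options", "DENY"` next to `frame-ancestors 'none'`, or switch to `frame-ancestors 'self'` if same-origin framing is genuinely required. Note also that the replacement policy has no `default-src` or `script-src`, so for any HTML these hosts serve (Swagger UI, error pages) the header no longer constrains where scripts load from or whether inline script runs; if that is deliberate because responses are JSON-only, a comment such as `// API responses are JSON-only: CSP kept to framing/object/base-uri protections` would stop the next reader from re-adding the old allowlist with its static nonce. The enclosing `Configure` method starts and ends outside the hunk.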
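--- a/ReportAPI/LearningHub.Nhs.ReportApi
+++ b/ReportAPI/LearningHub.Nhs.ReportApi
@@ -22,11 +22,11 @@
 
 app . Use ( async ( context , next ) =>
 {
-context . Response . Headers . Add ( "content-security-policy" , "default -src 'self '; " + $ "script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https: ") ;
+context . Response . Headers . Add ( "content-security-policy" , "object -src 'none '; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self'; " ) ;
 context . Response . Headers . Add ( "Referrer-Policy" , "no-referrer" ) ;
 context . Response . Headers . Add ( "Strict-Transport-Security" , "max-age=31536000; includeSubDomains" ) ;
 context . Response . Headers . Add ( "X-Content-Type-Options" , "nosniff" ) ;
-context . Response . Headers . Add ( "X-Frame-Options" , "deny " ) ;
+context . Response . Headers . Add ( "X-Frame-Options" , "SAMEORIGIN " ) ;
 context . Response . Headers . Add ( "X-XSS-protection" , "0" ) ;
 await next ( ) ;
 } ) ;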
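Review bot: `sandbox allow-forms allow-same-origin allow-scripts allow-popups` grants any script that runs the document's real origin (`allow-same-origin` together with `allow-scripts`), so the sandbox does not isolate cookies or storage from script, and with `default-src`/`script-src` removed from the policy nothing in this header limits which scripts those are. What the directive still does is block plugins, top-level navigation and modals (`alert`/`confirm` will silently fail on any UI served here because `allow-modals` is absent), so if the goal is a minimal CSP for JSON-only responses consider dropping `sandbox` and keeping the unambiguous parts: `"object-src 'none'; frame-ancestors 'none'; base-uri 'self';"`. Separately, `Headers.Add` throws on a duplicate key, so if an earlier middleware has already set `content-security-policy` this line will fail the request; `context.Response.Headers["Content-Security-Policy"] = "…";` overwrites instead. The enclosing method starts before the hunk.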
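--- a/WebAPI/LearningHub.Nhs.API
+++ b/WebAPI/LearningHub.Nhs.API
@@ -40,11 +40,11 @@
 
 app . Use ( async ( context , next ) =>
 {
-context . Response . Headers . Add ( "content-security-policy" , "default -src 'self '; " + $ "script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https: ") ;
+context . Response . Headers . Add ( "content-security-policy" , "object -src 'none '; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self'; " ) ;
 context . Response . Headers . Add ( "Referrer-Policy" , "no-referrer" ) ;
 context . Response . Headers . Add ( "Strict-Transport-Security" , "max-age=31536000; includeSubDomains" ) ;
 context . Response . Headers . Add ( "X-Content-Type-Options" , "nosniff" ) ;
-context . Response . Headers . Add ( "X-Frame-Options" , "deny " ) ;
+context . Response . Headers . Add ( "X-Frame-Options" , "SAMEORIGIN " ) ;
 context . Response . Headers . Add ( "X-XSS-protection" , "0" ) ;
 await next ( ) ;
 } ) ;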
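Review bot: This is the third identical copy of the security-header middleware in the same commit, and each copy had to be edited by hand to the same text, which is how the `frame-ancestors 'none'` / `X-Frame-Options: SAMEORIGIN` contradiction in this hunk got replicated three times (modern browsers will block all framing, older ones will allow same-origin framing). Extract the block into one shared `UseSecurityHeaders(this IApplicationBuilder app)` extension in a common project so the policy is defined once, and fix the mismatch there by pairing `frame-ancestors 'none'` with `"X-Frame-Options", "DENY"` (or `'self'` with `SAMEORIGIN`, if same-origin framing is actually needed). While doing so, prefer `context.Response.Headers["Content-Security-Policy"] = …` over `Headers.Add`, which throws if the header was already set earlier in the pipeline. The enclosing method starts before the hunk.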