Skip to content

Commit ee5c721

Browse files
swapnamol-abrahamswapnamol-abraham
authored
Merge pull request #1010 from TechnologyEnhancedLearning/Develop/Fixes/TD-3732-Missing-Security-Headers
TD-3732: Missing Security Headers
2 parents c07874e + 5dcd8b0 commit ee5c721

File tree

3 files changed

+33
-0
lines changed

3 files changed

+33
-0
lines changed

OpenAPI/LearningHub.Nhs.OpenApi/Startup.cs

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -190,6 +190,17 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
190190
c.OAuthUsePkce();
191191
});
192192

193+
app.Use(async (context, next) =>
194+
{
195+
context.Response.Headers.Add("content-security-policy", "default-src 'self'; " + $"script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https:");
196+
context.Response.Headers.Add("Referrer-Policy", "no-referrer");
197+
context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
198+
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
199+
context.Response.Headers.Add("X-Frame-Options", "deny");
200+
context.Response.Headers.Add("X-XSS-protection", "0");
201+
await next();
202+
});
203+
193204
app.UseHttpsRedirection();
194205

195206
app.UseRouting();

ReportAPI/LearningHub.Nhs.ReportApi/Program.cs

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,17 @@
2020

2121
var app = builder.Build();
2222

23+
app.Use(async (context, next) =>
24+
{
25+
context.Response.Headers.Add("content-security-policy", "default-src 'self'; " + $"script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https:");
26+
context.Response.Headers.Add("Referrer-Policy", "no-referrer");
27+
context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
28+
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
29+
context.Response.Headers.Add("X-Frame-Options", "deny");
30+
context.Response.Headers.Add("X-XSS-protection", "0");
31+
await next();
32+
});
33+
2334
app.UseRouting();
2435
app.UseAuthorization();
2536

WebAPI/LearningHub.Nhs.API/Program.cs

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,17 @@
3838

3939
app.UseMiddleware<ExceptionMiddleware>();
4040

41+
app.Use(async (context, next) =>
42+
{
43+
context.Response.Headers.Add("content-security-policy", "default-src 'self'; " + $"script-src 'self' 'nonce-random772362' https://script.hotjar.com https://www.google-analytics.com https://static.hotjar.com https://www.googletagmanager.com https://cdnjs.cloudflare.com 'unsafe-hashes' 'sha256-oywvD6W6okwID679n4cvPJtWLowSS70Pz87v1ryS0DU=' 'sha256-kbHtQyYDQKz4SWMQ8OHVol3EC0t3tHEJFPCSwNG9NxQ' 'sha256-YoDy5WvNzQHMq2kYTFhDYiGnEgPrvAY5Il6eUu/P4xY=' 'sha256-/n13APBYdqlQW71ZpWflMB/QoXNSUKDxZk1rgZc+Jz8=' 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=' 'sha256-VQKp2qxuvQmMpqE/U/ASQ0ZQ0pIDvC3dgQPPCqDlvBo=';" + "style-src 'self' 'unsafe-inline' https://use.fontawesome.com; " + "font-src https://script.hotjar.com https://assets.nhs.uk/; " + "connect-src 'self' http: ws:; " + "img-src 'self' data: https:; " + "frame-src 'self' https:");
44+
context.Response.Headers.Add("Referrer-Policy", "no-referrer");
45+
context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
46+
context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
47+
context.Response.Headers.Add("X-Frame-Options", "deny");
48+
context.Response.Headers.Add("X-XSS-protection", "0");
49+
await next();
50+
});
51+
4152
app.UseEndpoints(endpoints => endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}"));
4253

4354
app.Run();

0 commit comments

Comments
 (0)