
This article shows how to improve the security of an Umbraco 9 application by adding security headers to every HTTP response served by its Razor Pages. I'll show how to add the headers using the NetEscapades.AspNetCore.SecurityHeaders NuGet package from Andrew Lock.

If you would prefer to do this without using a package, please see the example at the bottom of this post.

First you will need to install the following two packages into the project containing the Umbraco 9 Website (the project containing the Startup.cs file).

dotnet add package NetEscapades.AspNetCore.SecurityHeaders
dotnet add package NetEscapades.AspNetCore.SecurityHeaders.TagHelpers

The NetEscapades.AspNetCore.SecurityHeaders package contains the core functionality: the header policy builders and the middleware that writes the headers.

The NetEscapades.AspNetCore.SecurityHeaders.TagHelpers package contains tag helpers which allow you to use the CSP nonce in the Razor Pages.

We highly recommend running a test of your website at securityheaders.com; the documentation on the results page explains very well what each header protects against.

The first class we need to create lives in a file called HeaderPolicyCollection.cs. Keeping the header definitions in this file keeps Startup.cs tidy.

In this policy as much as possible is blocked; you will need to customise it to work with your website.

I highly recommend working through this alongside the readme from the GitHub repository:

https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders#readme
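The post does not reproduce the body of HeaderPolicyCollection.cs, so here is a worked example of what that file can contain. This is an added example rather than the author's file: it uses the package's fluent builders (HeaderPolicyCollection, AddContentSecurityPolicy, AddPermissionsPolicy and friends) and the SecurityHeadersDefinitions.GetHeaderPolicyCollection name that the Startup.cs snippet below calls; the namespace is a placeholder for your own. The Permissions-Policy entries mirror the header set in the no-package variant at the end of the post. A policy this strict is aimed at the public site; the Umbraco back office relies on inline scripts and styles, so expect to relax or scope it for that area (that caveat is mine, not the post's).

```csharp
using NetEscapades.AspNetCore.SecurityHeaders;

// Placeholder namespace; use the namespace of your Umbraco 9 web project.
namespace MyUmbracoSite.Security
{
    /// <summary>
    /// Holds the response security header policy so Startup.cs only has to call
    /// app.UseSecurityHeaders(SecurityHeadersDefinitions.GetHeaderPolicyCollection(...)).
    /// </summary>
    public static class SecurityHeadersDefinitions
    {
        public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
        {
            var policy = new HeaderPolicyCollection()
                // Clickjacking: refuse to be rendered inside any frame.
                .AddFrameOptionsDeny()
                // Legacy XSS filter header for older browsers (X-XSS-Protection: 1; mode=block).
                .AddXssProtectionBlock()
                // Stop browsers MIME-sniffing responses into a different content type.
                .AddContentTypeOptionsNoSniff()
                // Send the full referrer only to same-origin destinations.
                .AddReferrerPolicyStrictOriginWhenCrossOrigin()
                // Remove the Server header from responses the middleware sees
                // (Kestrel and IIS still need the settings shown later in the post).
                .RemoveServerHeader()
                .AddContentSecurityPolicy(builder =>
                {
                    builder.AddDefaultSrc().Self();
                    builder.AddObjectSrc().None();            // no plugins (Flash, Java, ...)
                    builder.AddBlockAllMixedContent();
                    builder.AddImgSrc().Self().From("data:"); // allow inline data: images
                    builder.AddFormAction().Self();           // forms may only post back to us
                    builder.AddFontSrc().Self();
                    builder.AddBaseUri().Self();              // no <base> hijacking
                    builder.AddFrameAncestors().None();       // CSP equivalent of X-Frame-Options: DENY
                    // Scripts and styles must be same-origin or carry the per-request nonce
                    // that the package generates and the tag helpers emit.
                    builder.AddScriptSrc().Self().WithNonce();
                    builder.AddStyleSrc().Self().WithNonce();
                })
                .AddPermissionsPolicy(builder =>
                {
                    // Same feature set as the hand-written Permissions-Policy header in the post.
                    builder.AddAccelerometer().None();
                    builder.AddCamera().None();
                    builder.AddGeolocation().None();
                    builder.AddGyroscope().None();
                    builder.AddMagnetometer().None();
                    builder.AddMicrophone().None();
                    builder.AddPayment().None();
                    builder.AddUsb().None();
                });

            if (!isDev)
            {
                // HSTS only outside development: a cached max-age for localhost would
                // break plain-HTTP development of every site on that host.
                policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(
                    maxAgeInSeconds: 60 * 60 * 24 * 365);
            }

            return policy;
        }
    }
}
```

Because script-src and style-src use WithNonce(), any inline script or style that is not tagged with the nonce will be blocked by the browser, which is exactly the check that securityheaders.com and the browser console will surface when you first deploy this.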

Now you will need to add this to your Startup.cs class within the Configure method:

app.UseSecurityHeaders(
    SecurityHeadersDefinitions
        .GetHeaderPolicyCollection(env.IsDevelopment()));

If you are running the site with Kestrel, you can remove the Server header by changing webBuilder as follows in your Program.cs file:

webBuilder
    // Stop Kestrel adding "Server: Kestrel" to every response.
    .ConfigureKestrel(options =>
        options.AddServerHeader = false)
    .UseStartup<Startup>();

If you are running the site with IIS, then you will need to add the following to your web.config:

<security>
    <requestFiltering removeServerHeader="true" />
</security>

Next you will want to allow the CSP nonce to be used in the Razor Pages. To do this, add the NetEscapades.AspNetCore.SecurityHeaders namespace to the _ViewImports.cshtml file:

@using NetEscapades.AspNetCore.SecurityHeaders

You can use the NonceTagHelper with an element by adding the following attribute:

asp-add-nonce

Alternatively, if you wish to use the HashTagHelper you can add the following attribute:

asp-add-content-to-csp

Optionally you can choose between SHA256 or SHA512 by adding the following attribute:

csp-hash-type

If you would prefer not to use the tag helpers, you can retrieve the CSP nonce within a Razor Page from the HttpContext as follows:

var nonce = Context.GetNonce();

And it can be used with a script or css file by adding the following attribute:

nonce="@nonce"
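To show how the pieces above fit together, here is a constructed _ViewImports.cshtml and _Layout.cshtml excerpt. It is an added example, not the author's views: the file contents, paths and inline snippets are made up for illustration. Besides the @using from the post it also registers the tag helper assembly with @addTagHelper, which the package readme requires before asp-add-nonce will do anything.

```cshtml
@* _ViewImports.cshtml *@
@* The using exposes Context.GetNonce(); the addTagHelper line registers
   asp-add-nonce (and the other tag helpers) from the TagHelpers package. *@
@using NetEscapades.AspNetCore.SecurityHeaders
@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers

@* _Layout.cshtml (constructed excerpt) *@
@{
    // Manual route: read the per-request nonce once and reuse it below.
    var nonce = Context.GetNonce();
}
<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" href="~/css/site.css" />
    @* Tag helper route: the helper appends nonce="..." for this request. *@
    <style asp-add-nonce>
        .hero { margin: 0; }
    </style>
</head>
<body>
    @RenderBody()
    <script src="~/js/site.js" asp-add-nonce></script>
    @* Same effect without the tag helper, using the value from GetNonce(). *@
    <script nonce="@nonce">
        document.body.dataset.layout = "ready";
    </script>
</body>
</html>
```

Both forms produce the same markup; mixing them in one layout is fine because the nonce is generated once per request and the tag helper reads the same value.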

If you would prefer to configure the headers without using a NuGet package, then in your Startup.cs file you can add the following within the Configure method:

app.Use(async (context, next) =>
{
    // Legacy XSS filter for older browsers; modern browsers rely on CSP instead.
    context.Response.Headers.Add("X-Xss-Protection", "1; mode=block");
    // Full referrer to same-security destinations, none when dropping from HTTPS to HTTP.
    context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade");
    // Deny the listed browser features to this site and any embedded frames.
    context.Response.Headers.Add("Permissions-Policy", "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
    // Left empty here on purpose; fill in your own policy (see the note below).
    // Note: Headers.Add throws if the same header was already set earlier in the pipeline.
    context.Response.Headers.Add("Content-Security-Policy", "");
    await next();
});

Please note: the Content-Security-Policy header above has had its value removed for brevity; you will need to enter your own policy there for it to work.

For further reading I highly recommend the following links:

This post is based on the post by damienbod, which can be found here.
