diff --git a/src/UmbracoProject/Program.cs b/src/UmbracoProject/Program.cs
index 642744b..f1f9da5 100644
--- a/src/UmbracoProject/Program.cs
+++ b/src/UmbracoProject/Program.cs
@@ -1,3 +1,5 @@
+using Joonasw.AspNetCore.SecurityHeaders;
+
 WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
 
 builder.CreateUmbracoBuilder()
@@ -27,6 +29,52 @@
     app.UseHsts();
 }
 
+app.Use(async (context, next) =>
+{
+    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
+    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+    await next();
+});
+
+app.UseCsp(csp =>
+{
+    csp.ByDefaultAllow
+        .FromSelf()
+        .From("packages.umbraco.org")
+        .From("our.umbraco.org");
+    csp.AllowScripts
+        .FromSelf()
+        .From("ajax.googleapis.com")
+        .From("unpkg.com")
+        .From("ajax.aspnetcdn.com")
+        .From("cdnjs.cloudflare.com")
+        .From("cdn.jsdelivr.net");
+    csp.AllowStyles
+        .FromSelf()
+        .AllowUnsafeInline()
+        .From("fonts.googleapis.com")
+        .From("cdn.jsdelivr.net")
+        .From("cdnjs.cloudflare.com")
+        .From("cdn.linearicons.com");
+    csp.AllowImages
+        .FromSelf()
+        .From("*.googleapis.com")
+        .From("via.placeholder.com")
+        .From("umbraco.com");
+    csp.AllowFonts
+        .FromSelf()
+        .From("cdnjs.cloudflare.com")
+        .From("fonts.gstatic.com")
+        .From("cdn.linearicons.com");
+
+    csp.AllowFraming.FromSelf();
+    csp.OnSendingHeader = context =>
+    {
+        context.ShouldNotSend = context.HttpContext.Request.Path.StartsWithSegments("/umbraco");
+        return Task.CompletedTask;
+    };
+});
+
 app.UseUmbraco()
     .WithMiddleware(u =>
     {
diff --git a/src/UmbracoProject/UmbracoProject.csproj b/src/UmbracoProject/UmbracoProject.csproj
index 8a471e4..7c974cd 100644
--- a/src/UmbracoProject/UmbracoProject.csproj
+++ b/src/UmbracoProject/UmbracoProject.csproj
@@ -638,6 +638,7 @@
+
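Review bot: The two `context.Response.Headers.Add(...)` calls in the new `app.Use` middleware throw an `ArgumentException` on a duplicate key, because `IHeaderDictionary` is an `IDictionary<string, StringValues>`, so any request where something else in the pipeline has already set `X-Frame-Options` or `X-Content-Type-Options` fails with a 500 instead of getting the header; use the indexer instead, `context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";` and `context.Response.Headers["X-Content-Type-Options"] = "nosniff";` (analyzer ASP0019 flags the `Add` form). The `AllowScripts` list grants entire public CDN origins (`ajax.googleapis.com`, `unpkg.com`, `ajax.aspnetcdn.com`, `cdnjs.cloudflare.com`, `cdn.jsdelivr.net`), so any script hosted on those services satisfies the policy and the script-src protection is largely nominal; consider narrowing each source to the specific package paths the site actually loads, or moving to nonces/hashes, and revisit `AllowUnsafeInline()` on styles with the same eye. The `OnSendingHeader` hook silently leaves everything under `/umbraco` with no CSP at all, which is a deliberate but undocumented choice; a one-line comment such as `// Backoffice is excluded: it presumably relies on inline assets this policy would block - confirm on Umbraco upgrades` would keep a later maintainer from tightening the wrong side. The trailing `app.UseUmbraco()` chain continues outside the hunk.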