Umbraco, Security and Headers

Gareth Wright

If you want to improve security in modern Umbraco (9+), and potentially get an 'A' on securityheaders.com, follow these steps!

Firstly, install this NuGet package:

NetEscapades.AspNetCore.SecurityHeaders

Create a new extension class with the following code:

```csharp
using Microsoft.AspNetCore.Builder;
using NetEscapades.AspNetCore.SecurityHeaders.Headers;

public static class SecurityExtensions
{
    public static IApplicationBuilder ConfigureSecurityHeaders(this IApplicationBuilder app)
    {
        app.UseSecurityHeaders(
            new HeaderPolicyCollection()
            // X-Frame-Options: SAMEORIGIN - only our own pages may frame the site (clickjacking)
            .AddFrameOptionsSameOrigin()
            // X-XSS-Protection: 1; mode=block (legacy header; modern browsers no longer implement it)
            .AddXssProtectionBlock()
            // X-Content-Type-Options: nosniff - stop MIME type sniffing
            .AddContentTypeOptionsNoSniff()
            // Referrer-Policy: no-referrer
            .AddReferrerPolicyNoReferrer()
            // Permissions-Policy: switch off browser features the site does not use
            .AddPermissionsPolicy(b =>
            {
                b.AddAccelerometer().None();
                b.AddAutoplay().None();
                b.AddCamera().None();
                b.AddEncryptedMedia().None();
                b.AddFullscreen().All();
                b.AddGeolocation().None();
                b.AddGyroscope().None();
                b.AddMagnetometer().None();
                b.AddMicrophone().None();
                b.AddMidi().None();
                b.AddPayment().None();
                b.AddPictureInPicture().None();
                b.AddSyncXHR().None();
                b.AddUsb().None();
            })
            // Drop headers that advertise the server stack
            .RemoveServerHeader()
            .RemoveCustomHeader("X-Powered-By")
            // HSTS for one year, added as a custom header so it is emitted on every response
            .AddCustomHeader("Strict-Transport-Security", $"max-age={StrictTransportSecurityHeader.OneYearInSeconds}; preload"));

        return app;
    }
}
```

Call the extension method within your Startup.cs:

```csharp
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    // Register the header middleware before Umbraco so every response,
    // back office and front end alike, carries the headers.
    app.ConfigureSecurityHeaders();
    ...
    app.UseUmbraco()
        .WithMiddleware(u =>
        {
            u.UseBackOffice();
            u.UseWebsite();
        })
        .WithEndpoints(u =>
        {
            u.UseInstallerEndpoints();
            u.UseBackOfficeEndpoints();
            u.UseWebsiteEndpoints();
        });
}
```

This is completely configurable to your needs, but as written it should give you better security and improve your securityheaders.com score.

For the NetEscapades package, see this GitHub repository:

https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

Improve security even further: secure your cookies

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class CookieExtensions
{
    public static void ConfigureCookies(this IServiceCollection services)
    {
        // Site-wide policy applied by the cookie policy middleware to every
        // cookie the app writes: SameSite=Strict and the Secure flag always on.
        services.Configure<CookiePolicyOptions>(o =>
        {
            o.MinimumSameSitePolicy = SameSiteMode.Strict;
            o.Secure = CookieSecurePolicy.Always;
        });

        // The authentication cookie: not readable from script, Strict SameSite,
        // 30 minute sliding lifetime, Secure only.
        services.ConfigureApplicationCookie(o =>
        {
            o.Cookie.HttpOnly = true;
            o.Cookie.SameSite = SameSiteMode.Strict;
            o.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            o.SlidingExpiration = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        // The anti-forgery cookie: Secure only, and keep emitting X-Frame-Options
        // on the pages that render a token.
        services.AddAntiforgery(o =>
        {
            o.SuppressXFrameOptionsHeader = false;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public static IApplicationBuilder ConfigureCookies(this IApplicationBuilder app)
    {
        // No options instance is passed here on purpose: the middleware then reads
        // the CookiePolicyOptions registered in ConfigureServices above. Passing
        // a new CookiePolicyOptions would silently replace that registration and
        // drop MinimumSameSitePolicy = Strict.
        app.UseCookiePolicy();
        return app;
    }
}
```

Call this within your Startup.cs:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    ...
    services.ConfigureCookies();
    ...
}
...
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    app.ConfigureCookies();
    ...
}
```

This should lock down your cookies.
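Before relying on securityheaders.com, it is worth checking in a unit test what the two extension classes actually put on the wire. The xunit test below is an added example, not code from the post or from the NetEscapades project: it spins up a throwaway in-memory pipeline with Microsoft.AspNetCore.TestHost (no Umbraco involved), wires in SecurityExtensions and CookieExtensions from above, and asserts on the response headers. It assumes a test project that references the web project, xunit and Microsoft.AspNetCore.TestHost; the cookie name "session-probe" is a constructed value. Two caveats the test makes visible: the cookie test only sees samesite=strict when UseCookiePolicy reads the CookiePolicyOptions registered in ConfigureServices (handing the middleware a fresh CookiePolicyOptions instance discards MinimumSameSitePolicy), and the HSTS assertion only checks max-age, because hstspreload.org also requires includeSubDomains before it accepts a preload submission, which the header as written does not send.

```csharp
// Added example (not part of the post): in-memory checks for the headers and
// cookie attributes produced by SecurityExtensions and CookieExtensions.
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Xunit;

public class HardeningTests
{
    // Builds a throwaway host: no Umbraco, only the middleware under test and a
    // terminal handler supplied by each test, then issues one GET /.
    private static async Task<HttpResponseMessage> SendAsync(
        Action<IServiceCollection> services,
        Action<IApplicationBuilder> pipeline,
        RequestDelegate terminal)
    {
        using var host = await new HostBuilder()
            .ConfigureWebHost(web =>
            {
                web.UseTestServer();
                web.ConfigureServices(services);
                web.Configure(app =>
                {
                    pipeline(app);
                    app.Run(terminal);
                });
            })
            .StartAsync();

        using var client = host.GetTestClient();
        return await client.GetAsync("/");
    }

    [Fact]
    public async Task Security_headers_are_present_on_every_response()
    {
        var response = await SendAsync(
            services => { },
            app => app.ConfigureSecurityHeaders(),
            ctx => ctx.Response.WriteAsync("ok"));

        Assert.Equal("SAMEORIGIN", response.Headers.GetValues("X-Frame-Options").Single());
        Assert.Equal("nosniff", response.Headers.GetValues("X-Content-Type-Options").Single());
        Assert.Equal("no-referrer", response.Headers.GetValues("Referrer-Policy").Single());
        // OneYearInSeconds is 60 * 60 * 24 * 365
        Assert.Contains("max-age=31536000", response.Headers.GetValues("Strict-Transport-Security").Single());
        Assert.Contains("camera=()", response.Headers.GetValues("Permissions-Policy").Single());
        Assert.False(response.Headers.Contains("X-Powered-By"));
    }

    [Fact]
    public async Task Cookies_written_by_the_app_get_secure_and_samesite_strict()
    {
        var response = await SendAsync(
            services => services.ConfigureCookies(),
            app => app.ConfigureCookies(),
            ctx =>
            {
                // A cookie written with no attributes at all (constructed name);
                // the cookie policy middleware must tighten it before it leaves.
                ctx.Response.Cookies.Append("session-probe", "1");
                return ctx.Response.WriteAsync("ok");
            });

        var setCookie = response.Headers.GetValues("Set-Cookie").Single();
        Assert.Contains("secure", setCookie, StringComparison.OrdinalIgnoreCase);
        Assert.Contains("samesite=strict", setCookie, StringComparison.OrdinalIgnoreCase);
    }
}
```

Run it with `dotnet test` from the test project. The Server header is not asserted because TestServer never adds one; RemoveServerHeader only matters behind Kestrel or IIS.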

Contact

If you need any help, give me a shout! https://garpunkal.dev
