If you want to improve security within modern Umbraco (9+), and potentially get an 'A' on securityheaders.com, follow these steps!
First, install this NuGet package:
NetEscapades.AspNetCore.SecurityHeaders
Create a new extension class with the following code:
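/// <summary>
/// Registers the NetEscapades.AspNetCore.SecurityHeaders middleware with a hardened
/// default header policy for the whole site.
/// </summary>
public static class SecurityExtensions
{
    /// <summary>
    /// Adds the security-header middleware to the pipeline. Register it before
    /// <c>UseUmbraco()</c> so the headers are applied to every response.
    /// </summary>
    /// <param name="app">The application builder being configured.</param>
    /// <returns>The same <paramref name="app"/> instance, for chaining.</returns>
    public static IApplicationBuilder ConfigureSecurityHeaders(this IApplicationBuilder app)
    {
        var policy = new HeaderPolicyCollection()
            // X-Frame-Options: SAMEORIGIN — clickjacking protection.
            .AddFrameOptionsSameOrigin()
            // X-XSS-Protection is a deprecated header that most current browsers ignore;
            // kept only because the author included it for the scanner score.
            .AddXssProtectionBlock()
            // X-Content-Type-Options: nosniff.
            .AddContentTypeOptionsNoSniff()
            // Referrer-Policy: no-referrer.
            .AddReferrerPolicyNoReferrer()
            // Deny every browser feature except fullscreen. Relax an entry here if the
            // site embeds media or payment widgets that rely on it.
            .AddPermissionsPolicy(b =>
            {
                b.AddAccelerometer().None();
                b.AddAutoplay().None();
                b.AddCamera().None();
                b.AddEncryptedMedia().None();
                b.AddFullscreen().All();
                b.AddGeolocation().None();
                b.AddGyroscope().None();
                b.AddMagnetometer().None();
                b.AddMicrophone().None();
                b.AddMidi().None();
                b.AddPayment().None();
                b.AddPictureInPicture().None();
                b.AddSyncXHR().None();
                b.AddUsb().None();
            })
            .RemoveServerHeader()
            .RemoveCustomHeader("X-Powered-By")
            // HSTS. The preload list requires "includeSubDomains" together with "preload",
            // so the hand-built "max-age=...; preload" value used previously would not be
            // accepted for preloading. Note this commits *every* subdomain to HTTPS — if a
            // subdomain still serves plain HTTP, use AddStrictTransportSecurityMaxAge() instead.
            .AddStrictTransportSecurityMaxAgeIncludeSubDomainsAndPreload(StrictTransportSecurityHeader.OneYearInSeconds);

        // NOTE(review): no Content-Security-Policy is configured. It is the header that
        // carries the most weight in a securityheaders.com grade, but it needs a
        // site-specific policy (the Umbraco back office has its own script requirements),
        // so it is left to the implementer — see AddContentSecurityPolicy(...) in the library.
        app.UseSecurityHeaders(policy);
        return app;
    }
}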
Call the extension method within your Startup.cs:
// Middleware order matters: ConfigureSecurityHeaders() is registered before UseUmbraco()
// so the headers are applied to responses produced by the Umbraco middleware as well.
public void Configure(IApplicationBuilder app,
    IWebHostEnvironment env)
{
    ...
    app.ConfigureSecurityHeaders();
    ...
    app.UseUmbraco()
        .WithMiddleware(u =>
        {
            u.UseBackOffice();
            u.UseWebsite();
        })
        .WithEndpoints(u =>
        {
            u.UseInstallerEndpoints();
            u.UseBackOfficeEndpoints();
            u.UseWebsiteEndpoints();
        });
}
This is completely configurable to your needs, but it should give you better security and improve your securityheaders.com score.
For the NetEscapades package, see this GitHub repository:
https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders
Improve security even further: secure your cookies
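/// <summary>
/// Cookie hardening for the site: Secure-only, HttpOnly and SameSite=Strict cookies.
/// </summary>
public static class CookieExtensions
{
    /// <summary>
    /// Registers cookie-policy, application-cookie and antiforgery options.
    /// </summary>
    /// <param name="services">The service collection being configured.</param>
    public static void ConfigureCookies(this IServiceCollection services)
    {
        // The cookie-policy middleware rewrites every outgoing Set-Cookie: it forces the
        // Secure flag and raises SameSite to Strict. Strict blocks cookies on cross-site
        // navigations, so external-login callbacks (OAuth/OIDC) will not work with it —
        // relax to Lax if such flows are needed. Secure=Always also means cookies are not
        // sent over plain-HTTP local development.
        services.Configure<CookiePolicyOptions>(o =>
        {
            o.MinimumSameSitePolicy = SameSiteMode.Strict;
            o.Secure = CookieSecurePolicy.Always;
        });

        // Identity's application cookie. NOTE(review): the Umbraco back-office login uses
        // its own cookie scheme, so this may not cover the back-office cookie — confirm.
        services.ConfigureApplicationCookie(o =>
        {
            o.Cookie.HttpOnly = true;
            o.Cookie.SameSite = SameSiteMode.Strict;
            o.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            o.SlidingExpiration = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        services.AddAntiforgery(o =>
        {
            // false is the default; kept explicit so the X-Frame-Options header set by the
            // security-headers middleware is not suppressed.
            o.SuppressXFrameOptionsHeader = false;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    /// <summary>
    /// Adds the cookie-policy middleware, using the options registered by
    /// <see cref="ConfigureCookies(IServiceCollection)"/> so that MinimumSameSitePolicy
    /// is honoured as well as the Secure policy. Place it before the middleware that
    /// writes cookies (e.g. before UseUmbraco()).
    /// </summary>
    /// <param name="app">The application builder being configured.</param>
    /// <returns>The same <paramref name="app"/> instance, for chaining.</returns>
    public static IApplicationBuilder ConfigureCookies(this IApplicationBuilder app)
    {
        // The previous UseCookiePolicy(new CookiePolicyOptions { Secure = Always }) overload
        // replaced the DI-registered options, silently dropping MinimumSameSitePolicy = Strict.
        app.UseCookiePolicy();
        return app;
    }
}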
Call this within your Startup.cs:
// Registers the cookie-policy, application-cookie and antiforgery options.
public void ConfigureServices(IServiceCollection services)
{
    ...
    services.ConfigureCookies();
    ...
}
...
// Adds the cookie-policy middleware. Presumably this belongs before UseUmbraco(), so
// cookies written by the Umbraco middleware are covered — the snippet does not show the order.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    app.ConfigureCookies();
    ...
}
This should secure your cookies.
Contact
If you need any help, give me a shout! https://garpunkal.dev