Umbraco, Security and Headers

If you want to improve your security within modern umbraco (9+), and potentially get an 'A' within securityheaders.com. Follow these steps!

Firstly install this nuget package:

NetEscapades.AspNetCore.SecurityHeaders

Create a new extension class, with the following code

public static class SecurityExtensions
{
    public static IApplicationBuilder ConfigureSecurityHeaders(this IApplicationBuilder app)
    {
        app.UseSecurityHeaders(
            new HeaderPolicyCollection()
            .AddFrameOptionsSameOrigin()
            .AddXssProtectionBlock()
            .AddContentTypeOptionsNoSniff()
            .AddReferrerPolicyNoReferrer()
            .AddPermissionsPolicy(b =>
            {
                b.AddAccelerometer().None();
                b.AddAutoplay().None();
                b.AddCamera().None();
                b.AddEncryptedMedia().None();
                b.AddFullscreen().All();
                b.AddGeolocation().None();
                b.AddGyroscope().None();
                b.AddMagnetometer().None();
                b.AddMicrophone().None();
                b.AddMidi().None();
                b.AddPayment().None();
                b.AddPictureInPicture().None();
                b.AddSyncXHR().None();
                b.AddUsb().None();
            })          
            .RemoveServerHeader()
            .RemoveCustomHeader("X-Powered-By")
            .AddCustomHeader("Strict-Transport-Security", $"max-age={StrictTransportSecurityHeader.OneYearInSeconds}; preload"));

        return app;
    }
}

Call the extension method within your startup.cs

   public void Configure(IApplicationBuilder app,
       IWebHostEnvironment env)
   {
      ...
       app.ConfigureSecurityHeaders();
      ...
      app.UseUmbraco()
        .WithMiddleware(u =>
        {
            u.UseBackOffice();
            u.UseWebsite();
        })
        .WithEndpoints(u =>
        {      
            u.UseInstallerEndpoints();
            u.UseBackOfficeEndpoints();
            u.UseWebsiteEndpoints();
        });
   }

This is completely configurable to your needs, but this should give you better security and improve your securityheaders.com score.

For the NetEscapades package, see this github repository:

https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

Improve security even further, secure your cookies

 public static class CookieExtensions
 {
     public static void ConfigureCookies(this IServiceCollection services)
     {
         services.Configure<CookiePolicyOptions>(o =>
         {
             o.MinimumSameSitePolicy = SameSiteMode.Strict;
             o.Secure = CookieSecurePolicy.Always;
         });

         services.ConfigureApplicationCookie(o =>
         {
             o.Cookie.HttpOnly = true;
             o.Cookie.SameSite = SameSiteMode.Strict;
             o.ExpireTimeSpan = TimeSpan.FromMinutes(30);
             o.SlidingExpiration = true;
             o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
         });

         services.AddAntiforgery(o =>
         {
             o.SuppressXFrameOptionsHeader = false;
             o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
         });
     }

     public static IApplicationBuilder ConfigureCookies(this IApplicationBuilder app)
     {
         app.UseCookiePolicy(new CookiePolicyOptions
         {
             Secure = CookieSecurePolicy.Always,
         });
         return app;
     }
 }

Call this within your Startup.cs

       public void ConfigureServices(IServiceCollection services)
       {
           ...
           services.ConfigureCookies();
           ...
       }
       ...
       public void Configure(IApplicationBuilder app, IWebHostEnvironment env)   
       {
          ...
          app.ConfigureCookies();
          ...
       }

This should secure up your cookies.

Contact

If you need any help, give me a shout! https://garpunkal.dev