abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Content-Security-Policy header not set #19653

Closed ageiter closed 2 weeks ago

ageiter commented 2 weeks ago

Is there an existing issue for this?

Description

I would like Content-Security-Policy headers to be set. I have implemented this following the documentation, but no such headers are set.

Configure<AbpSecurityHeadersOptions>(options =>
{
    options.UseContentSecurityPolicyHeader = true; //false by default
    options.ContentSecurityPolicyValue = "object-src 'none'; form-action 'self'; frame-ancestors 'none'"; //default value
});

It's a Blazor server app, but that should work there too, right? Does it depend on when I configure this (at which position in the ConfigureServices method)?

Reproduction Steps

No response

Expected behavior

The response header "Content-Security-Policy" is set to the values: object-src 'none'; form-action 'self'; frame-ancestors 'none'

Actual behavior

No response header "Content-Security-Policy" is set

[screenshot: response headers without Content-Security-Policy]

Regression?

No response

Known Workarounds

If I add the header myself, it works:

Configure<AbpSecurityHeadersOptions>(options =>
{
     options.Headers["Content-Security-Policy"] = "object-src 'none'; form-action 'self'; frame-ancestors 'none'";
});

[screenshot: response headers with Content-Security-Policy set]

Version

8.0.4

User Interface

Blazor Server

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

Windows (Default)

Other information

No response

salihozkara commented 2 weeks ago

Hi @ageiter, as far as I understand, you added app.UseAbpSecurityHeaders(); before app.UseRouting();. Can you add app.UseAbpSecurityHeaders(); after app.UseRouting(); and try again?
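The fix described in this thread, written out as a complete module, as an added example (not code from the issue or from the ABP project itself): the option values are the ones from the issue, while the module class name, the `Volo.Abp.AspNetCore.Security` namespace and the other middleware calls around `UseAbpSecurityHeaders()` are assumptions about a typical ABP Blazor Server module and may need adjusting to the generated template.

```csharp
using Microsoft.AspNetCore.Builder;
using Volo.Abp;
using Volo.Abp.AspNetCore.Security; // assumed namespace of AbpSecurityHeadersOptions
using Volo.Abp.Modularity;

// Hypothetical module name; replace with the one generated for your solution.
public class MyBlazorServerModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // Option values taken from the issue above.
        Configure<AbpSecurityHeadersOptions>(options =>
        {
            options.UseContentSecurityPolicyHeader = true; // false by default
            options.ContentSecurityPolicyValue =
                "object-src 'none'; form-action 'self'; frame-ancestors 'none'";
        });
    }

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();

        // ... other early middleware of the template (exception handling, HTTPS redirection, static files)

        app.UseRouting();

        // Must be registered AFTER UseRouting(): with the call placed before it, the
        // Content-Security-Policy header was not emitted at all in the reporter's test.
        app.UseAbpSecurityHeaders();

        app.UseAuthentication();
        app.UseAuthorization();

        // ... remaining middleware and endpoint mapping of the template
        app.UseConfiguredEndpoints();
    }
}
```

To confirm the change took effect, request any page of the running app and check that the response carries a `Content-Security-Policy` header with exactly the configured value; the absence of the header after a redeploy is the quickest sign that the middleware order in the module has been reverted.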

ageiter commented 2 weeks ago

Why are you already closing the issue?

In your default template, this method is called BEFORE UseRouting:

[screenshot: default template calling UseAbpSecurityHeaders before UseRouting]

But it seems to work when I push it down.

Please change the template accordingly and make a note in the documentation... https://docs.abp.io/en/abp/latest/UI/AspNetCore/Security-Headers

salihozkara commented 2 weeks ago

https://github.com/abpframework/abp/pull/19692

ageiter commented 2 weeks ago

Thank you for updating the documentation.

Will you also change the template with which a new solution (Blazor Server) can be generated (via ABP Suite)?

salihozkara commented 2 weeks ago

> Thank you for updating the documentation.
>
> Will you also change the template with which a new solution (Blazor Server) can be generated (via ABP Suite)?

I've also updated the templates and they should be fixed in the new version.

ageiter commented 2 weeks ago

Perfect, thanks!