
Content-Security-Policy header not set

Open ageiter opened this issue 9 months ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Description

I would like Content-Security-Policy headers to be set. I have implemented this following the documentation, but no such headers are set.

```csharp
Configure<AbpSecurityHeadersOptions>(options =>
{
    options.UseContentSecurityPolicyHeader = true; //false by default
    options.ContentSecurityPolicyValue = "object-src 'none'; form-action 'self'; frame-ancestors 'none'"; //default value
});
```

It's a Blazor server app, but that should work there too, right? Does it depend on when I configure this (at which position in the ConfigureServices method)?

Reproduction Steps

No response

Expected behavior

The response header "Content-Security-Policy" is set to the values: object-src 'none'; form-action 'self'; frame-ancestors 'none'

Actual behavior

No response header "Content-Security-Policy" is set


Regression?

No response

Known Workarounds

If I add the header myself, it works:

```csharp
Configure<AbpSecurityHeadersOptions>(options =>
{
    options.Headers["Content-Security-Policy"] = "object-src 'none'; form-action 'self'; frame-ancestors 'none'";
});
```


Version

8.0.4

User Interface

Blazor Server

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

Windows (Default)

Other information

No response

ageiter avatar Apr 29 '24 16:04 ageiter
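As an added example (not code from this issue or from ABP), here is a small Python check that parses a raw HTTP response head and verifies that the `Content-Security-Policy` header the issue expects is present with its three directives; the two sample responses are constructed to mirror the "actual" and "expected" behaviour described above.

```python
# Added example (not from the ABP issue or project): parse raw HTTP response
# headers and verify the Content-Security-Policy the issue expects is present.
from typing import Dict, List

# Directives and source expressions from the issue's expected behaviour.
EXPECTED_CSP = {
    "object-src": ["'none'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_problems(raw_response: str) -> List[str]:
    """Return findings; an empty list means the CSP matches EXPECTED_CSP."""
    headers = parse_headers(raw_response)
    csp = headers.get("content-security-policy")
    if csp is None:
        return ["Content-Security-Policy header missing"]
    actual = parse_csp(csp)
    problems: List[str] = []
    for name, sources in EXPECTED_CSP.items():
        if name not in actual:
            problems.append(f"missing directive {name}")
        elif actual[name] != sources:
            problems.append(f"{name} is {' '.join(actual[name])}, expected {' '.join(sources)}")
    return problems

# Constructed sample responses: the issue's "actual behaviour" and the fixed one.
BROKEN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n\r\n<html>"
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'none'\r\n\r\n<html>")

if __name__ == "__main__":
    for label, resp in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, csp_problems(resp) or "OK")
```

The same check can be run against a captured response from the Blazor Server app (for example the head of a `curl -i` output) to confirm the middleware order took effect.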

Hi @ageiter, as far as I understand, you added app.UseAbpSecurityHeaders(); before app.UseRouting();. Can you add app.UseAbpSecurityHeaders(); after app.UseRouting(); and try again?

salihozkara avatar May 02 '24 07:05 salihozkara

Why are you already closing the issue?

In your default template, this method is called BEFORE UseRouting:

image

But it seems to work when I push it down.

Please change the template accordingly and make a note in the documentation... https://docs.abp.io/en/abp/latest/UI/AspNetCore/Security-Headers

ageiter avatar May 02 '24 10:05 ageiter

https://github.com/abpframework/abp/pull/19692

salihozkara avatar May 03 '24 06:05 salihozkara

Thank you for updating the documentation.

Will you also change the template with which a new solution (Blazor Server) can be generated (via ABP Suite)?

ageiter avatar May 03 '24 14:05 ageiter

> Thank you for updating the documentation.
>
> Will you also change the template with which a new solution (Blazor Server) can be generated (via ABP Suite)?

I've also updated the templates and they should be fixed in the new version.

salihozkara avatar May 03 '24 14:05 salihozkara

Perfect, thanks!

ageiter avatar May 03 '24 14:05 ageiter