
[BUG] Security headers import from securityheaders.json

Open theArtist-dev opened this issue 2 years ago • 7 comments

Describe the bug The headers described in the json file are encapsulated in "Headers", but during the loading of the json file into the container class the headers are not imported. The name of the header "XXSS-Protection" does not conform.

To Reproduce Steps to reproduce the behavior: Put a breakpoint in the Startup file in SecurityHeaders in Infrastructure to see the value retrieved from the json file.

Thank you Mukesh for your incredible work 😀

theArtist-dev avatar Mar 27 '22 10:03 theArtist-dev

Jep... have actually mentioned this before somewhere...

found it: https://github.com/fullstackhero/dotnet-webapi-boilerplate/pull/526#issue-1151802606 ;-)

I don't think this has been tested very thoroughly...

A PR to fix this is more than welcome! (the easiest solution would be to just change the configuration file so the headers are not in a sub "headers" object... the nicer solution would probably be to create a new object to represent that header object (although it might make it actually more complicated ==> so the easier solution might probably be the best in this case)).

Extra bonus points if the PR would also include some tests ;-)

fretje avatar Mar 27 '22 17:03 fretje

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 17:04 stale[bot]

bug still here

fretje avatar Apr 16 '22 17:04 fretje

I would like to create a pr to fix this but I do not understand why this sub "headers" object causes the issue, why its not imported?

snax4a avatar May 10 '22 08:05 snax4a

this is the SecurityHeaderSettings object:

public class SecurityHeaderSettings
{
    public bool Enable { get; set; }
    public string? XFrameOptions { get; set; }
    public string? XContentTypeOptions { get; set; }
    public string? ReferrerPolicy { get; set; }
    public string? PermissionsPolicy { get; set; }
    public string? SameSite { get; set; }
    public string? XXSSProtection { get; set; }
}

this is the config:

{
  "SecurityHeaderSettings": {
    "Enable": true,
    "Headers": {
      "XFrameOptions": "SAMEORIGIN",
      "XContentTypeOptions": "nosniff",
      "ReferrerPolicy": "same-origin",
      "PermissionsPolicy": "geolocation=(), camera=()",
      "SameSite": "",
      "XXSS-Protection": "1; mode=block"
    }
  }
}

Do you see the problem now?

fretje avatar May 10 '22 08:05 fretje

the easier solution is making the config like this:

{
  "SecurityHeaderSettings": {
    "Enable": true,
    "XFrameOptions": "SAMEORIGIN",
    "XContentTypeOptions": "nosniff",
    "ReferrerPolicy": "same-origin",
    "PermissionsPolicy": "geolocation=(), camera=()",
    "SameSite": "",
    "XXSSProtection": "1; mode=block"
  }
}

the other one is creating another "SecurityHeaders" object:

public class SecurityHeaderSettings
{
    public bool Enable { get; set; }
    public SecurityHeaders Headers { get; set; }
}

public class SecurityHeaders
{
    public string? XFrameOptions { get; set; }
    public string? XContentTypeOptions { get; set; }
    public string? ReferrerPolicy { get; set; }
    public string? PermissionsPolicy { get; set; }
    public string? SameSite { get; set; }
    public string? XXSSProtection { get; set; }
}

fretje avatar May 10 '22 08:05 fretje
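The following console program is an added example written for this thread; it is not code from the dotnet-starter-kit project or from either commenter. It binds the two JSON layouts discussed above with Microsoft.Extensions.Configuration and shows why the nested "Headers" object (and the hyphenated "XXSS-Protection" key) leaves every header property null: the default binder silently ignores any key that has no matching property, so the application starts with `Enable` true and no header values at all. It also shows the `ErrorOnUnknownConfiguration` binder option, which turns that silent gap into a startup exception. The sample JSON strings are constructed here, the flattened one with the key renamed to match the `XXSSProtection` property as the issue's second point asks; the package names and .NET 6+ target are assumptions. Independently of the binding bug, the HTTP header itself is `X-XSS-Protection`, which modern browsers ignore; the usual recommendation today is to send `0` or omit it and rely on Content-Security-Policy.

```csharp
// Added example, not project code. Requires the NuGet packages
// Microsoft.Extensions.Configuration.Json and Microsoft.Extensions.Configuration.Binder
// (assumed .NET 6 or later, nullable reference types enabled).
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

public class SecurityHeaderSettings
{
    public bool Enable { get; set; }
    public string? XFrameOptions { get; set; }
    public string? XContentTypeOptions { get; set; }
    public string? ReferrerPolicy { get; set; }
    public string? PermissionsPolicy { get; set; }
    public string? SameSite { get; set; }
    public string? XXSSProtection { get; set; }
}

public static class Program
{
    // Constructed sample: the layout of the original securityheaders.json
    // (sub "Headers" object plus the hyphenated key).
    private const string BrokenJson = @"{
      ""SecurityHeaderSettings"": {
        ""Enable"": true,
        ""Headers"": {
          ""XFrameOptions"": ""SAMEORIGIN"",
          ""XContentTypeOptions"": ""nosniff"",
          ""XXSS-Protection"": ""1; mode=block""
        }
      }
    }";

    // Constructed sample: the flattened layout, with the key renamed to match the property.
    private const string FixedJson = @"{
      ""SecurityHeaderSettings"": {
        ""Enable"": true,
        ""XFrameOptions"": ""SAMEORIGIN"",
        ""XContentTypeOptions"": ""nosniff"",
        ""XXSSProtection"": ""1; mode=block""
      }
    }";

    private static IConfigurationSection Load(string json) =>
        new ConfigurationBuilder()
            .AddJsonStream(new MemoryStream(Encoding.UTF8.GetBytes(json)))
            .Build()
            .GetSection(nameof(SecurityHeaderSettings));

    public static void Main()
    {
        // 1. Default binding: unknown keys ("Headers", "XXSS-Protection") are dropped
        //    without any error, so Enable is true but every header value is null.
        var broken = Load(BrokenJson).Get<SecurityHeaderSettings>()!;
        Console.WriteLine($"broken layout: Enable={broken.Enable}, " +
                          $"XFrameOptions={broken.XFrameOptions ?? "null"}, " +
                          $"XXSSProtection={broken.XXSSProtection ?? "null"}");

        // 2. Strict binding: ErrorOnUnknownConfiguration makes the binder throw
        //    when a configuration key maps to no property, which is the check
        //    you want at startup so a typo cannot silently disable a header.
        try
        {
            Load(BrokenJson).Get<SecurityHeaderSettings>(o => o.ErrorOnUnknownConfiguration = true);
            Console.WriteLine("strict bind unexpectedly succeeded");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("strict bind rejected the broken layout: " + ex.Message);
        }

        // 3. Flattened layout with matching key names binds every property,
        //    and passes the strict check as well.
        var fixedSettings = Load(FixedJson)
            .Get<SecurityHeaderSettings>(o => o.ErrorOnUnknownConfiguration = true)!;
        Console.WriteLine($"fixed layout: XFrameOptions={fixedSettings.XFrameOptions}, " +
                          $"XContentTypeOptions={fixedSettings.XContentTypeOptions}, " +
                          $"XXSSProtection={fixedSettings.XXSSProtection}");
    }
}
```

Property matching in the binder is case-insensitive but otherwise exact, so `"XXSS-Protection"` can never populate `XXSSProtection`; the same strict option also catches that mismatch if the nested-object fix from the comment above is chosen instead of the flattened one.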

Oh I missed that, now I got it and I can create the PR

snax4a avatar May 10 '22 08:05 snax4a