Sotsera.Blazor.Server
1.0.0-preview.2
dotnet add package Sotsera.Blazor.Server --version 1.0.0-preview.2
NuGet\Install-Package Sotsera.Blazor.Server -Version 1.0.0-preview.2
<PackageReference Include="Sotsera.Blazor.Server" Version="1.0.0-preview.2" />
paket add Sotsera.Blazor.Server --version 1.0.0-preview.2
#r "nuget: Sotsera.Blazor.Server, 1.0.0-preview.2"
// Install Sotsera.Blazor.Server as a Cake Addin #addin nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.2&prerelease // Install Sotsera.Blazor.Server as a Cake Tool #tool nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.2&prerelease
sotsera.blazor.server
Some Blazor Server extensions
Security headers
A very simple middleware that adds headers to requests using the Response.OnStarting
hook. In fact, it allows executing any code on an HttpContext at the start of a request, as it expects a type that implements the interface
public interface ISecurityHeadersPolicy
{
void ApplyHeaders(HttpContext context, IWebHostEnvironment environment);
}
I needed a simple way to manage security headers on a Blazor Server site and, well, the name stuck.
Usage
Add the required services to the WebApplicationBuilder
and, optionally, configure the only two settings available
using Sotsera.Blazor.Server.SecurityHeaders.Blazor;
using Sotsera.Blazor.Server.SecurityHeaders.Policies;
using Sotsera.Blazor.Server.SecurityHeaders.Policies.Permissions;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSecurityHeaders(c =>
{
c.DisableKestrelServerHeader = true;
c.AntiforgeryTokenPrefix = "SuperSecretToken";
});
Add the middleware to the pipeline specifying the default policy (example defined below)
var app = builder.Build();
app.UseSecurityHeaders(new DefaultPolicy());
Override the policy on any IEndpointConventionBuilder like, for example, on a group
// This endpoint will have the default policy
app.MapGet("with-default-headers", () => "default headers");
// Override the security headers for a specific or group of endpoints
var group = app.MapGroup("api")
.RequireSecurityHeaders(new ApiPolicy());
// This endpoint will have the api policy
group.MapGet("with-api-headers", () => "api headers");
Disable the security headers for an IEndpointConventionBuilder
group.MapGet("without-headers", () => "without headers")
.DisableSecurityHeaders();
Override the policy specifically for Blazor server with interactivity auto or web assembly. The library contains a SHA-256 provider for the importmap script added by the <ImportMap />
component which can be resolved by a policy in order to include the sha in the Content Security Policy (CSP).
app.MapRazorComponents<App>().AddInteractiveServerRenderMode()
.RequireSecurityHeaders(new BlazorPolicy());
Example policies
// very basic policy
internal class DefaultPolicy : ISecurityHeadersPolicy
{
public virtual void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
{
var headers = context.Response.Headers;
headers.Remove("-- header name --");
headers.XContentTypeOptions = "-- value --";
}
}
// derived policy
internal class ApiPolicy : DefaultPolicy
{
public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
{
base.ApplyHeaders(context, environment);
context.Response.Headers.ContentSecurityPolicy = "-- value --";
}
}
// Blazor specific policy with importmap's SHA-256 in the Csp and a simple Permission policy
internal class BlazorPolicy : DefaultPolicy
{
public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
{
// retrieve the SHA-256 for the importmap script created by the <ImportMap /> component
var provider = context.GetRequiredService<IBlazorImportMapDefinitionShaProvider>();
var sha = provider.GetSha256(context);
// append the sha to the allowed sources
context.Response.Headers.ContentSecurityPolicy = $"script-src-elem {sha}";
// disable the camera and geolocation usage
context.Response.Headers["Permissions-Policy"] = new PermissionsPolicy
{
Camera = "()",
Microphone = "()"
};
}
}
Thanks
- Andrew Lock (@andrewlocknet) for NetEscapades.AspNetCore.SecurityHeaders
- IconShock (FreeIcons) for the library icon (color: #702AF7)
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net9.0 is compatible. |
-
net9.0
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.0-preview.2 | 52 | 9/19/2024 |
1.0.0-preview.1 | 57 | 9/17/2024 |