Sotsera.Blazor.Server 1.0.0-preview.2

This is a prerelease version of Sotsera.Blazor.Server.
dotnet add package Sotsera.Blazor.Server --version 1.0.0-preview.2
NuGet\Install-Package Sotsera.Blazor.Server -Version 1.0.0-preview.2
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Sotsera.Blazor.Server" Version="1.0.0-preview.2" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add Sotsera.Blazor.Server --version 1.0.0-preview.2
#r "nuget: Sotsera.Blazor.Server, 1.0.0-preview.2"
The #r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or the source code of the script to reference the package.
// Install Sotsera.Blazor.Server as a Cake Addin
#addin nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.2&prerelease

// Install Sotsera.Blazor.Server as a Cake Tool
#tool nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.2&prerelease

Sotsera.Blazor.Server

Some Blazor Server extensions

Security headers

A very simple middleware that adds headers to the response using the Response.OnStarting hook. In practice it allows executing any code against the HttpContext at the start of a request, because all it expects is a type that implements this interface:

public interface ISecurityHeadersPolicy
{
    void ApplyHeaders(HttpContext context, IWebHostEnvironment environment);
}

I needed a simple way to manage security headers on a Blazor Server site and, well, the name stuck.

Usage

Add the required services to the WebApplicationBuilder and, optionally, configure the only two settings available:

using Sotsera.Blazor.Server.SecurityHeaders.Blazor;
using Sotsera.Blazor.Server.SecurityHeaders.Policies;
using Sotsera.Blazor.Server.SecurityHeaders.Policies.Permissions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSecurityHeaders(c =>
{
    c.DisableKestrelServerHeader = true;
    c.AntiforgeryTokenPrefix = "SuperSecretToken";
});

Add the middleware to the pipeline, specifying the default policy (an example is defined below):

var app = builder.Build();

app.UseSecurityHeaders(new DefaultPolicy());

Override the policy on any IEndpointConventionBuilder, for example on a group:

// This endpoint will have the default policy
app.MapGet("with-default-headers", () => "default headers");

// Override the security headers for a specific or group of endpoints
var group = app.MapGroup("api")
    .RequireSecurityHeaders(new ApiPolicy());

// This endpoint will have the api policy
group.MapGet("with-api-headers", () => "api headers");

Disable the security headers for an IEndpointConventionBuilder:

group.MapGet("without-headers", () => "without headers")
    .DisableSecurityHeaders();

Override the policy specifically for Blazor Server with interactivity set to Auto or WebAssembly. The library contains a SHA-256 provider for the importmap script added by the <ImportMap /> component; a policy can resolve it in order to include the hash in the Content Security Policy (CSP):

app.MapRazorComponents<App>().AddInteractiveServerRenderMode()
    .RequireSecurityHeaders(new BlazorPolicy());

Example policies (the "-- header name --" and "-- value --" strings are placeholders to be replaced with real headers and values):

// very basic policy
internal class DefaultPolicy : ISecurityHeadersPolicy
{
    public virtual void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        var headers = context.Response.Headers;
        headers.Remove("-- header name --");
        headers.XContentTypeOptions = "-- value --";
    }
}

// derived policy
internal class ApiPolicy : DefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        base.ApplyHeaders(context, environment);
        context.Response.Headers.ContentSecurityPolicy = "-- value --";
    }
}

// Blazor-specific policy with the importmap's SHA-256 in the CSP and a simple Permissions-Policy
internal class BlazorPolicy : DefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        // retrieve the SHA-256 for the importmap script created by the <ImportMap /> component
        var provider = context.GetRequiredService<IBlazorImportMapDefinitionShaProvider>();
        var sha = provider.GetSha256(context);

        // append the sha to the allowed sources
        context.Response.Headers.ContentSecurityPolicy = $"script-src-elem {sha}";

        // disable camera and microphone usage
        context.Response.Headers["Permissions-Policy"] = new PermissionsPolicy
        {
            Camera = "()",
            Microphone = "()"
        };
    }
}
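A more complete pair of policies, added here as an example and not taken from the project's README. It uses the ISecurityHeadersPolicy, IBlazorImportMapDefinitionShaProvider and PermissionsPolicy types shown above and assumes that GetSha256 returns the CSP-ready 'sha256-...' token (as the README's script-src-elem usage implies); the header values and the HardenedDefaultPolicy/HardenedBlazorPolicy names are this example's own choices.

```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Sotsera.Blazor.Server.SecurityHeaders.Blazor;
using Sotsera.Blazor.Server.SecurityHeaders.Policies;
using Sotsera.Blazor.Server.SecurityHeaders.Policies.Permissions;

// Baseline applied to every response (header values are this example's choices, not library defaults)
internal class HardenedDefaultPolicy : ISecurityHeadersPolicy
{
    public virtual void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        var headers = context.Response.Headers;
        headers.Remove("X-Powered-By");                 // strip server fingerprinting
        headers.XContentTypeOptions = "nosniff";        // no MIME sniffing
        headers.XFrameOptions = "DENY";                 // legacy clickjacking defence
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        // HSTS is only meaningful over TLS and would pin localhost during development
        if (context.Request.IsHttps && !environment.IsDevelopment())
            headers.StrictTransportSecurity = "max-age=31536000; includeSubDomains";
    }
}

// Blazor endpoints: same-origin CSP plus the hash of the inline importmap emitted by <ImportMap />
internal class HardenedBlazorPolicy : HardenedDefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        base.ApplyHeaders(context, environment);
        // assumed to return the CSP-ready 'sha256-...' token (see the README's script-src-elem usage)
        var sha = context.RequestServices
            .GetRequiredService<IBlazorImportMapDefinitionShaProvider>()
            .GetSha256(context);

        context.Response.Headers.ContentSecurityPolicy = string.Join("; ",
            "default-src 'self'",
            $"script-src 'self' {sha}",   // blazor.web.js from self + the hashed importmap
            "connect-src 'self' wss:",    // interactive server circuit (SignalR WebSocket)
            "frame-ancestors 'none'",     // CSP counterpart of X-Frame-Options: DENY
            "base-uri 'self'",
            "form-action 'self'");

        context.Response.Headers["Permissions-Policy"] = new PermissionsPolicy
        {
            Camera = "()",
            Microphone = "()"
        };
    }
}
```

Register them exactly as the README shows: app.UseSecurityHeaders(new HardenedDefaultPolicy()) for the pipeline and .RequireSecurityHeaders(new HardenedBlazorPolicy()) on the MapRazorComponents builder.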

Thanks

Target frameworks

  • net9.0 (included in the package; .NET net9.0 is compatible)

Dependencies

  • No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.0.0-preview.2 52 9/19/2024
1.0.0-preview.1 57 9/17/2024