ricardo/BCards
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: XSS

Browse Source
This commit is contained in:
Ricardo Carneiro 2025-11-16 14:16:57 -03:00
parent 94c77fc867
commit 4e97efc160
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/BCards.Web/Program.cs
View File

@ -587,6 +587,19 @@ app.Use(async (context, next) =>
context.Response.Headers.Append("Referrer-Policy", "no-referrer");
context.Response.Headers.Append("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
// Content Security Policy - Protects against XSS attacks
var csp = "default-src 'self'; " +
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com; " +
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2; " +
"img-src 'self' data: https: blob:; " +
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
"connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com; " +
"frame-src 'self' https://accounts.google.com https://login.microsoftonline.com; " +
"object-src 'none'; " +
"base-uri 'self'; " +
"form-action 'self'";
context.Response.Headers.Append("Content-Security-Policy", csp);
// Load balancer e debugging headers
context.Response.Headers.Append("X-Server-ID", Environment.MachineName);
context.Response.Headers.Append("X-Instance-ID", $"{Environment.MachineName}-{Environment.ProcessId}");