From 4e97efc1602486c4fa9778fcac93c6eb97c0540d Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Sun, 16 Nov 2025 14:16:57 -0300
Subject: [PATCH 1/2] fix: XSS

---
 src/BCards.Web/Program.cs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/BCards.Web/Program.cs b/src/BCards.Web/Program.cs
index 9ea0f6c..9d4cf23 100644
--- a/src/BCards.Web/Program.cs
+++ b/src/BCards.Web/Program.cs
@@ -587,6 +587,19 @@ app.Use(async (context, next) =>
 context.Response.Headers.Append("Referrer-Policy", "no-referrer");
 context.Response.Headers.Append("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
 
+ // Content Security Policy - Protects against XSS attacks
+ var csp = "default-src 'self'; " +
+ "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com; " +
+ "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2; " +
+ "img-src 'self' data: https: blob:; " +
+ "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
+ "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com; " +
+ "frame-src 'self' https://accounts.google.com https://login.microsoftonline.com; " +
+ "object-src 'none'; " +
+ "base-uri 'self'; " +
+ "form-action 'self'";
+ context.Response.Headers.Append("Content-Security-Policy", csp);
+
 // Load balancer e debugging headers
 context.Response.Headers.Append("X-Server-ID", Environment.MachineName);
 context.Response.Headers.Append("X-Instance-ID", $"{Environment.MachineName}-{Environment.ProcessId}");

From 98709256eaabf106d69f4da5b134aecea79d1ab7 Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Tue, 30 Dec 2025 17:26:46 -0300
Subject: [PATCH 2/2] feat: headers

---
 src/BCards.Web/Program.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
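Review bot: The `script-src` in the new `csp` string keeps `'unsafe-inline'` and `'unsafe-eval'`, which lets any injected `<script>` tag or inline event handler execute, so this policy does not provide the XSS protection that the commit title and the `// Content Security Policy - Protects against XSS attacks` comment claim. The fix is a nonce- or hash-based script source: generate a per-request value with `RandomNumberGenerator`, emit it here as `'nonce-…'` and on every `<script>` tag in the views (outside this hunk), then drop both keywords; `'unsafe-inline'` in `style-src` is less severe but deserves the same treatment. Allowing the whole origin `https://cdn.jsdelivr.net` (which already subsumes the two `…/npm/bootstrap@5.3.2` entries) permits loading any package published on that CDN, and `img-src … https:` accepts images from any host, so pin the exact script paths and add SRI, and consider shipping the policy as `Content-Security-Policy-Report-Only` first to surface breakage before enforcing it. The enclosing `app.Use(async (context, next) =>` middleware starts and ends outside this hunk.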
diff --git a/src/BCards.Web/Program.cs b/src/BCards.Web/Program.cs
index 4bd8960..6200460 100644
--- a/src/BCards.Web/Program.cs
+++ b/src/BCards.Web/Program.cs
@@ -581,7 +581,10 @@ builder.Services.AddHsts(options =>
 
 var app = builder.Build();
 
-app.UseForwardedHeaders();
+app.UseForwardedHeaders(new ForwardedHeadersOptions
+{
+ ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
+});
 
 if (!app.Environment.IsDevelopment())
 {
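Review bot: The inline `new ForwardedHeadersOptions` passed to `UseForwardedHeaders` leaves `KnownProxies`/`KnownNetworks` at their loopback-only defaults and, because an explicit instance is supplied, discards any options that may have been registered earlier via `builder.Services.Configure<ForwardedHeadersOptions>` (not visible here). Behind a non-loopback load balancer the `X-Forwarded-For`/`X-Forwarded-Proto` headers will therefore be ignored, and the common workaround of clearing those lists would let any client spoof `RemoteIpAddress` and the request scheme. Populate the trusted proxy addresses from configuration instead, e.g. `KnownProxies = { IPAddress.Parse(builder.Configuration["Proxy:Address"]!) }` inside the initializer, keep `ForwardLimit` at its default of 1 unless there is a proxy chain, and add a comment stating which proxy is trusted. The forwarded scheme also feeds the HSTS/HTTPS-redirect decisions, which presumably live in the `if (!app.Environment.IsDevelopment())` block that continues past the end of this hunk, so this call must stay ahead of them.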