Merge pull request 'Release/ajustes-headers' (#23) from Release/ajustes-headers into main

Reviewed-on: https://git.carneiro.ddnsfree.com/ricardo/BCards/pulls/23

.claude/settings.local.json

@@ -34,8 +34,7 @@
       "Bash(netstat:*)",
       "Bash(ss:*)",
       "Bash(lsof:*)",
-      "Bash(dotnet run:*)",
+      "Bash(dotnet run:*)"
-      "Bash(dotnet user-secrets:*)"
     ]
   },
   "enableAllProjectMcpServers": false

src/BCards.Web/Areas/Support/ViewComponents/SupportFabViewComponent.cs

@@ -20,18 +20,10 @@ public class SupportFabViewComponent : ViewComponent
         try
         {
             var userId = UserClaimsPrincipal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
-
-            // Não mostrar botão de ajuda para usuários não autenticados
-            if (string.IsNullOrEmpty(userId))
-            {
-                _logger.LogDebug("SupportFab não exibido - usuário não autenticado");
-                return Content(string.Empty);
-            }
-
             var options = await _supportService.GetAvailableOptionsAsync(userId);
 
             _logger.LogDebug("SupportFab invocado para usuário {UserId} - Opções: Rating={CanRate}, Form={CanUseContactForm}, Telegram={CanAccessTelegram}",
-                userId, options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
+                userId ?? "anônimo", options.CanRate, options.CanUseContactForm, options.CanAccessTelegram);
 
             return View(options);
         }

src/BCards.Web/Program.cs

@@ -309,18 +309,8 @@ authBuilder.AddCookie(options =>
     options.SlidingExpiration = true;
     options.Cookie.HttpOnly = true;
     options.Cookie.IsEssential = true;
-
+    options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
-    // SameSite: None para produção (Cloudflare), Lax para desenvolvimento (OAuth local)
+    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-    if (builder.Environment.IsDevelopment())
-    {
-        options.Cookie.SameSite = SameSiteMode.Lax;
-        options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; // Permite HTTP em dev
-    }
-    else
-    {
-        options.Cookie.SameSite = SameSiteMode.None; // Para Cloudflare
-        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-    }
 });
 
 // Always register Google and Microsoft authentication schemes
@@ -622,11 +612,11 @@ app.Use(async (context, next) =>
 
     // Content Security Policy - Protects against XSS attacks
     var csp = "default-src 'self'; " +
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com https://www.clarity.ms https://static.cloudflareinsights.com; " +
+              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://accounts.google.com https://apis.google.com; " +
-              "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2 https://cdnjs.cloudflare.com; " +
+              "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdn.jsdelivr.net/npm/bootstrap@5.3.2; " +
               "img-src 'self' data: https: blob:; " +
-              "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; " +
+              "font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
-              "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com https://www.clarity.ms; " +
+              "connect-src 'self' https://accounts.google.com https://apis.google.com https://login.microsoftonline.com; " +
               "frame-src 'self' https://accounts.google.com https://login.microsoftonline.com; " +
               "object-src 'none'; " +
               "base-uri 'self'; " +