using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
namespace xxx
{
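/// <summary>
/// <see cref="IApplicationBuilder"/> extensions that register the security
/// middleware used by this app: HSTS + HTTPS redirection, CORS, host rewrites,
/// Content-Security-Policy, and the static-file pipeline with its
/// X-Content-Type-Options / X-Frame-Options / X-XSS-Protection headers.
/// </summary>
/// <remarks>
/// Middleware executes in registration order. A middleware that completes the
/// response itself (the static-file middleware, for a request it serves) never
/// invokes the rest of the pipeline, so header-setting middleware registered
/// after it does not apply to those responses. For the same reason, call the
/// header methods here before <see cref="SetupStaticFileHanding"/> in Startup.
/// </remarks>
public static class ConfigureAppHandlers
{
    /// <summary>
    /// Emits Strict-Transport-Security with a one-year max-age and redirects
    /// plain-HTTP requests to HTTPS.
    /// ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    public static void AddTransportSecurity(this IApplicationBuilder app)
    {
        // Browsers that have received this header refuse plain-HTTP access to
        // the host for the max-age period. The lambda overload is NWebsec's
        // (the framework's own UseHsts takes no options lambda); its MaxAge
        // takes days as the first argument, so 365 == one year. Subdomains
        // are not covered unless IncludeSubdomains() is added — TODO confirm
        // whether every subdomain is served over HTTPS before enabling that.
        app.UseHsts(hsts => hsts.MaxAge(365));

        // Redirect any request that still arrives over HTTP to the HTTPS scheme.
        app.UseHttpsRedirection();
    }

    /// <summary>
    /// Enables CORS for the listed origins with any HTTP method. Request
    /// headers and credentials are left at the policy builder's defaults.
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    public static void AddCustomisedCORS(this IApplicationBuilder app)
    {
        //TBD: restrict to local access only
        // The origin list is a placeholder in this snippet; it must hold the
        // exact scheme+host(+port) strings of the callers that are allowed.
        app.UseCors(builder =>
            builder
                .WithOrigins(<ORIGINS HERE>)
                .AllowAnyMethod());
    }

    /// <summary>
    /// Installs the URL rewriter that maps the legacy hosts
    /// (team.credosity.com and try.credosity.com) to www.credosity.com.
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    public static void AddCustomisedRedirects(this IApplicationBuilder app)
    {
        // xxxService (placeholder name in this snippet) is the IRule that
        // holds the host mapping; the original note describes the result as a
        // permanent rewrite — verify the status code in that rule.
        app.UseRewriter(new RewriteOptions()
            .Add(new xxxService()));
    }

    /// <summary>
    /// Emits a Content-Security-Policy that constrains stylesheet sources to
    /// this origin, inline styles, and the listed font/CDN hosts.
    /// </summary>
    /// <remarks>
    /// Only style-src is configured. No default-src is set, so scripts,
    /// images, frames, connections etc. are not restricted by this policy at
    /// all — the CDN hosts below are allowed for CSS only, and script loading
    /// is governed by nothing. 'unsafe-inline' also removes most of the
    /// protection style-src offers against injected styles. Tightening this
    /// (DefaultSources/ScriptSources) needs an inventory of what the pages
    /// actually load, so the policy is left as-is. Register this before the
    /// static-file middleware so the header also reaches static HTML.
    /// </remarks>
    /// <param name="app">The application pipeline builder.</param>
    public static void AddContentSecurityPolicies(this IApplicationBuilder app)
    {
        app.UseCsp(options => options
            .StyleSources(s => s.Self()
                .UnsafeInline()
                .CustomSources(
                    "https://*.typekit.net/",         // web fonts
                    "https://cdnjs.cloudflare.com/",  // CDN source for bootstrap, vue, jquery libraries
                    "https://use.fontawesome.com/",   // web fonts
                    "https://cdn.jsdelivr.net/"       // CDN source emojis!
                )));
    }

    /// <summary>
    /// Serves default documents and static files from the web root, with
    /// X-Content-Type-Options, X-Frame-Options and X-XSS-Protection applied to
    /// every response that passes through — including the static files.
    /// </summary>
    /// <remarks>
    /// The static-file middleware completes the response for files it serves
    /// and does not call the rest of the pipeline, so a header middleware
    /// registered after it is silently skipped for those responses. All three
    /// header middlewares are therefore registered before UseDefaultFiles /
    /// UseStaticFiles; static HTML is exactly where clickjacking protection
    /// (X-Frame-Options) must be present.
    /// </remarks>
    /// <param name="app">The application pipeline builder.</param>
    public static void SetupStaticFileHanding(this IApplicationBuilder app)
    {
        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
        // nosniff: the browser must honour the declared Content-Type.
        app.UseXContentTypeOptions();

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        // DENY: the pages may not be framed by any origin.
        app.UseXfo(xfo => xfo.Deny());

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        // "1; mode=block" for browsers that still implement the legacy filter.
        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        // Order matters: these must come after the header middleware above.
        app.UseDefaultFiles();
        app.UseStaticFiles();
    }
}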
}