using Microsoft.AspNetCore.Builder; | |
using Microsoft.AspNetCore.Rewrite; | |
using Microsoft.Extensions.Configuration; | |
using Microsoft.Extensions.DependencyInjection; | |
namespace xxx | |
{ | |
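public static class ConfigureAppHandlers
{
    /// <summary>
    /// Emits Strict-Transport-Security and redirects plain-HTTP requests to HTTPS.
    /// </summary>
    /// <remarks>
    /// Register this before any middleware that produces a response (rewriter,
    /// static files, MVC); middleware registered after a terminating handler never
    /// sees that handler's responses and cannot add headers to them.
    /// NOTE(review): HSTS is remembered by the browser for the whole max-age, so
    /// do not enable it for localhost/dev hosts or for a host that cannot serve
    /// every path over HTTPS. IncludeSubdomains()/Preload() are intentionally not
    /// set here — add them only once every subdomain is HTTPS-only.
    /// </remarks>
    public static void AddTransportSecurity(this IApplicationBuilder app)
    {
        // ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
        // NWebsec's MaxAge(days, hours, minutes, seconds): 365 days ≈ 31536000s
        // — confirm the parameter order against the package version in use.
        app.UseHsts(hsts => hsts.MaxAge(365));

        // HSTS only takes effect once the browser has seen the header on an
        // HTTPS response, so the first plain-HTTP hit must still be redirected.
        app.UseHttpsRedirection();
    }

    /// <summary>
    /// Applies the CORS policy: an explicit allow-list of origins, any HTTP method,
    /// no extra request headers and no credentials.
    /// </summary>
    /// <remarks>
    /// Requires services.AddCors() in ConfigureServices. The origin list is still
    /// a placeholder (see the TBD below) and must be filled with explicit
    /// scheme://host[:port] values; never pair AllowAnyOrigin()/"*" with
    /// AllowCredentials(), which browsers reject and which would otherwise expose
    /// authenticated responses to every site.
    /// </remarks>
    public static void AddCustomisedCORS(this IApplicationBuilder app)
    {
        //TBD: restrict to local access only
        app.UseCors(builder =>
            builder
                // explicit origins only — a wildcard here would let any site read responses
                .WithOrigins(<ORIGINS HERE>)
                .AllowAnyMethod());
    }

    /// <summary>
    /// Installs the rewrite rule (xxxService) that permanently redirects the legacy
    /// hosts team.credosity.com and try.credosity.com to www.credosity.com.
    /// </summary>
    /// <remarks>
    /// Register before static files/MVC so requests for the old hosts are
    /// redirected instead of served. NOTE(review): the rule itself lives in
    /// xxxService (not shown here); verify it matches the Host header exactly and
    /// builds the Location header from a fixed target rather than from request
    /// data, to avoid an open redirect.
    /// </remarks>
    public static void AddCustomisedRedirects(this IApplicationBuilder app)
    {
        // here we rewrite (permanent) all old team.credosity.com & try.credosity.com to www.credosity.com
        app.UseRewriter(new RewriteOptions()
            .Add(new xxxService()));
    }

    /// <summary>
    /// Emits a Content-Security-Policy header declaring the allowed style-src origins.
    /// </summary>
    /// <remarks>
    /// NOTE(review): as written the policy contains only style-src. With no
    /// default-src, script-src, object-src, base-uri or frame-ancestors, every
    /// other resource type is unrestricted — including the bootstrap/vue/jquery
    /// scripts the comments say are loaded from cdnjs — so this header currently
    /// provides no protection against injected scripts. Extend it with at least
    /// DefaultSources(Self), a ScriptSources list and a FontSources entry for the
    /// typekit/fontawesome font files (fonts fall back to default-src once that is
    /// set) after inventorying the page's assets; roll it out with
    /// UseCspReportOnly first so a missing entry does not break the site.
    /// 'unsafe-inline' on style-src permits injected CSS (data exfiltration via
    /// selectors); presumably required for the inline styles these libraries
    /// use — confirm, and drop it if not.
    /// </remarks>
    public static void AddContentSecurityPolicies(this IApplicationBuilder app)
    {
        app.UseCsp(options => options
            .StyleSources(s => s.Self()
                .UnsafeInline()
                .CustomSources(
                    "https://*.typekit.net/",          // web fonts
                    "https://cdnjs.cloudflare.com/",   // CDN source for bootstrap, vue, jquery libraries
                    "https://use.fontawesome.com/",    // web fonts
                    "https://cdn.jsdelivr.net/"        // CDN source emojis!
                )));
    }

    /// <summary>
    /// Sets X-Content-Type-Options, X-Frame-Options and X-XSS-Protection, then serves
    /// static files with default-document support.
    /// </summary>
    /// <remarks>
    /// Fix: UseXfo and UseXXssProtection were previously registered after
    /// UseStaticFiles. The static-file middleware terminates the pipeline when it
    /// serves a file, so every static response — including the default document —
    /// bypassed those two middlewares and went out without X-Frame-Options and
    /// X-XSS-Protection. All three header middlewares are now registered before
    /// the static-file middleware, as X-Content-Type-Options already was.
    /// </remarks>
    public static void SetupStaticFileHanding(this IApplicationBuilder app)
    {
        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
        // nosniff: stop browsers guessing a MIME type for a mis-served static file.
        app.UseXContentTypeOptions();

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        // DENY: the site may not be framed by anyone (clickjacking). The CSP
        // frame-ancestors directive is the modern equivalent and is not set in
        // AddContentSecurityPolicies, so this header is the only framing control.
        app.UseXfo(xfo => xfo.Deny());

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        // NOTE(review): the XSS auditor this header controls has since been removed
        // from Chromium-based browsers and was never in Firefox; current MDN/OWASP
        // guidance is to rely on CSP and send "0" (or omit). Left as-is; revisit
        // together with the CSP.
        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        // Terminating middleware: must come after every header middleware above.
        app.UseDefaultFiles();
        app.UseStaticFiles();
    }
}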
} |