Sotsera.Blazor.Server
1.0.0-preview.1
See the version list below for details.
dotnet add package Sotsera.Blazor.Server --version 1.0.0-preview.1
NuGet\Install-Package Sotsera.Blazor.Server -Version 1.0.0-preview.1
<PackageReference Include="Sotsera.Blazor.Server" Version="1.0.0-preview.1" />
paket add Sotsera.Blazor.Server --version 1.0.0-preview.1
#r "nuget: Sotsera.Blazor.Server, 1.0.0-preview.1"
// Install Sotsera.Blazor.Server as a Cake Addin
#addin nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.1&prerelease
// Install Sotsera.Blazor.Server as a Cake Tool
#tool nuget:?package=Sotsera.Blazor.Server&version=1.0.0-preview.1&prerelease
sotsera.blazor.server
Some Blazor Server extensions
Security headers
A very simple middleware that adds headers to each response using the Response.OnStarting hook. In fact, it allows executing any code on the HttpContext when the response starts, as it expects a type that implements the interface
public interface ISecurityHeadersPolicy
{
    void ApplyHeaders(HttpContext context, IWebHostEnvironment environment);
}
I needed a simple way to manage security headers on a Blazor Server site and, well, the name stuck.
Usage
Add the required services to the WebApplicationBuilder and, optionally, configure the only two settings available
using Sotsera.Blazor.Server.SecurityHeaders.Blazor;
using Sotsera.Blazor.Server.SecurityHeaders.Policies;
using Sotsera.Blazor.Server.SecurityHeaders.Policies.Permissions;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSecurityHeaders(c =>
{
    c.DisableKestrelServerHeader = true;
    c.AntiforgeryTokenPrefix = "SuperSecretToken";
});
Add the middleware to the pipeline specifying the default policy (example defined below)
var app = builder.Build();
app.UseSecurityHeaders(new DefaultPolicy());
Override the policy on any IEndpointConventionBuilder, for example on a group
// This endpoint will have the default policy
app.MapGet("with-default-headers", () => "default headers");

// Override the security headers for a specific endpoint or a group of endpoints
var group = app.MapGroup("api")
    .RequireSecurityHeaders(new ApiPolicy());

// This endpoint will have the api policy
group.MapGet("with-api-headers", () => "api headers");
Disable the security headers for an IEndpointConventionBuilder
group.MapGet("without-headers", () => "without headers")
    .DisableSecurityHeaders();
Override the policy specifically for Blazor Server. The library contains a SHA-256 provider for the importmap script added by the <ImportMap /> component, which a policy can resolve and use.
app.MapRazorComponents<App>().AddInteractiveServerRenderMode()
    .RequireSecurityHeaders(new BlazorPolicy());
Example policies
// very basic policy
internal class DefaultPolicy : ISecurityHeadersPolicy
{
    public virtual void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        var headers = context.Response.Headers;
        headers.Remove("-- header name --");
        headers.XContentTypeOptions = "-- value --";
    }
}

// derived policy
internal class ApiPolicy : DefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        base.ApplyHeaders(context, environment);
        context.Response.Headers.ContentSecurityPolicy = "-- value --";
    }
}

// Blazor-specific policy with the importmap's SHA-256 in the CSP and a simple Permissions-Policy
internal class BlazorPolicy : DefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        // keep the baseline headers of the default policy
        base.ApplyHeaders(context, environment);

        // retrieve the SHA-256 of the importmap script created by the <ImportMap /> component
        var provider = context.GetRequiredService<IBlazorImportMapDefinitionShaProvider>();
        var sha = provider.GetSha256(context);

        // append the sha to the allowed script sources
        context.Response.Headers.ContentSecurityPolicy = $"script-src-elem {sha}";

        // disable camera and microphone usage
        context.Response.Headers["Permissions-Policy"] = new PermissionsPolicy
        {
            Camera = "()",
            Microphone = "()"
        };
    }
}
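The policies above leave the header values as placeholders. As an added example that is not part of the package README, the two classes below fill them in with concrete values. The ISecurityHeadersPolicy, IBlazorImportMapDefinitionShaProvider and PermissionsPolicy names come from the page; the specific header values, the CSP directive list, the HSTS gate on the environment, the null check on the returned hash and the use of context.RequestServices (instead of the page's context.GetRequiredService) are this example's own assumptions and should be tuned per application.

```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Sotsera.Blazor.Server.SecurityHeaders.Blazor;
using Sotsera.Blazor.Server.SecurityHeaders.Policies;
using Sotsera.Blazor.Server.SecurityHeaders.Policies.Permissions;

// Baseline policy for every endpoint. Header values are this example's choices
// (assumptions), not defaults shipped by the library.
internal class HardenedDefaultPolicy : ISecurityHeadersPolicy
{
    public virtual void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        var headers = context.Response.Headers;

        // Stack-fingerprinting header added by some hosts (e.g. IIS); removing it is harmless when absent.
        // The Kestrel "Server" header is handled by the DisableKestrelServerHeader option instead.
        headers.Remove("X-Powered-By");

        // Stop MIME sniffing, framing by other sites and referrer leakage.
        headers.XContentTypeOptions = "nosniff";
        headers["X-Frame-Options"] = "DENY";
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
        headers["Cross-Origin-Opener-Policy"] = "same-origin";

        // HSTS only for HTTPS responses outside Development, so plain http://localhost
        // debugging does not get pinned to HTTPS by the browser.
        if (context.Request.IsHttps && !environment.IsDevelopment())
        {
            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
        }
    }
}

// Policy for the Blazor Server endpoints: adds a CSP that allows the hashed inline
// importmap and the circuit's WebSocket, then restricts browser features.
internal class HardenedBlazorPolicy : HardenedDefaultPolicy
{
    public override void ApplyHeaders(HttpContext context, IWebHostEnvironment environment)
    {
        base.ApplyHeaders(context, environment);

        // Hash of the inline importmap script emitted by <ImportMap />, resolved through
        // RequestServices (the README resolves it with context.GetRequiredService).
        var provider = context.RequestServices.GetRequiredService<IBlazorImportMapDefinitionShaProvider>();
        var sha = provider.GetSha256(context);

        // Assumption: if no importmap was rendered for this response the provider may return
        // nothing; in that case allow only same-origin script elements.
        var scriptSrcElem = string.IsNullOrWhiteSpace(sha)
            ? "script-src-elem 'self'"
            : $"script-src-elem 'self' {sha}";

        // The SignalR circuit opens a WebSocket back to this host; match the request scheme
        // so an http://localhost dev run still connects.
        var wsScheme = context.Request.IsHttps ? "wss" : "ws";
        var wsOrigin = $"{wsScheme}://{context.Request.Host}";

        var csp = string.Join("; ",
            "default-src 'self'",
            scriptSrcElem,
            $"connect-src 'self' {wsOrigin}",
            "img-src 'self' data:",
            "style-src 'self'",
            "font-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self'",
            "frame-ancestors 'none'");
        context.Response.Headers.ContentSecurityPolicy = csp;

        // Deny access to hardware the site never needs.
        context.Response.Headers["Permissions-Policy"] = new PermissionsPolicy
        {
            Camera = "()",
            Microphone = "()"
        };
    }
}
```

Wire them exactly like the README's own classes: app.UseSecurityHeaders(new HardenedDefaultPolicy()) for the pipeline default and .RequireSecurityHeaders(new HardenedBlazorPolicy()) on the MapRazorComponents builder. When rolling out the CSP, it is worth sending the same value on the Content-Security-Policy-Report-Only header first and watching the browser console for violations (third-party fonts, inline styles, external images) before switching to the enforcing header.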
Thanks
- Andrew Lock (@andrewlocknet) for NetEscapades.AspNetCore.SecurityHeaders
- IconShock (FreeIcons) for the library icon (color: #702AF7)
Product | Versions (compatible and additional computed target framework versions)
---|---
.NET | net9.0 is compatible.
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.0-preview.2 | 46 | 9/19/2024 |
1.0.0-preview.1 | 51 | 9/17/2024 |