-
Notifications
You must be signed in to change notification settings - Fork 135
Security Headers
Edi Wang edited this page Jan 21, 2024
·
1 revision
The security headers for Moonglade are controlled at web server level, not from ASP.NET Core kestrel. Because:
- Different users have different security policies, I can not hard code it into
startup.cs
- Web server like IIS, Nginx or LB, WAF can provide much richer and flexibility to set security headers
The ./src/Moonglade.Web/web.Release.config
is a default web.config transformation file to set security headers.
<location>
<system.webServer>
<security xdt:Transform="InsertIfMissing">
<requestFiltering removeServerHeader="true" />
</security>
<httpProtocol xdt:Transform="InsertIfMissing">
<customHeaders>
<remove name="X-Powered-By" />
<add name="x-content-type-options" value="nosniff" />
<add name="x-frame-options" value="SAMEORIGIN" />
<add name="x-xss-protection" value="1" />
<add name="feature-policy" value="camera 'none'; microphone 'none'; payment 'none'; usb 'none'; accelerometer 'none'" />
<add name="content-security-policy" value="form-action 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.vo.msecnd.net https://*.services.visualstudio.com" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
I am not a Linux guy, this need some time to research...