Set HSTS using aspnet

- Remove duplicate header definitions - Set Xss Protection to 0 - Moved forwardedHeader definition before response header manipulation
DFE-Digital · Jul 5, 2024 · f47b666 · f47b666
1 parent 1f0d37b
commit f47b666
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 23 deletions.
diff --git a/Dfe.PrepareTransfers.Web/Security/SecureHeadersDefinitions.cs b/Dfe.PrepareTransfers.Web/Security/SecureHeadersDefinitions.cs
@@ -9,7 +9,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, Allow
    {
       HeaderPolicyCollection policy = new HeaderPolicyCollection()
          .AddFrameOptionsDeny()
-         .AddXssProtectionBlock()
+         .AddXssProtectionDisabled()
          .AddContentTypeOptionsNoSniff()
          .AddReferrerPolicyStrictOriginWhenCrossOrigin()
          .RemoveServerHeader()
@@ -35,7 +35,6 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, Allow
                .WithNonce();
             builder.AddFrameAncestors().None();
          })
-         .RemoveServerHeader()
          .AddPermissionsPolicy(builder =>
          {
             builder.AddAccelerometer().None();
@@ -54,12 +53,6 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, Allow
             builder.AddUsb().None();
          });
 
-      if (isDev is false)
-         // max age = one year in seconds
-      {
-          policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
-      }
-
       return policy;
    }
 }
diff --git a/Dfe.PrepareTransfers.Web/Startup.cs b/Dfe.PrepareTransfers.Web/Startup.cs
@@ -144,6 +144,15 @@ public void ConfigureServices(IServiceCollection services)
         // Initialize the ConversionsUrl
         var serviceLinkOptions = Configuration.GetSection("ServiceLink").Get<ServiceLinkOptions>();
         Links.InitializeConversionsUrl(serviceLinkOptions.ConversionsUrl);
+
+        // Enforce HTTPS in ASP.NET Core
+        // @link https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?
+        services.AddHsts(options =>
+        {
+            options.Preload = true;
+            options.IncludeSubDomains = true;
+            options.MaxAge = TimeSpan.FromDays(365);
+        });
     }
 
     /// <summary>
@@ -167,20 +176,27 @@ private AuthorizationPolicyBuilder SetupAuthorizationPolicyBuilder()
     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
     public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
     {
+        // Ensure we do not lose X-Forwarded-* Headers when behind a Proxy
+        var forwardOptions = new ForwardedHeadersOptions {
+            ForwardedHeaders = ForwardedHeaders.All,
+            RequireHeaderSymmetry = false
+        };
+        forwardOptions.KnownNetworks.Clear();
+        forwardOptions.KnownProxies.Clear();
+        app.UseForwardedHeaders(forwardOptions);
+
         if (env.IsDevelopment())
         {
             app.UseDeveloperExceptionPage();
         }
         else
         {
             app.UseExceptionHandler("/Errors");
-            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
-            app.UseHsts();
         }
 
         app.UseSecurityHeaders(SecurityHeadersDefinitions
-           .GetHeaderPolicyCollection(env.IsDevelopment(), GetTypedConfiguration<AllowedExternalSourcesOptions>())
-           .AddXssProtectionDisabled());
+           .GetHeaderPolicyCollection(env.IsDevelopment(), GetTypedConfiguration<AllowedExternalSourcesOptions>()));
+        app.UseHsts();
 
         app.UseCookiePolicy(new CookiePolicyOptions
         {
@@ -195,16 +211,6 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseHttpsRedirection();
         }
 
-        //For Azure AD redirect uri to remain https
-        var forwardOptions = new ForwardedHeadersOptions
-        {
-            ForwardedHeaders = ForwardedHeaders.All,
-            RequireHeaderSymmetry = false
-        };
-        forwardOptions.KnownNetworks.Clear();
-        forwardOptions.KnownProxies.Clear();
-        app.UseForwardedHeaders(forwardOptions);
-
         app.UseStaticFiles();
 
         app.UseHealthChecks("/health");
@@ -282,7 +288,7 @@ private static void AddServices(IServiceCollection services, IConfiguration conf
         services.AddScoped<ITramsHttpClient, TramsHttpClient>();
         services.AddScoped<IAcademisationHttpClient, AcademisationHttpClient>();
         services.AddScoped<IAcademyTransfersAdvisoryBoardDecisionRepository, AcademyTransfersAdvisoryBoardDecisionRepository>();
-        
+
         services.AddSingleton<PerformanceDataChannel>();
         services.AddSingleton<IDateTimeProvider, DateTimeProvider>();
         services.AddSingleton<IAuthorizationHandler, HeaderRequirementHandler>();