Merge branch 'main' into CFODEV-539

ministryofjustice · Aug 15, 2024 · 67fd2f2 · 67fd2f2
2 parents 489ce3d + 0e4f2bb
commit 67fd2f2
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/src/Infrastructure/DependencyInjection.cs b/src/Infrastructure/DependencyInjection.cs
@@ -308,10 +308,17 @@ private static IServiceCollection AddAuthenticationService(this IServiceCollecti
 
         services.AddSingleton<IPasswordService, PasswordService>();
 
+        CookieSecurePolicy policy = CookieSecurePolicy.SameAsRequest;
+        if(configuration["IdentitySettings:SecureCookies"] is not null && configuration["IdentitySettings:SecureCookies"]!.Equals("True", StringComparison.CurrentCultureIgnoreCase))
+        {
+            policy = CookieSecurePolicy.Always;
+        }
+
+
         services.ConfigureApplicationCookie(options => {
             options.LoginPath = "/pages/authentication/login";
             options.Cookie.SameSite = SameSiteMode.Strict;
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+            options.Cookie.SecurePolicy = policy;
         });
 
         services

diff --git a/src/Server.UI/DependencyInjection.cs b/src/Server.UI/DependencyInjection.cs
@@ -31,10 +31,17 @@ public static WebApplicationBuilder AddServerUi(this WebApplicationBuilder build
         var services = builder.Services;
         var config = builder.Configuration;
         var environment = builder.Environment;
-
+
+
+        CookieSecurePolicy policy = CookieSecurePolicy.SameAsRequest;
+        if(config["IdentitySettings:SecureCookies"] is not null && config["IdentitySettings:SecureCookies"]!.Equals("True", StringComparison.CurrentCultureIgnoreCase))
+        {
+            policy = CookieSecurePolicy.Always;
+        }
+
         services.AddAntiforgery(options =>
         {
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+            options.Cookie.SecurePolicy = policy;
         });
 
         services.AddRazorComponents().AddInteractiveServerComponents();
@@ -140,6 +147,13 @@ public static WebApplication ConfigureServer(this WebApplication app, IConfigura
         app.UseAuthentication();
         app.UseAuthorization();
 
+
+        app.Use((context, next) =>
+        {
+            context.Request.Scheme = "https";
+            return next();
+        });
+
         app.Use(async (context, next) =>
         {
             context.Response.Headers.Append("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'self' data:; frame-src 'self' data:;"); 

diff --git a/src/Server.UI/appsettings.json b/src/Server.UI/appsettings.json
@@ -70,7 +70,8 @@
     "RequireUpperCase": true,
     "RequireLowerCase": true,
     "DefaultLockoutTimeSpan": 30,
-    "MaxFailedAccessAttempts": 5
+    "MaxFailedAccessAttempts": 5,
+    "SecureCookies": true
   },
   "Notify": {
     "ApiKey": "",