diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 9585068..fae88d6 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -4,6 +4,9 @@
 "Bash(dotnet test:*)",
 "Bash(dotnet build:*)",
 "Bash(dotnet pack:*)"
+ ],
+ "additionalDirectories": [
+ "D:\\Code\\GitHub\\migration-validator"
 ]
 }
 }
diff --git a/src/PSW/Controllers/CommunityTemplatesApiController.cs b/src/PSW/Controllers/CommunityTemplatesApiController.cs
index 54f8549..b3de77f 100644
--- a/src/PSW/Controllers/CommunityTemplatesApiController.cs
+++ b/src/PSW/Controllers/CommunityTemplatesApiController.cs
@@ -51,8 +51,8 @@ public async Task GetIndex()
 {
 cacheEntry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(CacheTimeInMinutes);
- var indexPath = Path.Combine(_webHostEnvironment.WebRootPath,
- "community-templates",
+ var indexPath = Path.Combine(_webHostEnvironment.WebRootPath,
+ "community-templates",
 "index.json");
 if (!System.IO.File.Exists(indexPath))
diff --git a/src/PSW/Middleware/SecurityHeadersMiddleware.cs b/src/PSW/Middleware/SecurityHeadersMiddleware.cs
index 4c86592..70312b5 100644
--- a/src/PSW/Middleware/SecurityHeadersMiddleware.cs
+++ b/src/PSW/Middleware/SecurityHeadersMiddleware.cs
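Review bot: The new `additionalDirectories` entry hard-codes one developer's absolute Windows path (`D:\\Code\\GitHub\\migration-validator`) into a file that, judging by its `.local.json` name, looks like Claude Code's per-machine override rather than shared project configuration; committing it publishes that path and what appears to be the agent's command allowlist to every clone and will churn each time a contributor edits it. If that reading is right, the file should be untracked — add `.claude/settings.local.json` to `.gitignore` and `git rm --cached` it once — with anything genuinely shared moved to `.claude/settings.json`. Widening the agent's file access to a sibling repository is also a trust decision for that particular checkout, not one other contributors should inherit from a commit.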
@@ -18,8 +18,20 @@ public Task Invoke(HttpContext context)
 context.Response.Headers.Append("X-Xss-Protection", "0");
 context.Response.Headers.Append("Referrer-Policy", "no-referrer");
 context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
- context.Response.Headers.Append("X-Powered-By", "");
- //context.Response.Headers.Add("Content-Security-Policy", "default-src 'self';script-src 'self' code.jquery.com;style-src 'self' cdn.rawgit.com cdn.jsdelivr.net;img-src 'self' our.umbraco.com;font-src 'self';connect-src 'self'");
+ context.Response.OnStarting(() =>
+ {
+ context.Response.Headers.Remove("X-Powered-By");
+ context.Response.Headers.Remove("Server");
+ return Task.CompletedTask;
+ });
+ context.Response.Headers.Append("Content-Security-Policy",
+ "default-src 'self'; " +
+ "script-src 'self' 'unsafe-inline' www.googletagmanager.com cdnjs.cloudflare.com cdn.jsdelivr.net; " +
+ "style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com cdn.jsdelivr.net; " +
+ "img-src 'self' data:; " +
+ "font-src 'self'; " +
+ "connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; " +
+ "frame-ancestors 'self'");
 context.Response.Headers.Append("Permissions-Policy", "fullscreen=(), geolocation=()");
 return _next(context);
 }
diff --git a/src/PSW/Program.cs b/src/PSW/Program.cs
index e0f7823..844762d 100644
--- a/src/PSW/Program.cs
+++ b/src/PSW/Program.cs
@@ -41,13 +41,18 @@ builder.Services.Configure( builder.Configuration.GetSection(PSWConfig.SectionName));
+builder.Services.AddHsts(options =>
+{
+ options.MaxAge = TimeSpan.FromDays(365);
+ options.IncludeSubDomains = true;
+});
+
 var app = builder.Build();
 // Configure the HTTP request pipeline.
 if (!app.Environment.IsDevelopment())
 {
 app.UseExceptionHandler("/Home/Error");
- // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
 app.UseHsts();
 }
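Review bot: The new script-src combines `'unsafe-inline'` with the whole of cdn.jsdelivr.net and cdnjs.cloudflare.com, which leaves this Content-Security-Policy with little value against XSS — inline injection is permitted outright, and both CDNs host arbitrary third-party packages, so an injected `<script src>` pointing at either still loads. If Google Tag Manager is what forces the inline allowance, it supports nonces; otherwise at least pin the CDN entries to the exact paths the pages use. The policy also inherits `object-src 'self'` from default-src and sets no base-uri or form-action, neither of which falls back to default-src, so add `"object-src 'none'; base-uri 'self'; form-action 'self'; " +` alongside the other directives. Separately, `Headers.Remove("Server")` inside OnStarting is likely a no-op under Kestrel, which as far as I recall adds its Server header after the OnStarting callbacks when none is present, and IIS adds X-Powered-By outside the managed pipeline; `ConfigureKestrel(o => o.AddServerHeader = false)` in Program.cs and a web.config `<remove name="X-Powered-By" />` are the reliable switches, and a curl against the real deployment would settle it. Invoke's signature sits just above the hunk; its closing brace is the last context line.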
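Review bot: `IncludeSubDomains = true` together with a one-year MaxAge commits every subdomain of the site, not just this app, to HTTPS for a year in any browser that sees the header, and that pin cannot be withdrawn quickly once cached; confirm that every subdomain, including ones served by other systems, presents valid TLS before this ships, or leave IncludeSubDomains off until it does. Also note that UseHsts only emits the header on requests it sees as HTTPS, so if TLS is terminated by a proxy in front of Kestrel the header will silently never be sent unless forwarded headers are handled earlier in the pipeline — the hunk does not show the hosting setup, so this needs checking. A short comment on the options block, such as `// One-year HSTS incl. subdomains: every *.<host> name must serve valid TLS before enabling`, would record the decision that replaced the removed template note.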