TerribleDev/HardHat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ieNoOpen, Referrer

Browse Source
This commit is contained in:
Tommy Parnell
2016-12-31 06:24:33 -05:00
parent 32f41bd057
commit 6d6058d16a
10 changed files with 150 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.vscode/launch.json vendored Normal file
View File

@@ -0,0 +1,42 @@
{
"version": "0.2.0",
"configurations": [
{
"name": ".NET Core Launch (web)",
"type": "coreclr",
"request": "launch",
"preLaunchTask": "build",
"program": "${workspaceRoot}\\src\\HardHat.Example\\bin\\Debug\\netcoreapp1.0\\HardHat.Example.dll",
"args": [],
"cwd": "${workspaceRoot}",
"stopAtEntry": false,
"internalConsoleOptions": "openOnSessionStart",
"launchBrowser": {
"enabled": true,
"args": "${auto-detect-url}",
"windows": {
"command": "cmd.exe",
"args": "/C start ${auto-detect-url}"
},
"osx": {
"command": "open"
},
"linux": {
"command": "xdg-open"
}
},
"env": {
"ASPNETCORE_ENVIRONMENT": "Development"
},
"sourceFileMap": {
"/Views": "${workspaceRoot}/Views"
}
},
{
"name": ".NET Core Attach",
"type": "coreclr",
"request": "attach",
"processId": "${command.pickProcess}"
}
]
}

16
.vscode/tasks.json vendored Normal file
View File

@@ -0,0 +1,16 @@
{
"version": "0.1.0",
"command": "dotnet",
"isShellCommand": true,
"args": [],
"tasks": [
{
"taskName": "build",
"args": [
"${workspaceRoot}\\src\\HardHat.Example\\project.json"
],
"isBuildCommand": true,
"problemMatcher": "$msCompile"
}
]
}

4
Readme.md
View File

@@ -13,6 +13,8 @@ In short this allows:
app.DnsPrefetch(allow: false); //turn off dns prefetch to keep privacy of users on site
app.AddFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN)); //prevent content from being loaded in an iframe unless its within the same origin
app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false); //enforce hsts
app.AddReferrerPolicy(ReferrerPolicy.NoReferrer);
app.AddIENoOpen();
...
app.UseMvc(routes =>
{
@@ -30,8 +32,6 @@ In short this allows:
todo:
* CSP
* ie NoOpen
* don't sniff mime type
* XSS protection
* disable referer

187
src/HardHat.Example/Project_Readme.html
View File

@@ -1,187 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Welcome to ASP.NET Core</title>
<style>
html {
background: #f1f1f1;
height: 100%;
}
body {
background: #fff;
color: #505050;
font: 14px 'Segoe UI', tahoma, arial, helvetica, sans-serif;
margin: 1%;
min-height: 95.5%;
border: 1px solid silver;
position: relative;
}
#header {
padding: 0;
}
#header h1 {
font-size: 44px;
font-weight: normal;
margin: 0;
padding: 10px 30px 10px 30px;
}
#header span {
margin: 0;
padding: 0 30px;
display: block;
}
#header p {
font-size: 20px;
color: #fff;
background: #007acc;
padding: 0 30px;
line-height: 50px;
margin-top: 25px;
}
#header p a {
color: #fff;
text-decoration: underline;
font-weight: bold;
padding-right: 35px;
background: no-repeat right bottom url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABcAAAAWCAMAAAAcqPc3AAAANlBMVEUAAAAAeswfitI9mthXp91us+KCvuaTx+mjz+2x1u+83PLH4vTR5/ba7Pjj8Pns9fv1+v3////wy3dWAAAAAXRSTlMAQObYZgAAAHxJREFUeNp9kVcSwCAIRMHUYoH7XzaxOxJ9P8oyQ1uIqNPwh3s2aLmIM2YtqrLcQIeQEylhuCeUOlhgve5yoBCfWmlnlgkN4H8ykbpaE7gR03AbUHiwoOxUH9Xp+ubd41p1HF3mBPrfC87BHeTdaB3ceeKL9HGpcvX9zu6+DdMWT9KQPvYAAAAASUVORK5CYII=);
}
#main {
padding: 5px 30px;
clear: both;
}
.section {
width: 21.7%;
float: left;
margin: 0 0 0 4%;
}
.section h2 {
font-size: 13px;
text-transform: uppercase;
margin: 0;
border-bottom: 1px solid silver;
padding-bottom: 12px;
margin-bottom: 8px;
}
.section.first {
margin-left: 0;
}
.section.first h2 {
font-size: 24px;
text-transform: none;
margin-bottom: 25px;
border: none;
}
.section.first li {
border-top: 1px solid silver;
padding: 8px 0;
}
.section.last {
margin-right: 0;
}
ul {
list-style: none;
padding: 0;
margin: 0;
line-height: 20px;
}
li {
padding: 4px 0;
}
a {
color: #267cb2;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
#footer {
clear: both;
padding-top: 50px;
}
#footer p {
position: absolute;
bottom: 10px;
}
</style>
</head>
<body>
<div id="header">
<h1>Welcome to ASP.NET Core</h1>
<span>
We've made some big updates in this release, so its <b>important</b> that you spend
a few minutes to learn whats new.
</span>
<p>You've created a new ASP.NET Core project. <a href="http://go.microsoft.com/fwlink/?LinkId=518016">Learn what's new</a></p>
</div>
<div id="main">
<div class="section first">
<h2>This application consists of:</h2>
<ul>
<li>Sample pages using ASP.NET Core MVC</li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=518004">Bower</a> for managing client-side libraries</li>
<li>Theming using <a href="http://go.microsoft.com/fwlink/?LinkID=398939">Bootstrap</a></li>
</ul>
</div>
<div class="section">
<h2>How to</h2>
<ul>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=398600">Add a Controller and View</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=699562">Add an appsetting in config and access it in app.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699315">Manage User Secrets using Secret Manager.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699316">Use logging to log a message.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699317">Add packages using NuGet.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699318">Add client packages using Bower.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699319">Target development, staging or production environment.</a></li>
</ul>
</div>
<div class="section">
<h2>Overview</h2>
<ul>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=518008">Conceptual overview of what is ASP.NET Core</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=699320">Fundamentals of ASP.NET Core such as Startup and middleware.</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=398602">Working with Data</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkId=398603">Security</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=699321">Client side development</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=699322">Develop on different platforms</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=699323">Read more on the documentation site</a></li>
</ul>
</div>
<div class="section last">
<h2>Run & Deploy</h2>
<ul>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=517851">Run your app</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=517853">Run tools such as EF migrations and more</a></li>
<li><a href="http://go.microsoft.com/fwlink/?LinkID=398609">Publish to Microsoft Azure Web Apps</a></li>
</ul>
</div>
<div id="footer">
<p>We would love to hear your <a href="http://go.microsoft.com/fwlink/?LinkId=518015">feedback</a></p>
</div>
</div>
</body>
</html>

3
src/HardHat.Example/Startup.cs
View File

@@ -50,7 +50,8 @@ namespace HardHat.Example
app.AddFrameGuard(new FrameGuardOptions(FrameGuardOptions.FrameGuard.SAMEORIGIN));
app.UseHsts(maxAge: 5000, includeSubDomains: true, preload: false);
app.UseStaticFiles();
app.AddReferrerPolicy(ReferrerPolicy.NoReferrer);
app.AddIENoOpen();
app.UseMvc(routes =>
{
routes.MapRoute(

29
src/HardHat/Constants.cs
View File

@@ -5,13 +5,28 @@ using System.Threading.Tasks;
namespace HardHat
{
public static class Constants
internal static class Constants
{
public static string DnsControlHeader = "X-DNS-Prefetch-Control";
public static string FrameGuardHeader = "X-Frame-Options";
public static string StrictTransportSecurity = "Strict-Transport-Security";
public static string MaxAge = "max-age";
public static string IncludeSubDomains = "; includeSubDomains";
public static string Preload = "; preload";
internal const string DnsControlHeader = "X-DNS-Prefetch-Control";
internal const string FrameGuardHeader = "X-Frame-Options";
internal const string StrictTransportSecurity = "Strict-Transport-Security";
internal const string MaxAge = "max-age";
internal const string IncludeSubDomains = "; includeSubDomains";
internal const string Preload = "; preload";
internal const string DowloadOptions = "X-Download-Options";
internal const string NoOpen = "noopen";
internal const string ReferrerPolicy = "Referrer-Policy";
internal static class Referrers
{
internal const string NoReferrer = "no-referrer";
internal const string NoReferrerWhenDowngrade = "no-referrer-when-downgrade";
internal const string SameOrigin = "same-origin";
internal const string Origin = "origin";
internal const string StrictOrigin = "strict-origin";
internal const string OriginWhenCrossOrigin = "origin-when-cross-origin";
internal const string StrictOriginWhenCrossOrigin = "strict-origin-when-cross-origin";
internal const string UnsafeUrl = "unsafe-url";
}
}
}

25
src/HardHat/Extensions.cs
View File

@@ -1,28 +1,13 @@
using HardHat;
using Microsoft.AspNetCore.Builder;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace Microsoft.AspNetCore.Builder
{
public static class Extensions
{
public static IApplicationBuilder DnsPrefetch(this IApplicationBuilder app, bool allow = false)
{
app.UseMiddleware<DnsPrefetch>(allow);
return app;
}
public static IApplicationBuilder AddFrameGuard(this IApplicationBuilder app, FrameGuardOptions options)
{
app.UseMiddleware<FrameGuard>(options);
return app;
}
public static IApplicationBuilder UseHsts(this IApplicationBuilder app, ulong maxAge, bool includeSubDomains = false, bool preload = false)
{
app.UseMiddleware<Hsts>(maxAge, includeSubDomains, preload);
return app;
}
public static IApplicationBuilder DnsPrefetch(this IApplicationBuilder app, bool allow = false) => app.UseMiddleware<DnsPrefetch>(allow);
public static IApplicationBuilder AddFrameGuard(this IApplicationBuilder app, FrameGuardOptions options) => app.UseMiddleware<FrameGuard>(options);
public static IApplicationBuilder UseHsts(this IApplicationBuilder app, ulong maxAge, bool includeSubDomains = false, bool preload = false) => app.UseMiddleware<Hsts>(maxAge, includeSubDomains, preload);
public static IApplicationBuilder AddIENoOpen(this IApplicationBuilder app) => app.UseMiddleware<IENoOpen>();
public static IApplicationBuilder AddReferrerPolicy(this IApplicationBuilder app, ReferrerPolicy policy) => app.UseMiddleware<ReferrerPolicyMiddlewear>(policy);
}
}

2
src/HardHat/FrameGuard.cs
View File

@@ -1,7 +1,5 @@
using Microsoft.AspNetCore.Http;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace HardHat

20
src/HardHat/IENoOpen.cs Normal file
View File

@@ -0,0 +1,20 @@
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;
namespace HardHat
{
public class IENoOpen
{
private readonly RequestDelegate _next;
public IENoOpen(RequestDelegate next)
{
_next = next;
}
public Task Invoke(HttpContext context)
{
context.Response.Headers[Constants.DowloadOptions] = Constants.NoOpen;
return _next.Invoke(context);
}
}
}

41
src/HardHat/RefererPolicy.cs Normal file
View File

@@ -0,0 +1,41 @@
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;
namespace HardHat
{
public class ReferrerPolicyMiddlewear
{
private readonly RequestDelegate _next;
private readonly ReferrerPolicy policy;
public ReferrerPolicyMiddlewear(RequestDelegate next, ReferrerPolicy policy)
{
this.policy = policy;
_next = next;
}
public Task Invoke(HttpContext context)
{
context.Response.Headers[Constants.ReferrerPolicy] = this.policy.Policy;
return _next.Invoke(context);
}
}
public struct ReferrerPolicy
{
internal readonly string Policy;
internal ReferrerPolicy(string policy)
{
this.Policy = policy;
}
//todo: document https://www.w3.org/TR/referrer-policy/#referrer-policies
public static readonly ReferrerPolicy Empty = new ReferrerPolicy(string.Empty);
public static readonly ReferrerPolicy NoReferrer = new ReferrerPolicy(Constants.Referrers.NoReferrer);
public static readonly ReferrerPolicy NoReferrerWhenDowngrade = new ReferrerPolicy(Constants.Referrers.NoReferrerWhenDowngrade);
public static readonly ReferrerPolicy SameOrigin = new ReferrerPolicy(Constants.Referrers.SameOrigin);
public static readonly ReferrerPolicy Origin = new ReferrerPolicy(Constants.Referrers.Origin);
public static readonly ReferrerPolicy StrictOrigin = new ReferrerPolicy(Constants.Referrers.StrictOrigin);
public static readonly ReferrerPolicy OriginWhenCrossOrigin = new ReferrerPolicy(Constants.Referrers.OriginWhenCrossOrigin);
public static readonly ReferrerPolicy StrictOriginWhenCrossOrigin = new ReferrerPolicy(Constants.Referrers.StrictOriginWhenCrossOrigin);
public static readonly ReferrerPolicy UnsafeUrl = new ReferrerPolicy(Constants.Referrers.UnsafeUrl);
}
}