Merge pull request #11 from TerribleDev/2.0

upgrade to 2.0

Readme.md

@@ -1,5 +1,7 @@
 # Hard Hat
 
+[![Build status](https://ci.appveyor.com/api/projects/status/orm7sjpwxde03pbj/branch/master?svg=true)](https://ci.appveyor.com/project/tparnell8/hardhat/branch/master)
+
 <img src="Hat.png" width="350px"/>
 
 HardHat is a set of .net core middleware that adds various headers to help protect your site from vulnerabilities. Inspired by [helmetJS](https://helmetjs.github.io). We have [some docs](docs/Readme.md) they are still a work in progress, so please feel free to submit changes to them.
@@ -51,5 +53,5 @@ In short this allows:
 ## Getting started
 
 
-* Install the nuget package `Install-Package HardHat -Pre`
+* Install the nuget package `Install-Package HardHat`
 * Add the middleware you desire to your configure block.

appveyor.yml

@@ -9,6 +9,10 @@ build_script:
         {
           dotnet pack src\HardHat\HardHat.csproj --configuration Release --output ..\..\output /p:Version=$env:APPVEYOR_REPO_TAG_NAME
         }
+        else
+        {
+          dotnet pack src\HardHat\HardHat.csproj --configuration Release --output ..\..\output /p:Version=0.0.1-build-$env:APPVEYOR_BUILD_NUMBER
+        }
 test_script:
 - ps: dotnet test src\HardHat.UnitTests\HardHat.UnitTests.csproj
 artifacts:
@@ -16,6 +20,6 @@ artifacts:
 deploy:
 - provider: NuGet
   api_key:
-    secure: bGn7M6dHOJ3QjwYIv7e34tcY/n9cCUZmL1MnM6jRfmnJOOfwlrS+cdRj2n8Wf31n
+    secure: //tKHlb2yqAtpxnR6p9IAtXwQNaq8UYYyIFSD0QVF3XnEasIxG2gTWdmWuG87fUX
   on:
     appveyor_repo_tag: true

docs/Readme.md

@@ -1,6 +1,6 @@
 ## Index
 
-Hard hat is essentially a group of 12+ individual middleware that help you improve the security of your aspnet core based applications.
+Hard hat is essentially a group of individual middleware that help you improve the security of your aspnet core based applications.
 
 Each middleware has a seperate readme file. These docs were inspired by helmetjs.
 

src/HardHat.Example/HardHat.Example.csproj

@@ -1,12 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp1.0</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
     <PreserveCompilationContext>true</PreserveCompilationContext>
     <AssemblyName>HardHat.Example</AssemblyName>
     <OutputType>Exe</OutputType>
     <PackageId>HardHat.Example</PackageId>
-    <PackageTargetFallback>$(PackageTargetFallback);dotnet5.6;portable-net45+win8</PackageTargetFallback>
   </PropertyGroup>
 
   <ItemGroup>
@@ -20,19 +19,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Routing" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.0.3" />
-    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.0.2" />
-    <PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="1.0.2" />
-    <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="1.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.App" />
   </ItemGroup>
 
   <Target Name="PrepublishScript" BeforeTargets="PrepareForPublish">

src/HardHat.Example/Startup.cs

@@ -37,7 +37,6 @@ namespace HardHat.Example
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
-                app.UseBrowserLink();
             }
             else
             {

src/HardHat.UnitTests/ExpectCtHeaderTests.cs

@@ -0,0 +1,33 @@
+using HardHat.Builders;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Xunit;
+
+namespace HardHat.UnitTests
+{
+    public class ExpectCtHeaderTests
+    {
+        [Fact]
+        public void TestExceptions()
+        {
+            Assert.Throws<ArgumentNullException>(() => ExpectCtHeaderBuilder.Build(0, string.Empty));
+        }
+
+        [Fact]
+        public void TestHeader()
+        {
+            var result = ExpectCtHeaderBuilder.Build(0, "/awesome");
+
+            Assert.Equal("max-age=0; report-uri=\"/awesome\"", result);
+        }
+
+        [Fact]
+        public void TestHeaderWithEnforce()
+        {
+            var result = ExpectCtHeaderBuilder.Build(0, "/awesome", true);
+
+            Assert.Equal("max-age=0; report-uri=\"/awesome\"; enforce", result);
+        }
+    }
+}

src/HardHat.UnitTests/HardHat.UnitTests.csproj

@@ -1,9 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFramework>netcoreapp1.1</TargetFramework>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.1.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.0.0" />
     <PackageReference Include="Moq" Version="4.7.25" />
     <PackageReference Include="xunit" Version="2.2.0" />

src/HardHat/Builders/ExpectCtHeaderBuilder.cs

@@ -0,0 +1,23 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace HardHat.Builders
+{
+    internal static class ExpectCtHeaderBuilder
+    {
+        internal static string Build(ulong maxAge, string reportUri, bool enforce = false)
+        {
+            if (string.IsNullOrWhiteSpace(reportUri))
+            {
+                throw new ArgumentNullException(nameof(reportUri), "Report URI must have a value");
+            }
+            var builder = new StringBuilder($"max-age={maxAge}; report-uri=\"{reportUri}\"");
+            if (enforce)
+            {
+                builder.Append("; enforce");
+            }
+            return builder.ToString();
+        }
+    }
+}

src/HardHat/Constants.cs

@@ -22,6 +22,7 @@
         internal const string semicolon = ";";
         internal const string HpKpHeader = "Public-Key-Pins";
         internal const string HpKpHeaderReportOnly = "Public-Key-Pins-Report-Only";
+        internal const string ExpectCt = "Expect-CT";
         internal static class Referrers
         {
             internal const string NoReferrer = "no-referrer";

src/HardHat/Extensions.cs

@@ -90,6 +90,17 @@ namespace Microsoft.AspNetCore.Builder
         /// <returns></returns>
         public static IApplicationBuilder UseHpkp(this IApplicationBuilder app, ulong maxAge, ICollection<PublicKeyPin> keys, bool includeSubDomains = false, string reportUri = "", bool reportOnly = false) => app.UseMiddleware<Hpkp>(maxAge, keys, includeSubDomains, reportUri, reportOnly);
 
+        /// <summary>
+        /// NOTE: This is still in draft spec, browser support maybe very limited 
+        /// <para>Certificate Transparency is an open framework for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. By requiring a CA to log all certificates they generate, site owners can quickly identify mis-issued certificates and it becomes much easier to detect a rogue CA. <see href="https://scotthelme.co.uk/a-new-security-header-expect-ct/"/></para>
+        /// </summary>
+        /// <param name="app"></param>
+        /// <param name="maxAge"> specifies the number of seconds that the browser should cache and apply the received policy for, whether enforced or report-only.</param>
+        /// <param name="reportUri"> specifies where the browser should send reports if it does not receive valid CT information. This is specified as an absolute URI.</param>
+        /// <param name="enforce">controls whether the browser should enforce the policy or treat it as report-only mode. The directive has no value so you simply include it or not depending on whether or not you want the browser to enforce the policy or just report on it.</param>
+        /// <returns></returns>
+        public static IApplicationBuilder UseCertificateTransparency(this IApplicationBuilder app, ulong maxAge, string reportUri, bool enforce = false) => app.UseMiddleware<ExpectCt>(maxAge, reportUri, enforce);
+
         /// <summary>
         /// change or remove the server header.
         /// </summary>

src/HardHat/HardHat.csproj

@@ -3,18 +3,28 @@
   <PropertyGroup>
     <Description>.Net core Middleware, Add various headers to help secure your site. Disable XSS attacks with Content Security Policies, and make sure browsers do not mime sniff</Description>
     <Authors>Tommy Parnell</Authors>
-    <TargetFramework>netstandard1.6</TargetFramework>
+    <TargetFramework>netstandard2.0</TargetFramework>
     <AssemblyName>HardHat</AssemblyName>
     <PackageId>HardHat</PackageId>
     <PackageTags>xss;clickjack;clickjacking;security;.net core;Middleware;core;Content Security Policy;CSP</PackageTags>
     <PackageIconUrl>https://media.githubusercontent.com/media/TerribleDev/HardHat/master/Hat.png</PackageIconUrl>
     <PackageProjectUrl>https://github.com/TerribleDev/HardHat</PackageProjectUrl>
     <PackageLicenseUrl>https://opensource.org/licenses/MIT</PackageLicenseUrl>
-    <PackageTargetFallback>$(PackageTargetFallback);dnxcore50</PackageTargetFallback>
+    <SourceLinkServerType>GitHub</SourceLinkServerType>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="1.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
+    <PackageReference Include="SourceLink.Create.CommandLine" Version="2.4.0" PrivateAssets="All" /> 
   </ItemGroup>
 
+  <PropertyGroup>
+    <TargetsForTfmSpecificContentInPackage>$(TargetsForTfmSpecificContentInPackage);IncludePDBsInPackage</TargetsForTfmSpecificContentInPackage>
+  </PropertyGroup>
+  <Target Name="IncludePDBsInPackage" Condition="'$(IncludeBuildOutput)' != 'false'">
+    <ItemGroup>
+      <TfmSpecificPackageFile Include="$(OutputPath)\$(AssemblyName).pdb" PackagePath="lib\$(TargetFramework)" />
+    </ItemGroup>
+  </Target>
+
 </Project>

src/HardHat/Middlewares/ExpectCt.cs

@@ -0,0 +1,30 @@
+using HardHat.Builders;
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace HardHat.Middlewares
+{
+    public class ExpectCt
+    {
+        private readonly RequestDelegate _next;
+        private readonly string headerValue;
+        public ExpectCt(RequestDelegate next, ulong maxAge, string reportUri, bool enforce = false)
+        {
+            this._next = next;
+            if(string.IsNullOrWhiteSpace(reportUri))
+            {
+                throw new ArgumentNullException(nameof(reportUri), "Report URI must have a value");
+            }
+            headerValue = ExpectCtHeaderBuilder.Build(maxAge, reportUri, enforce);
+        }
+
+        public Task Invoke(HttpContext context)
+        {
+            context.Response.Headers[Constants.ExpectCt] = headerValue;
+            return _next?.Invoke(context);
+        }
+    }
+}