From a1008641c78174a50ab994d94ecc1e2fa3fec23b Mon Sep 17 00:00:00 2001
From: plockwood
Date: Wed, 15 Mar 2023 16:02:41 +0000
Subject: [PATCH] added feature-policy

---
 Dfe.Academies.External.Web/Program.cs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dfe.Academies.External.Web/Program.cs b/Dfe.Academies.External.Web/Program.cs
index c0ffde2ce..76c505aaf 100644
--- a/Dfe.Academies.External.Web/Program.cs
+++ b/Dfe.Academies.External.Web/Program.cs
@@ -205,8 +205,14 @@ static IAsyncPolicy GetRetryPolicy()
 // added content security policy, manual for now but should probably look at this package in the future NWebsec.AspNetCore.Middleware
 app.Use(async (context, next) =>
 {
- context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' wss://localhost:44352/Dfe.Academies.External.Web/; script-src 'self' 'sha256-qL+CKdDo+s+wbAVlMRNaKTthlML5CHI7jaNN8xIHquM=' 'sha256-oJB7VN5D3FsVWp4IBkMG5wPNDs4/Yf73/2mCN7Va9ao=' 'sha256-mmu7ufJkx6yK/dAWH2qN/k0kRhIj7O1GP53WoweDgVw=' 'sha256-YXeAP6J7c5mHporqs1+yXBn3qwau95EZrnniBY+4bpQ=' 'sha256-l1eTVSK8DTnK8+yloud7wZUqFrI0atVo6VlC6PJvYaQ=' https://www.googletagmanager.com/gtm.js; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'");
-
+ if (!context.Response.Headers.ContainsKey("Content-Security-Policy"))
+ {
+ context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' wss://localhost:44352/Dfe.Academies.External.Web/; script-src 'self' 'sha256-qL+CKdDo+s+wbAVlMRNaKTthlML5CHI7jaNN8xIHquM=' 'sha256-oJB7VN5D3FsVWp4IBkMG5wPNDs4/Yf73/2mCN7Va9ao=' 'sha256-mmu7ufJkx6yK/dAWH2qN/k0kRhIj7O1GP53WoweDgVw=' 'sha256-YXeAP6J7c5mHporqs1+yXBn3qwau95EZrnniBY+4bpQ=' 'sha256-l1eTVSK8DTnK8+yloud7wZUqFrI0atVo6VlC6PJvYaQ=' https://www.googletagmanager.com/gtm.js; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'");
+ }
+ if (!context.Response.Headers.ContainsKey("Feature-Policy"))
+ {
+ context.Response.Headers.Add("Feature-Policy", "accelerometer 'none'; camera 'none'; microphone 'none';");
+ }
 await next();
 });
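Review bot: The header set in the second `if` block, `Feature-Policy`, is the deprecated predecessor of `Permissions-Policy`, which uses a different value syntax, so current browsers will not enforce this restriction from the header as written; add `context.Response.Headers.Add("Permissions-Policy", "accelerometer=(), camera=(), microphone=()");` under the same kind of `ContainsKey` guard and keep `Feature-Policy` only as a fallback for older browsers. The CSP value carried over into the first block still lists `wss://localhost:44352/Dfe.Academies.External.Web/` in `default-src`, which looks like a development-only source being sent in every environment; consider sourcing the allowed origin from configuration so production does not advertise it. Note also that `base-uri` and `frame-ancestors` do not fall back to `default-src`, so appending `base-uri 'self'; frame-ancestors 'self'` to the policy would cover base-tag injection and framing, which the current value leaves unaddressed. The `app.Use` lambda is fully inside the hunk, but the surrounding startup code begins outside it.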