nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 13:08:17 -05:00
Code

Added middleware for general security headers (#1700)

Browse Source
This commit is contained in:
Kyle Spearrin 2021-11-09 11:37:14 -05:00 committed by GitHub
parent f26a235964
commit 327e784336
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
bitwarden_license/src/Sso/Startup.cs
View File

@ -95,6 +95,9 @@ namespace Bit.Sso
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (!env.IsDevelopment())
{
var uri = new Uri(globalSettings.BaseServiceUri.Sso);

3
src/Admin/Startup.cs
View File

@ -115,6 +115,9 @@ namespace Bit.Admin
{
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (globalSettings.SelfHosted)
{
app.UsePathBase("/admin");

3
src/Api/Startup.cs
View File

@ -169,6 +169,9 @@ namespace Bit.Api
IdentityModelEventSource.ShowPII = true;
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
// Default Middleware
app.UseDefaultMiddleware(env, globalSettings);

3
src/Billing/Startup.cs
View File

@ -82,6 +82,9 @@ namespace Bit.Billing
{
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();

30
src/Core/Utilities/SecurityHeadersMiddleware.cs Normal file
View File

@ -0,0 +1,30 @@
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;
namespace Bit.Core.Utilities
{
public sealed class SecurityHeadersMiddleware
{
private readonly RequestDelegate _next;
public SecurityHeadersMiddleware(RequestDelegate next)
{
_next = next;
}
public Task Invoke(HttpContext context)
{
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
context.Response.Headers.Add("x-frame-options", new StringValues("SAMEORIGIN"));
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
context.Response.Headers.Add("x-xss-protection", new StringValues("1; mode=block"));
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
context.Response.Headers.Add("x-content-type-options", new StringValues("nosniff"));
return _next(context);
}
}
}

3
src/Events/Startup.cs
View File

@ -90,6 +90,9 @@ namespace Bit.Events
{
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();

2
src/EventsProcessor/Startup.cs
View File

@ -43,6 +43,8 @@ namespace Bit.EventsProcessor
{
IdentityModelEventSource.ShowPII = true;
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
app.UseRouting();
app.UseEndpoints(endpoints =>
{

3
src/Icons/Startup.cs
View File

@ -56,6 +56,9 @@ namespace Bit.Icons
{
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();

3
src/Identity/Startup.cs
View File

@ -150,6 +150,9 @@ namespace Bit.Identity
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (!env.IsDevelopment())
{
var uri = new Uri(globalSettings.BaseServiceUri.Identity);

3
src/Notifications/Startup.cs
View File

@ -91,6 +91,9 @@ namespace Bit.Notifications
IdentityModelEventSource.ShowPII = true;
app.UseSerilog(env, appLifetime, globalSettings);
// Add general security headers
app.UseMiddleware<SecurityHeadersMiddleware>();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();