From 8f1cefdbeb44435e66b685d1ac7cd6f676aa9bd9 Mon Sep 17 00:00:00 2001
From: damienbod
Date: Sat, 26 Oct 2024 11:07:50 +0200
Subject: [PATCH] Updated security headers

---
 .../AspNetCoreSelectTenant.csproj | 4 +--
 AspNetCoreSelectTenant/Program.cs | 11 ++++++--
 .../SecurityHeadersDefinitions.cs | 28 ++++++-------------
 3 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/AspNetCoreSelectTenant/AspNetCoreSelectTenant.csproj b/AspNetCoreSelectTenant/AspNetCoreSelectTenant.csproj
index da8d632..7a62021 100644
--- a/AspNetCoreSelectTenant/AspNetCoreSelectTenant.csproj
+++ b/AspNetCoreSelectTenant/AspNetCoreSelectTenant.csproj
@@ -12,8 +12,8 @@ - - + +
diff --git a/AspNetCoreSelectTenant/Program.cs b/AspNetCoreSelectTenant/Program.cs
index a631d2d..d3374b5 100644
--- a/AspNetCoreSelectTenant/Program.cs
+++ b/AspNetCoreSelectTenant/Program.cs
@@ -6,6 +6,7 @@
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -17,6 +18,13 @@
 var services = builder.Services;
 var configuration = builder.Configuration;
 
+services.AddSecurityHeaderPolicies()
+    .SetPolicySelector((PolicySelectorContext ctx) =>
+    {
+        return SecurityHeadersDefinitions
+            .GetHeaderPolicyCollection(builder.Environment.IsDevelopment());
+    });
+
 services.AddDistributedMemoryCache();
 
 var connection = configuration.GetConnectionString("DefaultConnection");
@@ -101,8 +109,7 @@
     app.UseHsts();
 }
 
-app.UseSecurityHeaders(SecurityHeadersDefinitions
-    .GetHeaderPolicyCollection(app.Environment.IsDevelopment()));
+app.UseSecurityHeaders();
 
 app.UseHttpsRedirection();
 app.UseStaticFiles();
diff --git a/AspNetCoreSelectTenant/SecurityHeadersDefinitions.cs b/AspNetCoreSelectTenant/SecurityHeadersDefinitions.cs
index b7251ae..d1f28e1 100644
--- a/AspNetCoreSelectTenant/SecurityHeadersDefinitions.cs
+++ b/AspNetCoreSelectTenant/SecurityHeadersDefinitions.cs
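Review bot: The policy selector registered at `services.AddSecurityHeaderPolicies()` re-evaluates `builder.Environment.IsDevelopment()` and calls `GetHeaderPolicyCollection` on every request although the answer is fixed at startup, and its `ctx` parameter is never used. Since the environment is known at this point, build the collection once and have the selector return the captured instance: `var headerPolicy = SecurityHeadersDefinitions.GetHeaderPolicyCollection(builder.Environment.IsDevelopment());` followed by `.SetPolicySelector(_ => headerPolicy);` (assuming `SetPolicySelector` has a single overload so the lambda parameter type can be inferred). That would also make the static cache added in SecurityHeadersDefinitions.cs unnecessary and let the `using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;` added in the first hunk go. The top-level statements of Program.cs continue outside the hunk.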
@@ -2,9 +2,15 @@ public static class SecurityHeadersDefinitions { + private static HeaderPolicyCollection? policy; + public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev) { - var policy = new HeaderPolicyCollection() + // Avoid building a new HeaderPolicyCollection on every request for performance reasons. + // Where possible, cache and reuse HeaderPolicyCollection instances. + if (policy != null) return policy; + + policy = policy = new HeaderPolicyCollection() .AddFrameOptionsDeny() .AddContentTypeOptionsNoSniff() .AddReferrerPolicyStrictOriginWhenCrossOrigin()
@@ -25,23 +31,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
             // builder.AddCustomDirective("require-trusted-types-for", "'script'");
         })
         .RemoveServerHeader()
-        .AddPermissionsPolicy(builder =>
-        {
-            builder.AddAccelerometer().None();
-            builder.AddAutoplay().None();
-            builder.AddCamera().None();
-            builder.AddEncryptedMedia().None();
-            builder.AddFullscreen().All();
-            builder.AddGeolocation().None();
-            builder.AddGyroscope().None();
-            builder.AddMagnetometer().None();
-            builder.AddMicrophone().None();
-            builder.AddMidi().None();
-            builder.AddPayment().None();
-            builder.AddPictureInPicture().None();
-            builder.AddSyncXHR().None();
-            builder.AddUsb().None();
-        });
+        .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
@@ -49,8 +39,6 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }
\ No newline at end of file
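Review bot: `policy = policy = new HeaderPolicyCollection()` assigns the same value twice and should read `policy = new HeaderPolicyCollection()`. The new static cache also changes the method's contract: after the first call the `isDev` argument is ignored, so a caller passing a different value receives the collection the first caller built (with or without the HSTS header); that is harmless with the single call site in Program.cs but deserves a comment such as `// Built once; the isDev value of the first call wins for the process lifetime.`. The unsynchronized write to the static field is a benign race (two collections may be built concurrently and one discarded), which `Lazy<HeaderPolicyCollection>` or building the instance once at startup would avoid. By the usual convention the private static field would be named `_policy`. GetHeaderPolicyCollection continues past the end of the hunk.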
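Review bot: Replacing the explicit directive list with `.AddPermissionsPolicyWithDefaultSecureDirectives()` moves the contents of the Permissions-Policy header out of reviewable source into the library's defaults, so a package update can change the emitted header without any diff in this file; the removed list also explicitly allowed fullscreen (`AddFullscreen().All()`), and whether the helper's defaults still permit it cannot be seen from here. Verify the emitted `Permissions-Policy` header on a real response and record the decision next to the call, e.g. `// Permissions-Policy comes from the library defaults; re-check fullscreen against the UI needs after each package update.`. GetHeaderPolicyCollection starts and ends outside the hunk.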
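Review bot: Dropping `policy.ApplyDocumentHeadersToAllResponses();` presumably changes which responses carry the document headers (the CSP built above, Referrer-Policy and similar) unless the library version in use now applies them to every response by default, and the commit message does not say which behaviour is intended. A one-line comment before `return policy;` recording the expected scope, e.g. `// Document headers follow the library's default response scope; confirmed against <library version> when ApplyDocumentHeadersToAllResponses was removed.`, would keep that decision reviewable, and checking a non-HTML response (a static file or JSON endpoint) in the deployed app would confirm the CSP is still sent where expected. GetHeaderPolicyCollection starts before the hunk.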