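// .Net Core 加入CSP — a Content-Security-Policy middleware for ASP.NET Core
// Tags: .net core, CSP, OWASP
//
// Create the middleware by adding the following four files to the project
// (CspDirective.cs, CspMiddleware.cs, CspMiddlewareExtensions.cs, CspOptions.cs),
// then enable it from Startup.Configure as shown at the end of this listing.
//
// Security notes for the whole listing:
//  * CSP is a defence-in-depth control against XSS and content injection; it does not replace
//    output encoding or input validation.
//  * `CspOptions.ReadOnly = true` emits Content-Security-Policy-Report-Only, which only REPORTS
//    violations. Nothing is blocked until it is set to false.
//  * `frame-ancestors`, `form-action` and `base-uri` do NOT fall back to `default-src`. The
//    original four-file version had no way to express them, so it could not mitigate
//    clickjacking or form hijacking; they are added to CspOptions below.
//  * Source expressions and the report URL are only separated from the rest of the policy by
//    `;` / `,`, so they must never be taken from untrusted input. Allow() and ToHeaderValue()
//    reject separator characters to make accidental policy injection fail loudly.

using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// ===================================== CspDirective.cs =====================================

/// <summary>
/// One CSP directive (for example <c>script-src</c>) together with the source expressions
/// allowed for it. Instances are created by <see cref="CspOptions"/> and configured fluently.
/// </summary>
public class CspDirective
{
    // Characters that end a directive (';') or a whole policy (',') inside a CSP header value,
    // plus CR/LF which would otherwise allow header injection. Spaces are allowed so that a
    // caller may still pass several source expressions in one call, as the original API did.
    private static readonly char[] DirectiveSeparators = { ';', ',', '\r', '\n' };

    private readonly string _directive;
    private readonly List<string> _sources = new List<string>();

    /// <param name="directive">Directive name as it appears in the header, e.g. <c>img-src</c>.</param>
    internal CspDirective(string directive)
    {
        _directive = directive;
    }

    /// <summary>
    /// Allows any origin (<c>*</c>). For <c>script-src</c> / <c>object-src</c> this removes
    /// practically all protection CSP offers, and <c>*</c> does not match the <c>data:</c> or
    /// <c>blob:</c> schemes.
    /// </summary>
    public virtual CspDirective AllowAny() => Allow("*");

    /// <summary>
    /// Denies every source (<c>'none'</c>). Browsers ignore <c>'none'</c> when it is combined
    /// with other sources, so do not chain further Allow* calls after Deny().
    /// </summary>
    public virtual CspDirective Deny() => Allow("'none'");

    /// <summary>Allows the document's own origin (<c>'self'</c>).</summary>
    public virtual CspDirective AllowSelf() => Allow("'self'");

    /// <summary>
    /// Appends a raw source expression: a host, a scheme such as <c>https:</c>,
    /// <c>'nonce-…'</c>, <c>'sha256-…'</c>, and so on.
    /// </summary>
    /// <param name="sourceType">A fixed, trusted CSP source expression.</param>
    /// <returns>This directive, for chaining.</returns>
    /// <exception cref="ArgumentException">
    /// The value is empty, or contains <c>;</c>, <c>,</c>, CR or LF. Those characters terminate
    /// a directive or policy, so a value influenced by an attacker (e.g. read from a request or
    /// from untrusted configuration) could otherwise append <c>; script-src *</c> to the policy.
    /// </exception>
    public virtual CspDirective Allow(string sourceType)
    {
        if (string.IsNullOrWhiteSpace(sourceType))
        {
            throw new ArgumentException("CSP source expression must not be empty.", nameof(sourceType));
        }

        if (sourceType.IndexOfAny(DirectiveSeparators) >= 0)
        {
            throw new ArgumentException(
                $"CSP source expression '{sourceType}' contains a directive/policy separator.",
                nameof(sourceType));
        }

        _sources.Add(sourceType);
        return this;
    }

    /// <summary>
    /// Renders <c>"directive src1 src2; "</c>, or an empty string when no sources were added,
    /// so an unconfigured directive is simply omitted from the header (and falls back to
    /// <c>default-src</c> where the spec allows it).
    /// </summary>
    public override string ToString() =>
        _sources.Count > 0 ? $"{_directive} {string.Join(" ", _sources)}; " : "";
}

// ===================================== CspOptions.cs =======================================

/// <summary>
/// Builder for the CSP header. Configure the per-directive lists, then the middleware renders
/// them with <see cref="ToHeaderValue"/>. Directives left empty are omitted; the browser then
/// falls back to <see cref="Defaults"/> for the fetch directives (script, style, img, ...), but
/// NOT for <see cref="BaseUri"/>, <see cref="FormActions"/> and <see cref="FrameAncestors"/>,
/// which have no fallback and must be set explicitly.
/// </summary>
public class CspOptions
{
    // The report URL must be a single token: ';' / ',' would let it inject further directives
    // or policies, whitespace would make the browser mis-parse it.
    private static readonly char[] ReportUrlForbiddenChars = { ';', ',', ' ', '\t', '\r', '\n' };

    /// <summary>
    /// When true the header is <c>Content-Security-Policy-Report-Only</c>: violations are reported
    /// to <see cref="ReportURL"/> but nothing is blocked. The name is historical; read it as
    /// "report-only". Set it to false to enforce the policy.
    /// </summary>
    public bool ReadOnly { get; set; }

    /// <summary><c>default-src</c>: fallback for every fetch directive not set explicitly.</summary>
    public CspDirective Defaults { get; set; } = new CspDirective("default-src");
    /// <summary><c>connect-src</c>: XHR, fetch, WebSocket and EventSource targets.</summary>
    public CspDirective Connects { get; set; } = new CspDirective("connect-src");
    /// <summary><c>font-src</c>.</summary>
    public CspDirective Fonts { get; set; } = new CspDirective("font-src");
    /// <summary><c>frame-src</c>: what this page may embed (not who may embed it).</summary>
    public CspDirective Frames { get; set; } = new CspDirective("frame-src");
    /// <summary><c>img-src</c>.</summary>
    public CspDirective Images { get; set; } = new CspDirective("img-src");
    /// <summary><c>media-src</c>.</summary>
    public CspDirective Media { get; set; } = new CspDirective("media-src");
    /// <summary><c>object-src</c>: plugins; OWASP recommends <c>'none'</c>.</summary>
    public CspDirective Objects { get; set; } = new CspDirective("object-src");
    /// <summary><c>script-src</c>: the directive that actually mitigates XSS.</summary>
    public CspDirective Scripts { get; set; } = new CspDirective("script-src");
    /// <summary><c>style-src</c>.</summary>
    public CspDirective Styles { get; set; } = new CspDirective("style-src");

    /// <summary>
    /// <c>base-uri</c>: restricts <c>&lt;base href&gt;</c>. Without it an injected base tag can
    /// redirect every relative script URL to an attacker host. No fallback to default-src.
    /// </summary>
    public CspDirective BaseUri { get; set; } = new CspDirective("base-uri");

    /// <summary>
    /// <c>form-action</c>: where forms may be submitted (form hijacking / credential
    /// exfiltration). No fallback to default-src.
    /// </summary>
    public CspDirective FormActions { get; set; } = new CspDirective("form-action");

    /// <summary>
    /// <c>frame-ancestors</c>: who may embed this page (clickjacking); the modern replacement for
    /// X-Frame-Options. No fallback to default-src.
    /// </summary>
    public CspDirective FrameAncestors { get; set; } = new CspDirective("frame-ancestors");

    /// <summary>
    /// Endpoint that receives violation reports via the <c>report-uri</c> directive.
    /// <c>report-uri</c> is deprecated in CSP Level 3 in favour of <c>report-to</c> plus a
    /// Reporting-Endpoints header, but it still has the widest browser support; in production
    /// consider sending both.
    /// </summary>
    public string ReportURL { get; set; }

    /// <summary>Header name selected by <see cref="ReadOnly"/>.</summary>
    public string HeaderName =>
        ReadOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";

    /// <summary>
    /// Renders the policy, e.g. <c>default-src 'none'; script-src 'self'; report-uri /csp;</c>,
    /// or an empty string when nothing was configured (the middleware then sends no header
    /// instead of an empty, meaningless one).
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// <see cref="ReportURL"/> contains <c>;</c>, <c>,</c> or whitespace.
    /// </exception>
    public string ToHeaderValue()
    {
        // Order mirrors the original middleware; the three non-fallback directives come last.
        var directives = new[]
        {
            Defaults, Connects, Fonts, Frames, Images, Media, Objects, Scripts, Styles,
            BaseUri, FormActions, FrameAncestors,
        };

        var builder = new StringBuilder();
        foreach (var directive in directives)
        {
            // ToString() is "" for an unconfigured directive; a null property is tolerated too.
            builder.Append(directive?.ToString());
        }

        if (!string.IsNullOrEmpty(ReportURL))
        {
            if (ReportURL.IndexOfAny(ReportUrlForbiddenChars) >= 0)
            {
                throw new InvalidOperationException(
                    "CspOptions.ReportURL must be a single URL without ';', ',' or whitespace.");
            }

            builder.Append($"report-uri {ReportURL};");
        }

        // Each directive ends in "; "; drop the dangling space (the trailing ';' is valid CSP).
        return builder.ToString().TrimEnd();
    }
}

// ==================================== CspMiddleware.cs =====================================

/// <summary>
/// Adds the CSP header to every response. Register it early in the pipeline (before static files
/// and MVC) so every response, including error pages, carries the policy.
/// </summary>
public class CspMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _headerName;
    private readonly string _headerValue;

    /// <param name="next">Next middleware in the pipeline.</param>
    /// <param name="options">
    /// Policy to emit. It is rendered once here, so the policy is fixed at startup and a bad
    /// <see cref="CspOptions.ReportURL"/> fails fast instead of on the first request.
    /// </param>
    /// <exception cref="ArgumentNullException"><paramref name="next"/> or <paramref name="options"/> is null.</exception>
    /// <exception cref="InvalidOperationException">See <see cref="CspOptions.ToHeaderValue"/>.</exception>
    public CspMiddleware(RequestDelegate next, CspOptions options)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        if (options is null)
        {
            throw new ArgumentNullException(nameof(options));
        }

        _headerName = options.HeaderName;
        _headerValue = options.ToHeaderValue();
    }

    /// <summary>Sets the CSP header and continues the pipeline.</summary>
    public async Task Invoke(HttpContext context)
    {
        // Set (not Add) the header before calling the rest of the pipeline: Headers.Add throws
        // if another component already wrote the header, and headers cannot be changed once
        // the response has started. Setting it first also lets a downstream page override it
        // (e.g. with a per-request nonce policy). An empty policy sends no header at all.
        if (_headerValue.Length > 0)
        {
            context.Response.Headers[_headerName] = _headerValue;
        }

        await _next(context);
    }
}

// =============================== CspMiddlewareExtensions.cs ================================

/// <summary>Registration helpers for <see cref="CspMiddleware"/>.</summary>
public static class CspMiddlewareExtensions
{
    /// <summary>Registers <see cref="CspMiddleware"/> with an already built <see cref="CspOptions"/>.</summary>
    /// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="options"/> is null.</exception>
    public static IApplicationBuilder UseCsp(this IApplicationBuilder app, CspOptions options)
    {
        if (app is null)
        {
            throw new ArgumentNullException(nameof(app));
        }

        if (options is null)
        {
            throw new ArgumentNullException(nameof(options));
        }

        return app.UseMiddleware<CspMiddleware>(options);
    }

    /// <summary>Registers <see cref="CspMiddleware"/>, letting the caller configure a fresh <see cref="CspOptions"/>.</summary>
    /// <exception cref="ArgumentNullException"><paramref name="app"/> or <paramref name="optionsDelegate"/> is null.</exception>
    public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspOptions> optionsDelegate)
    {
        if (optionsDelegate is null)
        {
            throw new ArgumentNullException(nameof(optionsDelegate));
        }

        var options = new CspOptions();
        optionsDelegate(options);
        return app.UseCsp(options);
    }
}

// ======================================= Startup.cs ========================================
// Add the following to Startup.Configure to enable the CSP service. The original page shows the
// app.UseCsp(...) call inline; it is wrapped in an extension method here only so that the
// listing compiles as a single unit.

/// <summary>Example policy registration; call <c>app.UseExampleCsp()</c> from Startup.Configure.</summary>
public static class CspStartupExample
{
    /// <summary>
    /// A strict baseline: everything denied by default, same-origin for what the app needs.
    /// Start in report-only mode, review the violation reports, then set ReadOnly = false.
    /// </summary>
    public static IApplicationBuilder UseExampleCsp(this IApplicationBuilder app)
    {
        return app.UseCsp(options =>
        {
            // Report-only: violations are reported but NOT blocked. Flip to false to enforce.
            options.ReadOnly = true;
            // Report-only mode is pointless without somewhere to send reports; point this at an
            // endpoint you control (see CspOptions.ReportURL about report-uri vs report-to).
            // options.ReportURL = "/csp-report";

            // default-src 'none' makes every directive not listed here (worker-src, manifest-src,
            // child-src, ...) deny by default. The original page left this line commented out,
            // which left all of those unrestricted.
            options.Defaults.Deny();

            options.Connects.AllowSelf();
            options.Fonts.Allow("https:");   // any HTTPS origin: tighten to the actual font CDN once known
            options.Frames.AllowSelf();
            options.Images.AllowSelf();
            options.Media.AllowSelf();
            options.Objects.Deny();          // plugins are a classic injection vector; OWASP: object-src 'none'
            options.Scripts.AllowSelf();     // blocks inline <script> and on* handlers; use nonces/hashes for inline code
            options.Styles.Allow("https:");  // any HTTPS origin; inline styles are still blocked

            // These three never inherit from default-src and must be set explicitly.
            options.BaseUri.AllowSelf();
            options.FormActions.AllowSelf();
            options.FrameAncestors.AllowSelf();
        });
    }
}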