From ee757a671849f6f2b5a33e9d3b92e799805006a6 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Wed, 3 Jul 2024 10:14:26 +0100
Subject: [PATCH] Set minimum security headers for all requests (#527)
---
TramsDataApi/Startup.cs | 29 +++++++++++++++++++++++++++++
TramsDataApi/TramsDataApi.csproj | 1 +
2 files changed, 30 insertions(+)
diff --git a/TramsDataApi/Startup.cs b/TramsDataApi/Startup.cs
index 1aea3b82f..694a19fb3 100644
--- a/TramsDataApi/Startup.cs
+++ b/TramsDataApi/Startup.cs
@@ -116,6 +116,35 @@ public void ConfigureServices(IServiceCollection services)
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IApiVersionDescriptionProvider provider)
{
+ app.UseSecurityHeaders(options =>
+ {
+ options.AddFrameOptionsDeny()
+ .AddXssProtectionDisabled()
+ .AddContentTypeOptionsNoSniff()
+ .RemoveServerHeader()
+ .AddContentSecurityPolicy(builder =>
+ {
+ builder.AddDefaultSrc().None();
+ })
+ .AddPermissionsPolicy(builder =>
+ {
+ builder.AddAccelerometer().None();
+ builder.AddAutoplay().None();
+ builder.AddCamera().None();
+ builder.AddEncryptedMedia().None();
+ builder.AddFullscreen().None();
+ builder.AddGeolocation().None();
+ builder.AddGyroscope().None();
+ builder.AddMagnetometer().None();
+ builder.AddMicrophone().None();
+ builder.AddMidi().None();
+ builder.AddPayment().None();
+ builder.AddPictureInPicture().None();
+ builder.AddSyncXHR().None();
+ builder.AddUsb().None();
+ });
+ });
+
app.UseSwagger();
app.UseSwaggerUI(c =>
{
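Review bot: The `AddContentSecurityPolicy` block at lines 23-26 sets `default-src 'none'` for every response, yet the same pipeline serves Swagger UI (`app.UseSwaggerUI` just below), whose HTML loads its own scripts and stylesheets and will be blocked by that policy in a browser; either the Swagger endpoints need a relaxed policy (the header library's policy-selection support or an `app.UseWhen` branch on the swagger path, depending on the installed version) or the commit should state that the interactive docs are not expected to work under this CSP. Please confirm in a browser that `/swagger` still renders after this change. The `AddPermissionsPolicy` list and `RemoveServerHeader()` are fine as written; a short comment such as `// API returns JSON only: lock down CSP and disable all browser features` above line 17 would record the intent for the next maintainer. HSTS is not among the headers added, which is reasonable only if TLS termination and HSTS are handled elsewhere, so that is worth a note in the description. The body of `Configure` continues outside the hunk.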
diff --git a/TramsDataApi/TramsDataApi.csproj b/TramsDataApi/TramsDataApi.csproj
index dae2154b2..218dfe494 100644
--- a/TramsDataApi/TramsDataApi.csproj
+++ b/TramsDataApi/TramsDataApi.csproj
@@ -34,6 +34,7 @@
+