Merge pull request #2 from swiss-ssi-group/net9

.NET 9

.github/workflows/azure-deploy-issuer.yml

@@ -4,7 +4,7 @@ name: Build and deploy Issue Door unlocked
 env:
   AZURE_WEBAPP_NAME: issueunlockdoor   # set this to the name of your Azure Web App
   AZURE_WEBAPP_PACKAGE_PATH: '.'       # set this to the path to your web app project, defaults to the repository root
-  DOTNET_VERSION: '8.0'                # set this to the .NET Core version to use
+  DOTNET_VERSION: '9.0'                # set this to the .NET Core version to use
 
 on:
   push:
@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up .NET Core
-        uses: actions/setup-dotnet@v2
+        uses: actions/setup-dotnet@v4
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
@@ -41,7 +41,7 @@ jobs:
         run: dotnet publish ./IssueUnlockDoor/IssueUnlockDoor.csproj -c Release -o ${{env.DOTNET_ROOT}}/issuerpackage
 
       - name: Upload artifact for deployment job
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: .net-app
           path: ${{env.DOTNET_ROOT}}/issuerpackage
@@ -57,7 +57,7 @@ jobs:
 
     steps:
       - name: Download artifact from build job
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: .net-app
 

.github/workflows/azure-deploy-verifier.yml

@@ -4,7 +4,7 @@ name: Build and deploy EmployeeUnlockDoor
 env:
   AZURE_WEBAPP_NAME: employeeunlockdoor      # set this to the name of your Azure Web App
   AZURE_WEBAPP_PACKAGE_PATH: '.'             # set this to the path to your web app project, defaults to the repository root
-  DOTNET_VERSION: '8.0'                      # set this to the .NET Core version to use
+  DOTNET_VERSION: '9.0'                      # set this to the .NET Core version to use
 
 on:
   push:
@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up .NET Core
-        uses: actions/setup-dotnet@v2
+        uses: actions/setup-dotnet@v4
         with:
           dotnet-version: ${{ env.DOTNET_VERSION }}
 
@@ -41,7 +41,7 @@ jobs:
         run: dotnet publish ./EmployeeUnlockDoor/EmployeeUnlockDoor.csproj -c Release -o ${{env.DOTNET_ROOT}}/verifierpackage
 
       - name: Upload artifact for deployment job
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: .net-app
           path: ${{env.DOTNET_ROOT}}/verifierpackage
@@ -57,7 +57,7 @@ jobs:
 
     steps:
       - name: Download artifact from build job
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: .net-app
 

.github/workflows/dotnet.yml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: '8.0'
+        dotnet-version: '9.0'
         include-prerelease: True
     - name: Restore dependencies
       run: dotnet restore

EmployeeUnlockDoor.sln

@@ -7,6 +7,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "EmployeeUnlockDoor", "Emplo
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "_solutionItems", "_solutionItems", "{EFC835A5-75F8-4C74-AD33-A69CEF4E899F}"
 	ProjectSection(SolutionItems) = preProject
+		.github\workflows\azure-deploy-issuer.yml = .github\workflows\azure-deploy-issuer.yml
+		.github\workflows\azure-deploy-verifier.yml = .github\workflows\azure-deploy-verifier.yml
 		.github\workflows\dotnet.yml = .github\workflows\dotnet.yml
 		README.md = README.md
 	EndProjectSection

EmployeeUnlockDoor/EmployeeUnlockDoor.csproj

@@ -1,19 +1,19 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <UserSecretsId>0efc5792-61a5-4f74-b474-6fbc2bb5c1f4</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="2.17.1" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="2.17.1" />
-    <PackageReference Include="Microsoft.Extensions.Localization" Version="8.0.2" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.2" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.5.0" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="3.5.0" />
+    <PackageReference Include="Microsoft.Extensions.Localization" Version="9.0.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.0" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.2" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.2" />
   </ItemGroup>
 
 </Project>

EmployeeUnlockDoor/Program.cs

@@ -9,6 +9,10 @@ public static void Main(string[] args)
     {
         var builder = WebApplication.CreateBuilder(args);
 
+        builder.Services.AddSecurityHeaderPolicies()
+         .SetPolicySelector(ctx => SecurityHeadersDefinitions
+             .GetHeaderPolicyCollection(builder.Environment.IsDevelopment()));
+
         builder.Services.AddScoped<VerifierService>();
         builder.Services.AddScoped<ValidateUserAndDoorCodeService>();
 
@@ -29,9 +33,7 @@ public static void Main(string[] args)
 
         var app = builder.Build();
 
-        app.UseSecurityHeaders(
-            SecurityHeadersDefinitions.GetHeaderPolicyCollection(
-                app.Environment.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         if (!app.Environment.IsDevelopment())
         {

EmployeeUnlockDoor/SecurityHeadersDefinitions.cs

@@ -2,11 +2,19 @@ namespace EmployeeUnlockDoor;
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
     {
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null)
+        {
+            return policy;
+        }
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
-            .AddXssProtectionBlock()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
             .RemoveServerHeader()
@@ -24,23 +32,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddScriptSrc().UnsafeInline().WithNonce();
                 builder.AddFrameAncestors().None();
             })
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {

IssueUnlockDoor/IssueUnlockDoor.csproj

@@ -1,20 +1,20 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net8.0</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <UserSecretsId>6bdc7153-3b09-4a32-82f2-a8dd84db7e88</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.2" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.2" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="2.17.1" />
-    <PackageReference Include="Microsoft.Identity.Web.GraphServiceClient" Version="2.17.1" />
-    <PackageReference Include="System.Configuration.ConfigurationManager" Version="8.0.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.21.0" />
-    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.21.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.0" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.0" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.5.0" />
+    <PackageReference Include="Microsoft.Identity.Web.GraphServiceClient" Version="3.5.0" />
+    <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.2" />
+    <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.2" />
   </ItemGroup>
 
 </Project>

IssueUnlockDoor/Program.cs

@@ -9,7 +9,11 @@ public static void Main(string[] args)
         var builder = WebApplication.CreateBuilder(args);
         var services = builder.Services;
         var configuration = builder.Configuration;
-        var env = builder.Environment;
+
+        services.AddSecurityHeaderPolicies()
+         .SetPolicySelector(ctx => SecurityHeadersDefinitions
+             .GetHeaderPolicyCollection(builder.Environment.IsDevelopment()));
+
 
         services.Configure<CredentialSettings>(configuration.GetSection("CredentialSettings"));
         services.AddHttpClient();
@@ -26,11 +30,10 @@ public static void Main(string[] args)
 
         var app = builder.Build();
 
-        app.UseSecurityHeaders(SecurityHeadersDefinitions
-           .GetHeaderPolicyCollection(env.IsDevelopment()));
+        app.UseSecurityHeaders();
 
 
-        if (env.IsDevelopment())
+        if (app.Environment.IsDevelopment())
         {
             app.UseDeveloperExceptionPage();
         }

IssueUnlockDoor/SecurityHeadersDefinitions.cs

@@ -2,13 +2,22 @@ namespace IssueUnlockDoor;
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
     {
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null)
+        {
+            return policy;
+        }
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
-            .AddXssProtectionBlock()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
+            .RemoveServerHeader()
             .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
             .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
             .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
@@ -17,41 +26,21 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 builder.AddObjectSrc().None();
                 builder.AddBlockAllMixedContent();
                 builder.AddImgSrc().Self().From("data:");
-                builder.AddFormAction().Self();
                 builder.AddFontSrc().Self();
-                builder.AddBaseUri().Self();
+                builder.AddFormAction().Self();
                 builder.AddStyleSrc().Self().UnsafeInline();
-                builder.AddScriptSrc().Self().UnsafeInline().WithNonce();
+                builder.AddBaseUri().Self();
+                builder.AddScriptSrc().UnsafeInline().WithNonce();
                 builder.AddFrameAncestors().None();
-                //builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
-            .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }

README.md

@@ -24,7 +24,7 @@ https://employeeunlockdoor.azurewebsites.net
 
 ## History
 
-
+- 2024-12-15 .NET 9, Updated packages
 - 2024-03-09 Updated packages
 - 2023-07-27 Updated packages
 - 2023-07-08 Initial version