Update security headers

Author: damienbod

server/BffMicrosoftEntraID.Server.csproj

@@ -13,8 +13,8 @@
 		<PackageReference Include="Microsoft.Identity.Web.GraphServiceClient" Version="3.2.1" />
 		<PackageReference Include="Microsoft.Identity.Web" Version="3.2.1" />
 		<PackageReference Include="Microsoft.Identity.Web.UI" Version="3.2.1" />
-		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.24.0" />
-		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.24.0" />
+		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.1" />
+		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.1" />
 		<PackageReference Include="Yarp.ReverseProxy" Version="2.2.0" />
 	</ItemGroup>
 

server/Program.cs

@@ -5,6 +5,7 @@
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
 using Microsoft.IdentityModel.Logging;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -17,6 +18,13 @@
 var configuration = builder.Configuration;
 var env = builder.Environment;
 
+services.AddSecurityHeaderPolicies()
+  .SetPolicySelector((PolicySelectorContext ctx) =>
+  {
+      return SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment(),
+        configuration["MicrosoftEntraID:Instance"]);
+  });
+
 services.AddScoped<MsGraphService>();
 services.AddScoped<CaeClaimsChallengeService>();
 
@@ -74,9 +82,7 @@
     app.UseExceptionHandler("/Error");
 }
 
-app.UseSecurityHeaders(
-    SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment(),
-        configuration["MicrosoftEntraID:Instance"]));
+app.UseSecurityHeaders();
 
 app.UseHttpsRedirection();
 

server/SecurityHeadersDefinitions.cs

@@ -34,37 +34,19 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
                 {
                     builder.AddStyleSrc().WithNonce().UnsafeInline();
                 }
-                
+
 
                 builder.AddScriptSrc().WithNonce().UnsafeInline();
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
             // maxage = one year in seconds
             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
         }
 
-        policy.ApplyDocumentHeadersToAllResponses();
-
         return policy;
     }
 }