Update packages and security headers

damienbod · damienbod · commit 5f17d1a9f4f0 · 2024-10-17T21:40:21.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,21 +1,21 @@
 ## ASP.NET Core, Vue.js BFF using Microsoft Entra ID Changelog
 
+### 2024-10-17 0.0.15
+- Updated packages
+- Updated security headers
+- 
 ### 2024-10-05 0.0.14
-
 - Updated packages
 - Updated security headers
 
 ### 2023-11-17 0.0.3
-
 - .NET 8
 
 ### 2023-09-30 0.0.2
-
 - Update packages
 - Fixed dynamic CSP nonce injection
 
 ### 2023-09-26 0.0.1
-
 - Initial version using Vue.js (Typescript & Vite) and ASP.NET Core
   - ASP.NET Core version 7.x
   - Vue.js (typescript & vite)
diff --git a/server/BffMicrosoftEntraID.Server.csproj b/server/BffMicrosoftEntraID.Server.csproj
@@ -8,11 +8,11 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.8" NoWarn="NU1605" />
-		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.8" />
-		<PackageReference Include="Microsoft.Identity.Web.GraphServiceClient" Version="3.2.1" />
-		<PackageReference Include="Microsoft.Identity.Web" Version="3.2.1" />
-		<PackageReference Include="Microsoft.Identity.Web.UI" Version="3.2.1" />
+		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.10" NoWarn="NU1605" />
+		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.10" />
+		<PackageReference Include="Microsoft.Identity.Web.GraphServiceClient" Version="3.2.2" />
+		<PackageReference Include="Microsoft.Identity.Web" Version="3.2.2" />
+		<PackageReference Include="Microsoft.Identity.Web.UI" Version="3.2.2" />
 		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.1" />
 		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.1" />
 		<PackageReference Include="Yarp.ReverseProxy" Version="2.2.0" />
diff --git a/server/Program.cs b/server/Program.cs
@@ -16,12 +16,11 @@
 
 var services = builder.Services;
 var configuration = builder.Configuration;
-var env = builder.Environment;
 
 services.AddSecurityHeaderPolicies()
   .SetPolicySelector((PolicySelectorContext ctx) =>
   {
-      return SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment(),
+      return SecurityHeadersDefinitions.GetHeaderPolicyCollection(builder.Environment.IsDevelopment(),
         configuration["MicrosoftEntraID:Instance"]);
   });
 
@@ -72,7 +71,7 @@
 
 IdentityModelEventSource.ShowPII = true;
 
-if (env.IsDevelopment())
+if (app.Environment.IsDevelopment())
 {
     app.UseDeveloperExceptionPage();
     app.UseWebAssemblyDebugging();
diff --git a/server/SecurityHeadersDefinitions.cs b/server/SecurityHeadersDefinitions.cs
@@ -2,14 +2,17 @@
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
     {
-        if (idpHost == null)
-        {
-            throw new ArgumentNullException(nameof(idpHost));
-        }
+        ArgumentNullException.ThrowIfNull(idpHost);
+
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null) return policy;
 
-        var policy = new HeaderPolicyCollection()
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
