Security headers recommended in Health Checks should be enabled by default

[JasonElkin]

I've been looking at the following health checks:

Clickjacking Protection
Content Sniffing Protection

XSS Protection
Now obsolete, see #13341

It would be good if Umbraco was secure by default. These headers should probably be enabled OOTB and toggled/configured in configuration.

It would also be nice to move HSTS setup into config (and allow for per-domain settings).

[bergmania]

Hi @JasonElkin

Do you have suggestions to how to add those by default, while stille being easily configurable/removable.

[JasonElkin]

I was envisaging having a simple corresponding middleware, as outlined in the docs, for each header with a flag in config:

{
    "Umbraco": {
        "CMS": {
            "Security": {
                "UseHsts" : <false,true>
                "XFrameOptions": < "SAMEORIGIN" | "DENY" | "">
            }
        }
    }
}

Turns out that the HSTS middleware in ASP.NET already includes an IOptions<HstsOptions> so it just needs turning on.

[bergmania]

Configuration wise im really in doubt.. This has nothing with the CMS to do and is pure ASP.NET Core. So putting it inside the Umbraco:CMS: seems a bit weird to me.

Personally im not sure I would ever configure it in app-settings. Are these configuration something that will ever be different per environment. I just wonder why Microsoft did not provide bindings from IConfiguration.

[JasonElkin]

That's a fair point and config could go elsewhere.

It does seem a little weird that these options are not in ASP.NET Core (like UseHsts) is but...

• They're in the health checks
• They're easily fixed
• OOTB Umbraco serves content for which these headers should really be set (/umbraco)

So I think they should really be set in Umbraco by default.

My main thinking about appsettings/config was really just to provide an easy way to configure or turn the middleware(s) off and/or configure them without devs having faff with Startup.cs for minor changes.

[lassefredslund]

I've just added an update/removal of the XSS Protection check as a sprint candidate: #13341