From 25c815985d0ef953fbae7baedbce9b12c666fb3f Mon Sep 17 00:00:00 2001
From: maliming
Date: Tue, 1 Jul 2025 09:36:36 +0800
Subject: [PATCH] Refactor security headers middleware to reintroduce essential security headers and improve code organization.

---
 ...etCoreAuthenticationOpenIdConnectModule.cs | 6 ++++++
 .../Security/AbpSecurityHeadersMiddleware.cs | 20 +++++++++----------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo/Abp/AspNetCore/Authentication/OpenIdConnect/AbpAspNetCoreAuthenticationOpenIdConnectModule.cs b/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo/Abp/AspNetCore/Authentication/OpenIdConnect/AbpAspNetCoreAuthenticationOpenIdConnectModule.cs
index ba21ef11fd..4fc7c4ca75 100644
--- a/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo/Abp/AspNetCore/Authentication/OpenIdConnect/AbpAspNetCoreAuthenticationOpenIdConnectModule.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Authentication.OpenIdConnect/Volo/Abp/AspNetCore/Authentication/OpenIdConnect/AbpAspNetCoreAuthenticationOpenIdConnectModule.cs
@@ -1,5 +1,6 @@
 using Microsoft.Extensions.DependencyInjection;
 using Volo.Abp.AspNetCore.Authentication.OAuth;
+using Volo.Abp.AspNetCore.Security;
 using Volo.Abp.Modularity;
 using Volo.Abp.MultiTenancy;
 using Volo.Abp.RemoteServices;
@@ -16,5 +17,10 @@ public class AbpAspNetCoreAuthenticationOpenIdConnectModule : AbpModule
     public override void ConfigureServices(ServiceConfigurationContext context)
     {
         context.Services.AddHttpClient();
+
+        Configure(options =>
+        {
+            options.IgnoredScriptNoncePaths.Add("/signout-oidc");
+        });
     }
 }
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index 2d231c46ee..5a1da8e3d3 100644
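Review bot: The path added to `IgnoredScriptNoncePaths` in ConfigureServices is a hard-coded copy of the OIDC handler's default `RemoteSignOutPath`, so an application that configures a different `RemoteSignOutPath` on its OpenIdConnectOptions keeps nonce rewriting on its real remote sign-out endpoint while exempting a path that is no longer served, and the hunk gives no reason why that endpoint needs the exemption at all. Every entry in this list is a response the security-headers middleware leaves without script nonces, so the coupling deserves a why-comment above the call, e.g. `// Must match OpenIdConnectOptions.RemoteSignOutPath (default "/signout-oidc"); the remote sign-out response is not rewritten for script nonces.` — or, if the OIDC options are reachable here, register the configured path instead of the literal. How the list is matched (exact vs. prefix, case sensitivity) is decided in the middleware rather than in this hunk, so it is worth confirming that the exemption is no wider than this one endpoint. The `Configure(options =>` call as shown carries no type argument; presumably `<AbpSecurityHeadersOptions>` was dropped in rendering rather than in the committed code, but it is worth a glance.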
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -30,16 +30,6 @@ public class AbpSecurityHeadersMiddleware : AbpMiddlewareBase, ITransientDepende
             await next.Invoke(context);
             return;
         }
-
-        /*X-Content-Type-Options header tells the browser to not try and “guess” what a mimetype of a resource might be, and to just take what mimetype the server has returned as fact.*/
-        AddHeader(context, "X-Content-Type-Options", "nosniff");
-
-        /*X-XSS-Protection is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks*/
-        AddHeader(context, "X-XSS-Protection", "1; mode=block");
-
-        /*The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a ,