added security header middleware. closes #7752

framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs

@@ -6,6 +6,7 @@ using Microsoft.Extensions.Hosting;
 using Volo.Abp;
 using Volo.Abp.AspNetCore.Auditing;
 using Volo.Abp.AspNetCore.ExceptionHandling;
+using Volo.Abp.AspNetCore.Security;
 using Volo.Abp.AspNetCore.Security.Claims;
 using Volo.Abp.AspNetCore.Tracing;
 using Volo.Abp.AspNetCore.Uow;
@@ -82,5 +83,10 @@ namespace Microsoft.AspNetCore.Builder
         {
             return app.UseMiddleware<AbpClaimsMapMiddleware>();
         }
+
+        public static void UseAbpSecurityHeaders(this IApplicationBuilder app)
+        {
+            app.UseMiddleware<AbpSecurityHeadersMiddleware>();
+        }
     }
 }

framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj

@@ -25,6 +25,7 @@
     <ProjectReference Include="..\Volo.Abp.Uow\Volo.Abp.Uow.csproj" />
     <ProjectReference Include="..\Volo.Abp.Validation\Volo.Abp.Validation.csproj" />
     <ProjectReference Include="..\Volo.Abp.VirtualFileSystem\Volo.Abp.VirtualFileSystem.csproj" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.0.0" />
   </ItemGroup>
 
 </Project>

framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs

@@ -0,0 +1,37 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Volo.Abp.AspNetCore.Security
+{
+    public class AbpSecurityHeadersMiddleware
+    {
+        private readonly RequestDelegate _next;
+
+        public AbpSecurityHeadersMiddleware(RequestDelegate next)
+        {
+            _next = next;
+        }
+
+        public async Task Invoke(HttpContext httpContext)
+        {
+            /*X-Content-Type-Options header tells the browser to not try and “guess” what a mimetype of a resource might be, and to just take what mimetype the server has returned as fact.*/
+            AddHeaderIfNotExists(httpContext, "X-Content-Type-Options", "nosniff");
+
+            /*X-XSS-Protection is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks*/
+            AddHeaderIfNotExists(httpContext, "X-XSS-Protection", "1; mode=block");
+
+            /*The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. SAMEORIGIN makes it being displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain*/
+            AddHeaderIfNotExists(httpContext, "X-Frame-Options", "SAMEORIGIN");
+
+            await _next.Invoke(httpContext);
+        }
+
+        private static void AddHeaderIfNotExists(HttpContext context, string key, string value)
+        {
+            if (!context.Response.Headers.ContainsKey(key))
+            {
+                context.Response.Headers.Add(key, value);
+            }
+        }
+    }
+}

framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/AbpAspNetCoreMvcTestModule.cs

@@ -110,6 +110,7 @@ namespace Volo.Abp.AspNetCore.Mvc
             app.UseCorrelationId();
             app.UseVirtualFiles();
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
             app.UseRouting();
             app.UseMiddleware<FakeAuthenticationMiddleware>();
             app.UseAbpClaimsMap();

modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs

@@ -152,12 +152,10 @@ namespace VoloDocs.Web
 
             app.UseVirtualFiles();
             app.UseRouting();
-
             app.UseAuthentication();
             app.UseAuthorization();
-
             app.UseAbpRequestLocalization();
-
+			app.UseAbpSecurityHeaders();
             app.UseSwagger();
             app.UseSwaggerUI(options =>
             {

templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyProjectNameHttpApiHostModule.cs

@@ -188,6 +188,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {

templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs

@@ -197,6 +197,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {

templates/app/aspnet-core/src/MyCompanyName.MyProjectName.IdentityServer/MyProjectNameIdentityServerModule.cs

@@ -165,6 +165,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {

templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs

@@ -240,6 +240,7 @@ namespace MyCompanyName.MyProjectName.Web
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {

templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyProjectNameWebModule.cs

@@ -215,6 +215,7 @@ namespace MyCompanyName.MyProjectName.Web
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {