From 393f86babf42b4d1af6ba22684cabafb3a068d30 Mon Sep 17 00:00:00 2001
From: Alper Ebicoglu <alper.ebicoglu@volosoft.com>
Date: Tue, 16 Feb 2021 23:33:51 +0300
Subject: [PATCH 1/3] added security header middleware. closes #7752

---
 .../AbpApplicationBuilderExtensions.cs        |  6 +++
 .../Volo.Abp.AspNetCore.csproj                |  1 +
 .../Security/AbpSecurityHeadersMiddleware.cs  | 37 +++++++++++++++++++
 .../Mvc/AbpAspNetCoreMvcTestModule.cs         |  1 +
 .../app/VoloDocs.Web/VoloDocsWebModule.cs     |  4 +-
 .../MyProjectNameHttpApiHostModule.cs         |  1 +
 .../MyProjectNameHttpApiHostModule.cs         |  1 +
 .../MyProjectNameIdentityServerModule.cs      |  1 +
 .../MyProjectNameWebModule.cs                 |  1 +
 .../MyProjectNameWebModule.cs                 |  1 +
 10 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs

diff --git a/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs b/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
index 568ecfef7b..fab4a4bb80 100644
--- a/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
@@ -6,6 +6,7 @@ using Microsoft.Extensions.Hosting;
 using Volo.Abp;
 using Volo.Abp.AspNetCore.Auditing;
 using Volo.Abp.AspNetCore.ExceptionHandling;
+using Volo.Abp.AspNetCore.Security;
 using Volo.Abp.AspNetCore.Security.Claims;
 using Volo.Abp.AspNetCore.Tracing;
 using Volo.Abp.AspNetCore.Uow;
@@ -82,5 +83,10 @@ namespace Microsoft.AspNetCore.Builder
         {
             return app.UseMiddleware<AbpClaimsMapMiddleware>();
         }
+
+        public static void UseAbpSecurityHeaders(this IApplicationBuilder app)
+        {
+            app.UseMiddleware<AbpSecurityHeadersMiddleware>();
+        }
     }
 }
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj b/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
index b191872339..eaa053c91a 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
+++ b/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
@@ -25,6 +25,7 @@
     <ProjectReference Include="..\Volo.Abp.Uow\Volo.Abp.Uow.csproj" />
     <ProjectReference Include="..\Volo.Abp.Validation\Volo.Abp.Validation.csproj" />
     <ProjectReference Include="..\Volo.Abp.VirtualFileSystem\Volo.Abp.VirtualFileSystem.csproj" />
+    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.0.0" />
   </ItemGroup>
 
 </Project>
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
new file mode 100644
index 0000000000..09dddfabe7
--- /dev/null
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -0,0 +1,37 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Volo.Abp.AspNetCore.Security
+{
+    public class AbpSecurityHeadersMiddleware
+    {
+        private readonly RequestDelegate _next;
+
+        public AbpSecurityHeadersMiddleware(RequestDelegate next)
+        {
+            _next = next;
+        }
+
+        public async Task Invoke(HttpContext httpContext)
+        {
+            /*X-Content-Type-Options header tells the browser to not try and “guess” what a mimetype of a resource might be, and to just take what mimetype the server has returned as fact.*/
+            AddHeaderIfNotExists(httpContext, "X-Content-Type-Options", "nosniff");
+
+            /*X-XSS-Protection is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks*/
+            AddHeaderIfNotExists(httpContext, "X-XSS-Protection", "1; mode=block");
+
+            /*The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. SAMEORIGIN makes it being displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain*/
+            AddHeaderIfNotExists(httpContext, "X-Frame-Options", "SAMEORIGIN");
+
+            await _next.Invoke(httpContext);
+        }
+
+        private static void AddHeaderIfNotExists(HttpContext context, string key, string value)
+        {
+            if (!context.Response.Headers.ContainsKey(key))
+            {
+                context.Response.Headers.Add(key, value);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/AbpAspNetCoreMvcTestModule.cs b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/AbpAspNetCoreMvcTestModule.cs
index f569283415..686a7aa792 100644
--- a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/AbpAspNetCoreMvcTestModule.cs
+++ b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/AbpAspNetCoreMvcTestModule.cs
@@ -110,6 +110,7 @@ namespace Volo.Abp.AspNetCore.Mvc
             app.UseCorrelationId();
             app.UseVirtualFiles();
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
             app.UseRouting();
             app.UseMiddleware<FakeAuthenticationMiddleware>();
             app.UseAbpClaimsMap();
diff --git a/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs b/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
index fcbb5331aa..b878113599 100644
--- a/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
+++ b/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
@@ -152,12 +152,10 @@ namespace VoloDocs.Web
 
             app.UseVirtualFiles();
             app.UseRouting();
-
             app.UseAuthentication();
             app.UseAuthorization();
-
             app.UseAbpRequestLocalization();
-
+			app.UseAbpSecurityHeaders();
             app.UseSwagger();
             app.UseSwaggerUI(options =>
             {
diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyProjectNameHttpApiHostModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyProjectNameHttpApiHostModule.cs
index 5cf421b265..d51bc33730 100644
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyProjectNameHttpApiHostModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.Host/MyProjectNameHttpApiHostModule.cs
@@ -188,6 +188,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {
diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs
index 9a50940341..cbbeb700ae 100644
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.HttpApi.HostWithIds/MyProjectNameHttpApiHostModule.cs
@@ -197,6 +197,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {
diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.IdentityServer/MyProjectNameIdentityServerModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.IdentityServer/MyProjectNameIdentityServerModule.cs
index 133b656ca8..1e1d29f3d0 100644
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.IdentityServer/MyProjectNameIdentityServerModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.IdentityServer/MyProjectNameIdentityServerModule.cs
@@ -165,6 +165,7 @@ namespace MyCompanyName.MyProjectName
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {
diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs
index 93e5b89df1..fe0db4478a 100644
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web.Host/MyProjectNameWebModule.cs
@@ -240,6 +240,7 @@ namespace MyCompanyName.MyProjectName.Web
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {
diff --git a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyProjectNameWebModule.cs b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyProjectNameWebModule.cs
index 0111f868f6..d73a34b033 100644
--- a/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyProjectNameWebModule.cs
+++ b/templates/app/aspnet-core/src/MyCompanyName.MyProjectName.Web/MyProjectNameWebModule.cs
@@ -215,6 +215,7 @@ namespace MyCompanyName.MyProjectName.Web
             }
 
             app.UseAbpRequestLocalization();
+            app.UseAbpSecurityHeaders();
 
             if (!env.IsDevelopment())
             {

From 88bef292fe5310aa3e514c658ed18346a3ce0331 Mon Sep 17 00:00:00 2001
From: maliming <liming.ma@volosoft.com>
Date: Wed, 17 Feb 2021 09:07:51 +0800
Subject: [PATCH 2/3] Update VoloDocsWebModule.cs

---
 modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs b/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
index b878113599..c07ae2a15e 100644
--- a/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
+++ b/modules/docs/app/VoloDocs.Web/VoloDocsWebModule.cs
@@ -155,7 +155,7 @@ namespace VoloDocs.Web
             app.UseAuthentication();
             app.UseAuthorization();
             app.UseAbpRequestLocalization();
-			app.UseAbpSecurityHeaders();
+            app.UseAbpSecurityHeaders();
             app.UseSwagger();
             app.UseSwaggerUI(options =>
             {

From 32d72195806b807d15cb202b83b9b4258b00f8f3 Mon Sep 17 00:00:00 2001
From: maliming <malimings@gmail.com>
Date: Wed, 17 Feb 2021 09:32:03 +0800
Subject: [PATCH 3/3] Add unit test for AbpSecurityHeadersMiddleware.

---
 .../AbpApplicationBuilderExtensions.cs        |  4 +--
 .../Volo.Abp.AspNetCore.csproj                |  1 -
 .../Security/AbpSecurityHeadersMiddleware.cs  | 31 +++++++------------
 .../Authorization/AuthTestController_Tests.cs | 10 ------
 .../Claims/ClaimsMapTestController_Tests.cs   | 10 ------
 .../Headers/SecurityHeadersTestController.cs  | 12 +++++++
 .../SecurityHeadersTestController_Tests.cs    | 19 ++++++++++++
 7 files changed, 45 insertions(+), 42 deletions(-)
 create mode 100644 framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController.cs
 create mode 100644 framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController_Tests.cs

diff --git a/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs b/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
index fab4a4bb80..a409355ef0 100644
--- a/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Microsoft/AspNetCore/Builder/AbpApplicationBuilderExtensions.cs
@@ -84,9 +84,9 @@ namespace Microsoft.AspNetCore.Builder
             return app.UseMiddleware<AbpClaimsMapMiddleware>();
         }
 
-        public static void UseAbpSecurityHeaders(this IApplicationBuilder app)
+        public static IApplicationBuilder UseAbpSecurityHeaders(this IApplicationBuilder app)
         {
-            app.UseMiddleware<AbpSecurityHeadersMiddleware>();
+            return app.UseMiddleware<AbpSecurityHeadersMiddleware>();
         }
     }
 }
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj b/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
index eaa053c91a..b191872339 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
+++ b/framework/src/Volo.Abp.AspNetCore/Volo.Abp.AspNetCore.csproj
@@ -25,7 +25,6 @@
     <ProjectReference Include="..\Volo.Abp.Uow\Volo.Abp.Uow.csproj" />
     <ProjectReference Include="..\Volo.Abp.Validation\Volo.Abp.Validation.csproj" />
     <ProjectReference Include="..\Volo.Abp.VirtualFileSystem\Volo.Abp.VirtualFileSystem.csproj" />
-    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.0.0" />
   </ItemGroup>
 
 </Project>
diff --git a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
index 09dddfabe7..28b0f3a48e 100644
--- a/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
+++ b/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Security/AbpSecurityHeadersMiddleware.cs
@@ -1,37 +1,30 @@
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Primitives;
+using Volo.Abp.DependencyInjection;
 
 namespace Volo.Abp.AspNetCore.Security
 {
-    public class AbpSecurityHeadersMiddleware
+    public class AbpSecurityHeadersMiddleware : IMiddleware, ITransientDependency
     {
-        private readonly RequestDelegate _next;
-
-        public AbpSecurityHeadersMiddleware(RequestDelegate next)
-        {
-            _next = next;
-        }
-
-        public async Task Invoke(HttpContext httpContext)
+        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
         {
             /*X-Content-Type-Options header tells the browser to not try and “guess” what a mimetype of a resource might be, and to just take what mimetype the server has returned as fact.*/
-            AddHeaderIfNotExists(httpContext, "X-Content-Type-Options", "nosniff");
+            AddHeaderIfNotExists(context, "X-Content-Type-Options", "nosniff");
 
             /*X-XSS-Protection is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks*/
-            AddHeaderIfNotExists(httpContext, "X-XSS-Protection", "1; mode=block");
+            AddHeaderIfNotExists(context, "X-XSS-Protection", "1; mode=block");
 
             /*The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. SAMEORIGIN makes it being displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain*/
-            AddHeaderIfNotExists(httpContext, "X-Frame-Options", "SAMEORIGIN");
+            AddHeaderIfNotExists(context, "X-Frame-Options", "SAMEORIGIN");
 
-            await _next.Invoke(httpContext);
+            await next.Invoke(context);
         }
 
-        private static void AddHeaderIfNotExists(HttpContext context, string key, string value)
+        protected virtual void AddHeaderIfNotExists(HttpContext context, string key, string value)
         {
-            if (!context.Response.Headers.ContainsKey(key))
-            {
-                context.Response.Headers.Add(key, value);
-            }
+            context.Response.Headers.AddIfNotContains(new KeyValuePair<string, StringValues>(key, value));
         }
     }
-}
\ No newline at end of file
+}
diff --git a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Authorization/AuthTestController_Tests.cs b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Authorization/AuthTestController_Tests.cs
index 8caf59d0c0..749f3cb12b 100644
--- a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Authorization/AuthTestController_Tests.cs
+++ b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Authorization/AuthTestController_Tests.cs
@@ -2,21 +2,11 @@
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Shouldly;
-using Volo.Abp.AspNetCore.TestBase;
-using Volo.Abp.Autofac;
-using Volo.Abp.MemoryDb;
-using Volo.Abp.Modularity;
 using Volo.Abp.Security.Claims;
 using Xunit;
 
 namespace Volo.Abp.AspNetCore.Mvc.Authorization
 {
-    [DependsOn(
-        typeof(AbpAspNetCoreTestBaseModule),
-        typeof(AbpMemoryDbTestModule),
-        typeof(AbpAspNetCoreMvcModule),
-        typeof(AbpAutofacModule)
-    )]
     public class AuthTestController_Tests : AspNetCoreMvcTestBase
     {
         private readonly FakeUserClaims _fakeRequiredService;
diff --git a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Claims/ClaimsMapTestController_Tests.cs b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Claims/ClaimsMapTestController_Tests.cs
index 154956afdf..146e920d20 100644
--- a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Claims/ClaimsMapTestController_Tests.cs
+++ b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Claims/ClaimsMapTestController_Tests.cs
@@ -2,20 +2,10 @@
 using System.Threading.Tasks;
 using Shouldly;
 using Volo.Abp.AspNetCore.Mvc.Authorization;
-using Volo.Abp.AspNetCore.TestBase;
-using Volo.Abp.Autofac;
-using Volo.Abp.MemoryDb;
-using Volo.Abp.Modularity;
 using Xunit;
 
 namespace Volo.Abp.AspNetCore.Mvc.Security.Claims
 {
-    [DependsOn(
-        typeof(AbpAspNetCoreTestBaseModule),
-        typeof(AbpMemoryDbTestModule),
-        typeof(AbpAspNetCoreMvcModule),
-        typeof(AbpAutofacModule)
-    )]
     public class ClaimsMapTestController_Tests : AspNetCoreMvcTestBase
     {
         private readonly FakeUserClaims _fakeRequiredService;
diff --git a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController.cs b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController.cs
new file mode 100644
index 0000000000..034d11440b
--- /dev/null
+++ b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController.cs
@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace Volo.Abp.AspNetCore.Mvc.Security.Headers
+{
+    public class SecurityHeadersTestController : AbpController
+    {
+        public ActionResult Get()
+        {
+            return Content("OK");
+        }
+    }
+}
diff --git a/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController_Tests.cs b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController_Tests.cs
new file mode 100644
index 0000000000..5902d7cbbe
--- /dev/null
+++ b/framework/test/Volo.Abp.AspNetCore.Mvc.Tests/Volo/Abp/AspNetCore/Mvc/Security/Headers/SecurityHeadersTestController_Tests.cs
@@ -0,0 +1,19 @@
+using System.Linq;
+using System.Threading.Tasks;
+using Shouldly;
+using Xunit;
+
+namespace Volo.Abp.AspNetCore.Mvc.Security.Headers
+{
+    public class SecurityHeadersTestController_Tests : AspNetCoreMvcTestBase
+    {
+        [Fact]
+        public async Task SecurityHeaders_Should_Be_Added()
+        {
+            var responseMessage = await GetResponseAsync("/SecurityHeadersTest/Get");
+            responseMessage.Headers.ShouldContain(x => x.Key == "X-Content-Type-Options" & x.Value.First().ToString() == "nosniff");
+            responseMessage.Headers.ShouldContain(x => x.Key == "X-XSS-Protection" & x.Value.First().ToString() == "1; mode=block");
+            responseMessage.Headers.ShouldContain(x => x.Key == "X-Frame-Options" & x.Value.First().ToString() == "SAMEORIGIN");
+        }
+    }
+}