damienbod / aspnetcoreexperiments Goto Github PK

2024-01-14 Updated .NET 8, Blazor uses CSP nonce
2023-11-03 Updated packages, fixed security headers, removed XSS block
2023-06-24 Updated packages, fixed CSP
2023-03-11 Updated .NET 7, updates security headers, Update Microsoft.Identity.web
2022-06-12 Updated nullables, implicit usings, bootstrap 5, packages
2022-06-10 Updated nuget packages and BFF project
2022-02-11 Updated nuget packages and namespaces
2022-01-16 Updated nuget packages, code clean up
2022-01-05 Updated nuget packages
2021-11-21 Updated packages, improved Blazor CSP, removed inline style
2021-11-08 Updated .NET 6 release
2021-10-29 Updated packages
2021-10-02 Updated packages
2021-09-17 Updated .NET 6 packages added mixed auth Blazor & API example
2021-09-15 Updated .NET 6
2021-08-13 Added security headers
2021-08-09 Updated nuget packages

Links

https://github.com/AzureAD/microsoft-identity-web/wiki/multiple-authentication-schemes

https://github.com/AzureAD/microsoft-identity-web/wiki/customization#openidconnectoptions

https://github.com/AzureAD/microsoft-identity-web

https://docs.microsoft.com/en-us/aspnet/core/security/authentication

Security header links

https://securityheaders.com/

https://csp-evaluator.withgoogle.com/

https://www.snigel.com/blog/a-simple-guide-to-coop-coep-corp-and-cors/

https://www.youtube.com/watch?v=J6BZ9IQELNA

https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

dotnet/aspnetcore#34428

https://w3c.github.io/webappsec-trusted-types/dist/spec/

https://web.dev/trusted-types/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit

https://scotthelme.co.uk/coop-and-coep/

https://github.com/OWASP/ASVS

aspnetcoreexperiments's People

Contributors

Stargazers

Watchers

Forkers

poppywood shiv799 anantjaiswal339 wlouwster acheddir robertoborges

aspnetcoreexperiments's Issues

Feature Request: Please add an AngularBffAzureAD example

Please add an AngularBffAzureAD example

thanks

Broken CSP Blazor due to auto generated javascript

I have this problem as well and due to the Javascript created / required by Blazor, the CSP can not be implemented in a good way. The following script is generated:

<script>
var Module; window.__wasmmodulecallback__(); delete window.__wasmmodulecallback__;
</script>

Can the Javascript not be improved? Due to the Blazor Javascript, the CSP for the script-src is defined with

script-src 'self' 'unsafe-inline' 'unsafe-eval'

It would be really cool if this could be improved.

Greetings Damien

Fix Blazor Logout CSP Form needs to allow OIDC redirect URI

Broken CSP in dev due to aspnetcore-browser-refresh.js

Combine JWT and Cookie APIs

Isn't one of the major benefits of using a SPA/Blazor WASM is that you consume the same API as everyone else?

Wouldn't this lead to lots of code duplication? IE: ProductController.cs, JwtProductController.cs?

I think it would be smart if you could use the same controller for JWT and Cookie, and toggle the Antiforgery requirement on and off depending on the caller.

In reference to: https://github.com/damienbod/AspNetCoreExperiments/blob/main/BlazorBffAzureADWithApi/Server/Controllers/MyApiJwtProtectedController.cs

Can you use this.jSRuntime.InvokeAsync inside DelegatingHandler?

I want to add a typed client here https://github.com/damienbod/AspNetCoreExperiments/blob/main/BlazorBffAzureADWithApi/Client/Program.cs#L25

But I cant because my clients must be created with IAntiforgeryHttpClientFactory so that IJSRuntime can work.

Would it work to use DelegatingHandler instead and that way any typed clients inherit that ability?

IE:

builder.Services
  .AddHttpClient("authorizedClient", client =>
  {
      client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress);
      client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
  })
  .AddTypedClient<IGitHubAPIClient>() // Will not pass antiforgery token!!! Must be created with IAntiforgeryHttpClientFactory!!! <---------
  .AddHttpMessageHandler<AuthorizedHandler>();

builder.Services.AddTransient(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("default"));
builder.Services.AddTransient<IAntiforgeryHttpClientFactory, AntiforgeryHttpClientFactory>();

damienbod / aspnetcoreexperiments Goto Github PK

aspnetcoreexperiments's Introduction

ASP.NET Core

Blazor .NET 8 BFF WASM & server(BlazorHosted.Server to start)

ASP.NET Core 8 Razor (AspNetCoreRazor)

ASP.NET Core 8 Razor mutliple tenants (AspNetCoreRazorMultiClients)

Blazor .NET 8 BFF WASM & server(BlazorHosted.Server to start) & API secured with JWT

History

Links

Security header links

aspnetcoreexperiments's People

Contributors

Stargazers

Watchers

Forkers

aspnetcoreexperiments's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs