Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • utilityLA 7 posts 96 karma points
    Apr 19, 2024 @ 11:00
    utilityLA
    0

    Separate content security policies for the frontend and back office in Umbraco 12

    Hi all,

    I'm stumped. I've seen folks with similar issues on the forum, but I've had trouble leveraging those threads for my own case. I'm really new to Umbraco. Here's the middleware class we are using to implement our content security policy. Is there a way to have some kind of conditional that allows us to set different response headers for the frontend and back office. Currently, our back office is unavailable because it violates the csp, so we'd like it to have it's own csp so we can access it again.

    namespace FakeNamespace {
    public sealed class CustomHeaders
    {
        private readonly RequestDelegate _next;
    
        public CustomHeaders(RequestDelegate next)
        {
            _next = next;
        }
    
        public async Task InvokeAsync(HttpContext context)
        {
            context.Response.Headers.Add("Access-Control-Allow-Origin", "domain");
            context.Response.Headers.Add("Cache-Control", "stuff");
            context.Response.Headers.Add("X-Content-Type-Options", "stuff");
            context.Response.Headers.Add("X-Frame-Options", "stuff");
            context.Response.Headers.Add("X-Xss-Protection", "stuff");
            context.Response.Headers.Add("Content-Security-Policy", "stuff");
    
            await _next(context);
        }
    }}
    

    This is added to startup.cs like so:

    app.UseMiddleware<CustomHeaders>();
    app.UseUmbraco()
    ....
    
  • Marc Goodson 2149 posts 14354 karma points MVP 9x c-trib
    Apr 19, 2024 @ 19:03
    Marc Goodson
    100

    Hi utilityLA

    I fear I'm sending you a link you might have already seen.

    https://our.umbraco.com/forum/using-umbraco-and-getting-started/110495-backoffice-specific-csp-in-v9plus

    But in dot net core you can use 'UseWhen' to set a condition for when to action some middleware, so if the request is not beginning with /umbraco you can use your front end csp and otherwise apply your backoffice csp..

    Regards

    Marc

  • utilityLA 7 posts 96 karma points
    Apr 24, 2024 @ 05:05
    utilityLA
    0

    Thank you for directing me to this Marc. This was helpful.

Please Sign in or register to post replies

Write your reply to:

Draft