Security Headers

6 years ago · 68026ccf22
parent 550125a5f5
commit 68026ccf22
29 changed files with 20 additions and 9 deletions
--- a/GCI.PortalCondomino/Web.config
+++ b/GCI.PortalCondomino/Web.config
@ -44,8 +44,8 @@
  -->
  <system.web>
    <authentication mode="None" />
-    <compilation targetFramework="4.6.1" />
-    <httpRuntime targetFramework="4.5" />
+    <compilation targetFramework="4.7.2" />
+    <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
@ -58,6 +58,17 @@
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
+    <httpProtocol>
+      <customHeaders>
+        <remove name="X-Powered-By" />
+        <add name="X-Content-Type-Options" value="nosniff" />
+        <add name="X-Xss-Protection" value="1; mode=block" />
+        <add name="Referrer-Policy" value="no-referrer" />
+        <add name="X-Permitted-Cross-Domain-Policies" value="none" />
+        <add name="Feature-Policy" value="accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" />
+        <add name="Content-Security-Policy" value="default-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' *.googleapis.com; script-src-elem 'self' 'unsafe-inline' *.google.com *.gstatic.com; font-src 'self' fonts.gstatic.com; img-src 'self' data:; frame-src 'self' *.google.com" />
+      </customHeaders>
+    </httpProtocol>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
--- a/GCI.PortalCondomino/bin/GCI.Controllers.dll
+++ b/GCI.PortalCondomino/bin/GCI.Controllers.dll
--- a/GCI.PortalCondomino/bin/GCI.Controllers.pdb
+++ b/GCI.PortalCondomino/bin/GCI.Controllers.pdb
--- a/GCI.PortalCondomino/bin/GCI.DAL.dll
+++ b/GCI.PortalCondomino/bin/GCI.DAL.dll
--- a/GCI.PortalCondomino/bin/GCI.DAL.pdb
+++ b/GCI.PortalCondomino/bin/GCI.DAL.pdb
--- a/GCI.PortalCondomino/bin/GCI.DTO.dll
+++ b/GCI.PortalCondomino/bin/GCI.DTO.dll
--- a/GCI.PortalCondomino/bin/GCI.DTO.pdb
+++ b/GCI.PortalCondomino/bin/GCI.DTO.pdb
--- a/GCI.PortalCondomino/bin/GCI.Documents.dll
+++ b/GCI.PortalCondomino/bin/GCI.Documents.dll
--- a/GCI.PortalCondomino/bin/GCI.Documents.pdb
+++ b/GCI.PortalCondomino/bin/GCI.Documents.pdb
--- a/GCI.PortalCondomino/bin/GCI.Entities.dll
+++ b/GCI.PortalCondomino/bin/GCI.Entities.dll
--- a/GCI.PortalCondomino/bin/GCI.Entities.pdb
+++ b/GCI.PortalCondomino/bin/GCI.Entities.pdb
--- a/GCI.PortalCondomino/bin/GCI.PortalCondominio.DAL.dll
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondominio.DAL.dll
--- a/GCI.PortalCondomino/bin/GCI.PortalCondominio.DAL.pdb
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondominio.DAL.pdb
--- a/GCI.PortalCondomino/bin/GCI.PortalCondominio.Services.dll
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondominio.Services.dll
--- a/GCI.PortalCondomino/bin/GCI.PortalCondominio.Services.pdb
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondominio.Services.pdb
--- a/GCI.PortalCondomino/bin/GCI.PortalCondomino.Entities.dll
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondomino.Entities.dll
--- a/GCI.PortalCondomino/bin/GCI.PortalCondomino.Entities.pdb
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondomino.Entities.pdb
--- a/GCI.PortalCondomino/bin/GCI.PortalCondomino.dll
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondomino.dll
--- a/GCI.PortalCondomino/bin/GCI.PortalCondomino.pdb
+++ b/GCI.PortalCondomino/bin/GCI.PortalCondomino.pdb
--- a/GCI.PortalCondomino/bin/GCI.UTL.dll
+++ b/GCI.PortalCondomino/bin/GCI.UTL.dll
--- a/GCI.PortalCondomino/bin/GCI.UTL.pdb
+++ b/GCI.PortalCondomino/bin/GCI.UTL.pdb
--- a/GCI.PortalCondomino/bin/Microsoft.IdentityModel.Logging.dll
+++ b/GCI.PortalCondomino/bin/Microsoft.IdentityModel.Logging.dll
--- a/GCI.PortalCondomino/bin/Microsoft.IdentityModel.Tokens.dll
+++ b/GCI.PortalCondomino/bin/Microsoft.IdentityModel.Tokens.dll
--- a/GCI.PortalCondomino/bin/NWebsec.Core.dll
+++ b/GCI.PortalCondomino/bin/NWebsec.Core.dll
--- a/GCI.PortalCondomino/bin/SimpleInjector.Integration.Web.Mvc.dll
+++ b/GCI.PortalCondomino/bin/SimpleInjector.Integration.Web.Mvc.dll
--- a/GCI.PortalCondomino/bin/SimpleInjector.Integration.Web.dll
+++ b/GCI.PortalCondomino/bin/SimpleInjector.Integration.Web.dll
--- a/GCI.PortalCondomino/bin/SimpleInjector.Integration.WebApi.dll
+++ b/GCI.PortalCondomino/bin/SimpleInjector.Integration.WebApi.dll
--- a/GCI.PortalCondomino/bin/SimpleInjector.dll
+++ b/GCI.PortalCondomino/bin/SimpleInjector.dll
--- a/GCI.PortalCondomino/packages.config
+++ b/GCI.PortalCondomino/packages.config
@ -17,8 +17,8 @@
  <package id="Microsoft.CodeAnalysis.VersionCheckAnalyzer" version="2.9.8" targetFramework="net461" developmentDependency="true" />
  <package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.1" targetFramework="net461" />
  <package id="Microsoft.CodeQuality.Analyzers" version="2.9.8" targetFramework="net461" developmentDependency="true" />
-  <package id="Microsoft.IdentityModel.Logging" version="5.6.0" targetFramework="net461" />
-  <package id="Microsoft.IdentityModel.Tokens" version="5.6.0" targetFramework="net461" />
+  <package id="Microsoft.IdentityModel.Logging" version="6.5.0" targetFramework="net461" />
+  <package id="Microsoft.IdentityModel.Tokens" version="6.5.0" targetFramework="net461" />
  <package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.11" targetFramework="net461" />
  <package id="Microsoft.NetCore.Analyzers" version="2.9.8" targetFramework="net461" developmentDependency="true" />
  <package id="Microsoft.NetFramework.Analyzers" version="2.9.8" targetFramework="net461" developmentDependency="true" />
@ -30,7 +30,7 @@
  <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net452" />
  <package id="Modernizr" version="2.8.3" targetFramework="net452" />
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net461" />
-  <package id="NWebsec.Core" version="3.0.0" targetFramework="net461" />
+  <package id="NWebsec.Core" version="3.0.1" targetFramework="net461" />
  <package id="NWebsec.Owin" version="4.0.0" targetFramework="net461" />
  <package id="Owin" version="1.0" targetFramework="net452" />
  <package id="Respond" version="1.4.2" targetFramework="net452" />
@ -38,10 +38,10 @@
  <package id="Serilog.Settings.AppSettings" version="2.2.2" targetFramework="net461" />
  <package id="Serilog.Sinks.File" version="4.1.0" targetFramework="net461" />
  <package id="SerilogAnalyzer" version="0.15.0.0" targetFramework="net461" />
-  <package id="SimpleInjector" version="4.9.0" targetFramework="net461" />
-  <package id="SimpleInjector.Integration.Web" version="4.9.0" targetFramework="net461" />
-  <package id="SimpleInjector.Integration.Web.Mvc" version="4.9.0" targetFramework="net461" />
-  <package id="SimpleInjector.Integration.WebApi" version="4.9.0" targetFramework="net461" />
+  <package id="SimpleInjector" version="4.9.2" targetFramework="net461" />
+  <package id="SimpleInjector.Integration.Web" version="4.9.2" targetFramework="net461" />
+  <package id="SimpleInjector.Integration.Web.Mvc" version="4.9.2" targetFramework="net461" />
+  <package id="SimpleInjector.Integration.WebApi" version="4.9.2" targetFramework="net461" />
  <package id="toastr" version="2.1.1" targetFramework="net452" />
  <package id="WebGrease" version="1.6.0" targetFramework="net452" />
 </packages>