Piranha middleware breaks response headers. #1899
My guess is that the problem is within that calls the static file middleware at the beginning of the pipeline, so it runs before your own middleware.

piranha.core/core/Piranha.AspNetCore/Hosting/PiranhaStartupFilter.cs Lines 32 to 37 in 32fb288

Maybe you could try and implement your own

```csharp
var builder = WebApplication.CreateBuilder(args);
// Register the custom startup filter before Piranha is added.
builder.Services.AddTransient<IStartupFilter, MySecurityStartupFilter>();
builder.AddPiranha(options =>
{
    options.UseCms();
    ...
```

Where

```csharp
class MySecurityStartupFilter : IStartupFilter
{
    public Action<IApplicationBuilder> Configure(Action<IApplicationBuilder> next)
    {
        return builder =>
        {
            // Add the security headers, then hand the request to the rest of the pipeline.
            builder.Use(async (context, next) =>
            {
                context.Response.Headers.Add("Content-Security-Policy", "default-src 'self';");
                context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
                context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
                context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
                await next.Invoke();
            });
            // Let the remaining startup filters and the application configure the pipeline.
            next(builder);
        };
    }
}
```
This initialization code correctly adds the specified security headers to all responses.
This same code with minimal Piranha initialization code does not work. The security headers are correctly added for page requests, but for all other requests (e.g. css, scripts, images and all other resources) the headers are not added.
Seems like a bug to me.
Full working repo here
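
The ordering effect discussed in this thread, as an added C# example that is not code from the issue or from Piranha: it composes two startup filters the way the ASP.NET Core host does (the first one registered ends up outermost) and checks which requests receive a header. The `Filter` record, the `/assets` prefix and the short-circuiting stand-in for static file serving are hypothetical; it assumes a .NET 6 or later project that references the `Microsoft.AspNetCore.App` framework.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Constructed stand-in for header-setting middleware.
var headers = new Filter(async (ctx, rest) =>
{
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await rest(ctx);
});
// Constructed stand-in for static file serving: answers /assets/* and ends the request.
var staticFiles = new Filter(async (ctx, rest) =>
{
    if (ctx.Request.Path.StartsWithSegments("/assets")) { await ctx.Response.WriteAsync("css"); return; }
    await rest(ctx);
});

foreach (var path in new[] { "/", "/assets/site.css" })
{
    var first = await HasHeader(new IStartupFilter[] { headers, staticFiles }, path);
    var last = await HasHeader(new IStartupFilter[] { staticFiles, headers }, path);
    Console.WriteLine($"{path}: header filter registered first={first}, registered last={last}");
}

// Wrap the application pipeline in the filters, last registered innermost, then run one request.
static async Task<bool> HasHeader(IStartupFilter[] filters, string path)
{
    var services = new ServiceCollection().BuildServiceProvider();
    Action<IApplicationBuilder> configure = app => app.Run(c => c.Response.WriteAsync("page"));
    foreach (var filter in Enumerable.Reverse(filters)) configure = filter.Configure(configure);
    var builder = new ApplicationBuilder(services);
    configure(builder);
    var context = new DefaultHttpContext { RequestServices = services };
    context.Request.Path = path;
    await builder.Build()(context);
    return context.Response.Headers.ContainsKey("X-Content-Type-Options");
}

// Hypothetical helper: a startup filter that adds one middleware ahead of everything after it.
record Filter(Func<HttpContext, RequestDelegate, Task> Middleware) : IStartupFilter
{
    public Action<IApplicationBuilder> Configure(Action<IApplicationBuilder> next) =>
        app => { app.Use(Middleware); next(app); };
}
```

Running the same check against a real deployment (one page URL and one static asset URL) shows whether the security headers cover both kinds of response.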