diff --git a/bitwarden_license/src/Sso/Startup.cs b/bitwarden_license/src/Sso/Startup.cs
index 4a824e8f9f..0abfeaf852 100644
--- a/bitwarden_license/src/Sso/Startup.cs
+++ b/bitwarden_license/src/Sso/Startup.cs
@@ -95,6 +95,9 @@ namespace Bit.Sso
 
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (!env.IsDevelopment())
 {
 var uri = new Uri(globalSettings.BaseServiceUri.Sso);
diff --git a/src/Admin/Startup.cs b/src/Admin/Startup.cs
index 69d88ad9de..285a35ad3b 100644
--- a/src/Admin/Startup.cs
+++ b/src/Admin/Startup.cs
@@ -115,6 +115,9 @@ namespace Bit.Admin
 {
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (globalSettings.SelfHosted)
 {
 app.UsePathBase("/admin");
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 6e1b293c93..367152444a 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -169,6 +169,9 @@ namespace Bit.Api
 IdentityModelEventSource.ShowPII = true;
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 // Default Middleware
 app.UseDefaultMiddleware(env, globalSettings);
 
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index f50c169af8..237b826a7b 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -82,6 +82,9 @@ namespace Bit.Billing
 {
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (env.IsDevelopment())
 {
 app.UseDeveloperExceptionPage();
diff --git a/src/Core/Utilities/SecurityHeadersMiddleware.cs b/src/Core/Utilities/SecurityHeadersMiddleware.cs
new file mode 100644
index 0000000000..2f11ee3315
--- /dev/null
+++ b/src/Core/Utilities/SecurityHeadersMiddleware.cs
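Review bot: The added line `app.UseMiddleware();` carries no middleware type, and the non-generic `UseMiddleware` overload requires a `Type` argument, so the line as shown would not compile; most likely the `<SecurityHeadersMiddleware>` type argument was stripped with the angle brackets when the diff was rendered, which is worth confirming against the actual commit. The same line appears in the Admin, Api, Billing, Events, EventsProcessor, Icons, Identity and Notifications Startup hunks. In the Billing, Events, Icons and Notifications hunks the middleware is registered ahead of `UseDeveloperExceptionPage`, and that page rewrites the response when it handles an exception, so in Development the headers written earlier in the pipeline may not reach the client on error responses; if that matters, registering the security-headers middleware first, or having it apply the headers from a `Response.OnStarting` callback, avoids it. The enclosing `Configure` method starts and ends outside every one of these hunks.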
@@ -0,0 +1,30 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Primitives;
+
+namespace Bit.Core.Utilities
+{
+ public sealed class SecurityHeadersMiddleware
+ {
+ private readonly RequestDelegate _next;
+
+ public SecurityHeadersMiddleware(RequestDelegate next)
+ {
+ _next = next;
+ }
+
+ public Task Invoke(HttpContext context)
+ {
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ context.Response.Headers.Add("x-frame-options", new StringValues("SAMEORIGIN"));
+
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ context.Response.Headers.Add("x-xss-protection", new StringValues("1; mode=block"));
+
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ context.Response.Headers.Add("x-content-type-options", new StringValues("nosniff"));
+
+ return _next(context);
+ }
+ }
+}
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index c4f07b8436..94d2d83d45 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
@@ -90,6 +90,9 @@ namespace Bit.Events
 {
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (env.IsDevelopment())
 {
 app.UseDeveloperExceptionPage();
diff --git a/src/EventsProcessor/Startup.cs b/src/EventsProcessor/Startup.cs
index eeedd3b982..247192b897 100644
--- a/src/EventsProcessor/Startup.cs
+++ b/src/EventsProcessor/Startup.cs
@@ -43,6 +43,8 @@ namespace Bit.EventsProcessor
 {
 IdentityModelEventSource.ShowPII = true;
 app.UseSerilog(env, appLifetime, globalSettings);
+ // Add general security headers
+ app.UseMiddleware();
 app.UseRouting();
 app.UseEndpoints(endpoints =>
 {
diff --git a/src/Icons/Startup.cs b/src/Icons/Startup.cs
index 27936d2c34..1d53d34c26 100644
--- a/src/Icons/Startup.cs
+++ b/src/Icons/Startup.cs
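Review bot: `IHeaderDictionary.Add` throws `ArgumentException` when the key is already present, so the three `context.Response.Headers.Add(...)` calls in `Invoke` will fault any request on which another component has already set one of these headers (ASP.NET Core's antiforgery support sets `X-Frame-Options: SAMEORIGIN` itself unless suppressed, I believe), and a header middleware should never be the thing that turns a page into a 500; the indexer form `context.Response.Headers["x-frame-options"] = "SAMEORIGIN";` is idempotent and avoids that. The headers are also written before `_next` runs, so any downstream handler that clears the response (the developer exception page does this when it renders an error) silently drops them; registering them from `Response.OnStarting` applies them at the moment the response is committed, whatever happened in between. Separately, the linked MDN page for `X-XSS-Protection` now advises against enabling the legacy auditor (the recommended value is `0`, with `Content-Security-Policy` as the replacement) because the auditor has itself been a source of cross-site information leaks, so the `1; mode=block` value is worth revisiting rather than carrying forward. Rewritten `Invoke` below; the rest of the class is unchanged.
```csharp
public Task Invoke(HttpContext context)
{
    // Apply the headers when the response is about to be sent rather than up front:
    // the indexer overwrites instead of throwing on a duplicate key, and an
    // OnStarting callback survives a downstream Response.Clear().
    context.Response.OnStarting(state =>
    {
        var headers = ((HttpContext)state).Response.Headers;

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        headers["x-frame-options"] = "SAMEORIGIN";

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        // NOTE(review): MDN now recommends "0"; value kept as in the original pending a decision.
        headers["x-xss-protection"] = "1; mode=block";

        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
        headers["x-content-type-options"] = "nosniff";

        return Task.CompletedTask;
    }, context);

    return _next(context);
}
```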
@@ -56,6 +56,9 @@ namespace Bit.Icons
 {
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (env.IsDevelopment())
 {
 app.UseDeveloperExceptionPage();
diff --git a/src/Identity/Startup.cs b/src/Identity/Startup.cs
index a3d03b2957..1c27df6767 100644
--- a/src/Identity/Startup.cs
+++ b/src/Identity/Startup.cs
@@ -150,6 +150,9 @@ namespace Bit.Identity
 
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (!env.IsDevelopment())
 {
 var uri = new Uri(globalSettings.BaseServiceUri.Identity);
diff --git a/src/Notifications/Startup.cs b/src/Notifications/Startup.cs
index e6d82617ea..9cad57cd05 100644
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@@ -91,6 +91,9 @@ namespace Bit.Notifications
 IdentityModelEventSource.ShowPII = true;
 app.UseSerilog(env, appLifetime, globalSettings);
 
+ // Add general security headers
+ app.UseMiddleware();
+
 if (env.IsDevelopment())
 {
 app.UseDeveloperExceptionPage();