CSP headers are set for every HTTP response via an action filter in file SecurityHeadersAttribute.cs. The filter is applied via annotations, like in class file Error.cshtml.cs.
However, it is impossible to adapt your CSP headers to your needs. It would be very helpful to provide a means to make it configurable. Unfortunately, filters applied that way are excluded from utilizing Dependency Injection to get some application configuration. See Microsoft documentation on that: https://docs.microsoft.com/en-us/aspnet/core/mvc/controllers/filters?view=aspnetcore-2.2#dependency-injection
As a solution, the filter could be applied differently like in this example at StackOverflow: https://stackoverflow.com/questions/42423194/how-can-i-access-appsettings-from-an-actionfilterattribute-in-asp-net-core.
So basically, this needs to be replaced:
This should work seamlessly but will entitle the class `SecurityHeadersAttribute` to receive configuration data from Dependency Injection via its constructor. By using `ServiceFilter`, the filter will be used as a singleton, so every request uses the same instance and not a separate one. This may be beneficial as no new filter instance is created for every request and then dropped, especially if accessing the configuration is time consuming. See https://stackoverflow.com/questions/43658066/servicefilter-and-typefilter-what-is-the-difference-in-injection-those-filters
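The shape of the change the issue asks for, as an added example that is not the project's own code: a `CspOptions` class bound from configuration, a `SecurityHeadersAttribute` that receives it through constructor injection, a DI registration, and the `[ServiceFilter]` usage that replaces the plain attribute. The `CspOptions` type, its properties, the `"Csp"` configuration section name and the `AddCspFilter` helper are assumptions chosen for illustration.

```csharp
// Added example (not the project's own code): a DI-configurable CSP filter applied via [ServiceFilter].
// CspOptions, its properties, the "Csp" section name and AddCspFilter are assumed names for illustration.
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Bound from appsettings.json, e.g.
// "Csp": { "ContentSecurityPolicy": "default-src 'self'", "ReportOnly": false }
public class CspOptions
{
    // Restrictive default so a missing or empty config section does not silently disable CSP.
    public string ContentSecurityPolicy { get; set; } =
        "default-src 'self'; object-src 'none'; frame-ancestors 'none';";

    // Report-only mode lets a new policy be rolled out without breaking pages.
    public bool ReportOnly { get; set; } = false;
}

public class SecurityHeadersAttribute : ActionFilterAttribute
{
    private readonly CspOptions _options;

    // Constructor injection works because [ServiceFilter] resolves this type from the
    // service provider instead of instantiating it as a plain attribute.
    public SecurityHeadersAttribute(IOptions<CspOptions> options)
    {
        _options = options.Value;
    }

    public override void OnResultExecuting(ResultExecutingContext context)
    {
        var headers = context.HttpContext.Response.Headers;

        var headerName = _options.ReportOnly
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";

        // Do not overwrite a header another component already set for this response.
        if (!headers.ContainsKey(headerName))
        {
            headers.Add(headerName, _options.ContentSecurityPolicy);
        }

        // Hardening headers that do not need to be configurable stay unconditional.
        if (!headers.ContainsKey("X-Content-Type-Options"))
        {
            headers.Add("X-Content-Type-Options", "nosniff");
        }
        if (!headers.ContainsKey("X-Frame-Options"))
        {
            headers.Add("X-Frame-Options", "SAMEORIGIN");
        }
    }
}

// Called from Startup.ConfigureServices: bind the section and register the filter once.
public static class CspServiceCollectionExtensions
{
    public static IServiceCollection AddCspFilter(this IServiceCollection services, IConfiguration configuration)
    {
        services.Configure<CspOptions>(configuration.GetSection("Csp"));
        // Singleton, as the issue describes: one instance serves every request.
        services.AddSingleton<SecurityHeadersAttribute>();
        return services;
    }
}

// Error.cshtml.cs: the DI-aware form that replaces the plain [SecurityHeaders] annotation.
[ServiceFilter(typeof(SecurityHeadersAttribute))]
public class ErrorModel : PageModel
{
    public void OnGet()
    {
    }
}
```

Registering the filter as a singleton is only safe because it holds no per-request state and its single dependency, `IOptions<CspOptions>`, is itself a singleton; a filter that needed scoped services would have to be registered as scoped (or applied with `[TypeFilter]`) to avoid a captive dependency. The `ContainsKey` checks keep the filter from clobbering a CSP header set elsewhere, which is also what you want to look for when verifying the policy in the browser's network tab after the change.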