Merge 7feffa2 into bfc20a0

ssc-sp · Feb 24, 2025 · 8fb3a05 · 8fb3a05
2 parents bfc20a0 + 7feffa2
commit 8fb3a05
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/Portal/src/Datahub.Infrastructure/Services/ReverseProxy/ReverseProxyConfigService.cs b/Portal/src/Datahub.Infrastructure/Services/ReverseProxy/ReverseProxyConfigService.cs
@@ -75,6 +75,7 @@ RouteConfig BuildRoute(string acronym, bool urlRewritingEnabled)
         };
 
         var finalRoute = route.
+            WithTransformResponseHeader("X-Frame-Options", "SAMEORIGIN", append: false).
             WithTransformForwarded().
             WithTransformXForwarded().
             WithTransform(transform => {

diff --git a/Portal/src/Datahub.Portal/Startup.cs b/Portal/src/Datahub.Portal/Startup.cs
@@ -108,11 +108,21 @@ public void ConfigureServices(IServiceCollection services)
         {
             // This lambda determines whether user consent for non-essential cookies is needed for a given request.
             options.CheckConsentNeeded = context => true;
-            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+            options.MinimumSameSitePolicy = SameSiteMode.Strict;
+            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
             // Handling SameSite cookie according to https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
             options.HandleSameSiteCookieCompatibility();
         });
 
+        services.AddSession(options =>
+        {
+            options.Cookie.HttpOnly = true;
+            options.Cookie.IsEssential = true;
+            options.Cookie.SameSite = SameSiteMode.Strict;
+            options.Cookie.Name = ".FSDH.Session";
+            options.IdleTimeout = TimeSpan.FromMinutes(30);
+        });
+
         //required to access existing headers
         services.AddHttpContextAccessor();
         services.AddOptions();
@@ -292,7 +302,8 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILogger<
 
         app.Use(async (context, next) =>
         {
-            context.Response.Headers.Append("X-Frame-Options", "SAMEORIGIN");
+            context.Response.Headers.Append("X-Frame-Options", "DENY");
+            //context.Response.Headers.Append("Content-Security-Policy", "frame-ancestors 'self';");
             await next();
         });