From 558978162f1b5ddaed8d1b55c610e37458c0f732 Mon Sep 17 00:00:00 2001
From: damienbod
Date: Sun, 14 Jan 2024 11:06:38 +0100
Subject: [PATCH 1/4] Update security headers
---
 .../Server/SecurityHeadersDefinitions.cs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs b/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
index a299ed1..7015494 100644
--- a/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
+++ b/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
@@ -2,15 +2,17 @@
 public static class SecurityHeadersDefinitions
 {
- public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)
+ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
 {
+ ArgumentNullException.ThrowIfNull(idpHost);
+
 var policy = new HeaderPolicyCollection()
 .AddFrameOptionsDeny()
 .AddContentTypeOptionsNoSniff()
 .AddReferrerPolicyStrictOriginWhenCrossOrigin()
 .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
 .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
- .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
+ .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
 .AddContentSecurityPolicy(builder =>
 {
 builder.AddObjectSrc().None();
@@ -24,12 +26,9 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 // due to Blazor
 builder.AddScriptSrc()
- .Self()
- .WithHash256("v8v3RKRPmN4odZ1CWM5gw80QKPCCWMcpNeOmimNL2AA=")
+ // .Self() Add this if you want to use the visual studio debugging tools
+ .WithNonce()
 .UnsafeEval();
-
- // disable script and style CSP protection if using Blazor hot reload
- // if using hot reload, DO NOT deploy with an insecure CSP
 })
 .RemoveServerHeader()
 .AddPermissionsPolicy(builder =>
From e192369f1a9023847b2242201fd79ac079f04230 Mon Sep 17 00:00:00 2001
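Review bot: The new signature declares `string? idpHost` while the body immediately calls `ArgumentNullException.ThrowIfNull(idpHost)`, so the annotation tells callers that null is acceptable and then fails them at runtime instead of at compile time; keep the parameter non-nullable, `public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string idpHost)`, and retain the guard as a defensive runtime check. If an empty or whitespace host must also be rejected before it is presumably interpolated into a CSP source list further down, `ArgumentException.ThrowIfNullOrWhiteSpace(idpHost);` covers both cases (it needs .NET 8, which the hunk does not show). How idpHost is consumed is outside this hunk, and the enclosing class and method continue past its last line.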
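Review bot: The added `// .Self() Add this if you want to use the visual studio debugging tools` line asks developers to hand-edit the policy, which makes it easy for `'self'` to be left in a deployed script-src where it widens the nonce-only allow-list to every same-origin script; the method already receives `isDev`, so gate the debugging exception on that flag instead of a comment, assuming isDev is true only for local development. The builder calls chain in this hunk, so the directive can be held in a local and `Self()` added conditionally. `'unsafe-eval'` remains in the directive and the existing `// due to Blazor` comment already records why, so that is not changed here. The enclosing method starts and ends outside this hunk.
```csharp
                // due to Blazor
                var scriptSrc = builder.AddScriptSrc()
                    .WithNonce()
                    .UnsafeEval();
                if (isDev)
                {
                    // Visual Studio debugging tools need 'self'; never emit it outside development
                    scriptSrc.Self();
                }
                // … unchanged: remainder of the CSP builder lambda …
```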
From: damienbod Date: Sun, 14 Jan 2024 11:08:27 +0100 Subject: [PATCH 2/4] Updated packages --- .../Client/BlazorBffOpenIDConnect.Client.csproj | 6 +++--- .../Server/BlazorBffOpenIDConnect.Server.csproj | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj b/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj index 3a871ad..e5d961c 100644 --- a/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj +++ b/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj @@ -8,10 +8,10 @@ - - + + - + diff --git a/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj b/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj index 10e71b7..5880d16 100644 --- a/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj +++ b/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj @@ -12,9 +12,10 @@ - - + + + From 724ad1c0831c3616bbde477f78fe415aae47aa8d Mon Sep 17 00:00:00 2001 From: damienbod Date: Sun, 14 Jan 2024 11:09:27 +0100 Subject: [PATCH 3/4] update a CSP nonce now --- BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml b/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml index d17a23e..9694c31 100644 --- a/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml +++ b/BlazorBffOpenIdConnect/Server/Pages/_Host.cshtml @@ -2,6 +2,7 @@ @namespace BlazorBffOpenIDConnect.Pages @using BlazorBffOpenIDConnect.Client @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers +@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers @{ Layout = null; } @@ -40,8 +41,8 @@ 🗙 - - + + @Html.AntiForgeryToken() From 6d755c2103e684aa5273fa3ab7219889ef88afe3 Mon Sep 17 00:00:00 2001 
From: damienbod
Date: Sun, 14 Jan 2024 11:13:23 +0100
Subject: [PATCH 4/4] Improve CSP, using nonce
---
 Changelog.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 4036dd3..e9d73d8 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,12 @@
 [Readme](https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template/blob/main/README.md)
+
+**2024-01-14** 3.0.2
+- Improve CSP, using nonce
+- updated packages
+
+
 **2023-12-31** 3.0.1
 - Open redirect protection on login