a79d8282dc
- 15 Controller-Klassen ersetzen Minimal APIs in Program.cs - Repository Pattern mit Interfaces + Implementierungen (Project, Task, Activity, User) - AuthService verwendet jetzt IUserRepository statt direktem DbContext-Zugriff - SecurityHeadersMiddleware als eigenständige Middleware-Klasse - PathSecurityHelper als gemeinsamer Helper für Pfadvalidierung - DTOs in eigenem Namespace Nexus.Api.DTOs - EF-Entities in Nexus.Api.Data (vorher Nexus.Api.Domain) - Program.cs auf DI-Registrierung + Middleware reduziert - Alle 43 Endpoints unverändert erhalten - Build + 3/3 Tests erfolgreich
namespace Nexus.Api.Middleware;
/// <summary>
/// Adds a fixed set of browser security headers to every response before the
/// rest of the pipeline runs.
/// </summary>
/// <remarks>
/// The headers are written before <c>next</c> is invoked, so a downstream component
/// that assigns the same header wins; if that ever matters, the values would have to
/// be applied from <c>HttpResponse.OnStarting</c> instead.
/// Strict-Transport-Security is only emitted outside the Development environment.
/// Unlike the framework's <c>UseHsts()</c>, nothing here inspects the request scheme
/// or excludes loopback hosts; browsers ignore HSTS received over plain HTTP, so this
/// mainly matters when TLS is terminated in front of the app (confirm forwarded-headers
/// handling for that deployment).
/// </remarks>
/// <param name="next">The next delegate in the request pipeline.</param>
public sealed class SecurityHeadersMiddleware(RequestDelegate next)
{
    private const string HstsValue = "max-age=31536000; includeSubDomains";

    // 'unsafe-inline' on style-src relaxes the policy: inline CSS that ends up in a page
    // is still permitted. Scripts remain restricted to same-origin files.
    private const string CspValue = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

    /// <summary>
    /// Writes the security headers onto the response of <paramref name="context"/> and
    /// then hands the request to the next component.
    /// </summary>
    /// <param name="context">The current request context.</param>
    public async Task InvokeAsync(HttpContext context)
    {
        var hostEnvironment = context.RequestServices.GetRequiredService<IHostEnvironment>();
        ApplyHeaders(context, hostEnvironment.IsDevelopment());
        await next(context);
    }

    // Values are assigned in a fixed order. HSTS is skipped in Development, presumably so
    // that a local http:// session never pins the browser to HTTPS for that host.
    private static void ApplyHeaders(HttpContext context, bool isDevelopment)
    {
        var responseHeaders = context.Response.Headers;

        if (!isDevelopment)
        {
            responseHeaders["Strict-Transport-Security"] = HstsValue;
        }

        responseHeaders["X-Content-Type-Options"] = "nosniff";
        responseHeaders["Content-Security-Policy"] = CspValue;
        // X-Frame-Options is the legacy clickjacking control; the CSP above carries no
        // frame-ancestors directive, so this header is what blocks framing here.
        responseHeaders["X-Frame-Options"] = "DENY";
        responseHeaders["Referrer-Policy"] = "strict-origin-when-cross-origin";
    }
}
/// <summary>
/// Registration helper for <see cref="SecurityHeadersMiddleware"/>.
/// </summary>
public static class SecurityHeadersMiddlewareExtensions
{
    /// <summary>
    /// Inserts <see cref="SecurityHeadersMiddleware"/> at the current position in the
    /// pipeline. Register it early (before static files and endpoints) so the headers
    /// are present on every response, including error responses produced further down.
    /// </summary>
    /// <param name="builder">The application builder to extend.</param>
    /// <returns>The builder returned by <c>UseMiddleware</c>, for chaining.</returns>
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder builder)
    {
        return builder.UseMiddleware<SecurityHeadersMiddleware>();
    }
}