Add a more strict default (#204)

* Add a more strict default

* Updated default headers

* remove from the defaults

* fix tests

* Add header

* Update tests

* improve tests, new headers in API defaults

* Update default settings for UI

src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs

@@ -35,7 +35,7 @@ public static HeaderPolicyCollection Copy(this IReadOnlyHeaderPolicyCollection p
     /// <summary>
     /// Add default headers in accordance with the most secure approach
     /// </summary>
-    /// <param name="policies">The <see cref="HeaderPolicyCollection" /> to add the deafult security header policies too</param>
+    /// <param name="policies">The <see cref="HeaderPolicyCollection" /> to add the default security header policies too</param>
     /// <returns>The <see cref="HeaderPolicyCollection" /> for method chaining</returns>
     public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicyCollection policies)
     {
@@ -51,6 +51,9 @@ public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicy
             builder.AddFrameAncestors().None();
         });
         policies.AddCrossOriginOpenerPolicy(x => x.SameOrigin());
+        policies.AddCrossOriginEmbedderPolicy(builder => builder.Credentialless());
+        policies.AddCrossOriginResourcePolicy(builder => builder.SameSite());
+
         return policies;
     }
 
@@ -80,6 +83,11 @@ public static HeaderPolicyCollection AddDefaultApiSecurityHeaders(this HeaderPol
         // The following are generally not applicable, but still worth applying for safety
         policies.AddReferrerPolicyNoReferrer();
         policies.AddPermissionsPolicyWithDefaultSecureDirectives();
+
+        policies.AddCrossOriginOpenerPolicy(builder => builder.SameOrigin());
+        policies.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp());
+        policies.AddCrossOriginResourcePolicy(builder => builder.SameSite());
+
         return policies;
     }
 }

test/NetEscapades.AspNetCore.SecurityHeaders.Test/HeaderAssertionHelpers.cs

@@ -21,6 +21,8 @@ public static void AssertHttpRequestDefaultSecurityHeaders(this HttpResponseHead
         header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
         headers.Should().ContainKey("Cross-Origin-Opener-Policy")
             .WhoseValue.Should().ContainSingle("same-origin");
+        headers.Should().ContainKey("Cross-Origin-Resource-Policy")
+            .WhoseValue.Should().ContainSingle("same-origin");
 
         Assert.False(headers.Contains("Server"),
             "Should not contain server header");
@@ -42,6 +44,8 @@ public static void AssertSecureRequestDefaultSecurityHeaders(this HttpResponseHe
         header.Should().Be("object-src 'none'; form-action 'self'; frame-ancestors 'none'");
         headers.Should().ContainKey("Cross-Origin-Opener-Policy")
             .WhoseValue.Should().ContainSingle("same-origin");
+        headers.Should().ContainKey("Cross-Origin-Resource-Policy")
+            .WhoseValue.Should().ContainSingle("same-origin");
 
         Assert.False(headers.Contains("Server"),
             "Should not contain server header");
@@ -59,6 +63,12 @@ public static void AssertHttpRequestDefaultApiSecurityHeaders(this HttpResponseH
             .WhoseValue.Should().ContainSingle("no-referrer");
         headers.Should().ContainKey("Permissions-Policy")
             .WhoseValue.Should().ContainSingle(PermissionsPolicyHeaderExtensions.DefaultSecurePolicy);
+        headers.Should().ContainKey("Cross-Origin-Opener-Policy")
+           .WhoseValue.Should().ContainSingle("same-origin");
+        headers.Should().ContainKey("Cross-Origin-Embedder-Policy")
+           .WhoseValue.Should().ContainSingle("require-corp");
+        headers.Should().ContainKey("Cross-Origin-Resource-Policy")
+            .WhoseValue.Should().ContainSingle("same-site");
 
         Assert.False(headers.Contains("Server"),
             "Should not contain server header");