aspnetcore-security-headers icon indicating copy to clipboard operation
aspnetcore-security-headers copied to clipboard
verified publisher icon juunas11

Add a tag helper to automatically put SHA hash into CSP - alternative to nonce

Open shand-obs opened this issue 6 years ago • 2 comments

It would be great if any inline script tag could be annotate with an attribute something like "asp-csp-hash". This could be implemented as a tag helper that automatically calculates the SHA hash of the script contents and adds to the CSP response header.

I don't know if it's too late to update the response header by this point in the middleware. I was thinking it could be done when the middleware stack unwinds if the response hasn't been sent yet.

shand-obs avatar Oct 11 '19 19:10 shand-obs

Yeah, it might be :) I'm not really sure how you'd implement that though since you'd have to somehow resolve the script content about to be sent, calculate the hash, and add it.

juunas11 avatar Oct 24 '19 18:10 juunas11

I am not expert but look like https://github.com/jrestall/BasicMiddleware/tree/jrestall/csp/src/Microsoft.AspNetCore.Mvc.Csp might help. Please check TagHelper folder.

iamrahul127 avatar Jan 17 '20 06:01 iamrahul127