CSP: we’re not there, yet.

Reading Time: 3 minutes

CSP, or Content Security Policy, is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. In short, you can add this policy using either a <meta> tag or by setting additional headers in your HTTP response, and using the policy you’ll limit the origins for resources for that HTTP request. For example:

  • script-src ‘self’ allows loading scripts from the current domain
  • child-src https://youtube.com allows the use of <iframe> tags pointing towards YouTube
  • style-src ‘self’ https://maxcdn.bootstrapcdn.com allows loading CSS files from the current source and from a CDN.

If you want to read up on CSP, I suggest heading over to http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Now, I was trying out some things concerning CSP and inline scripts. You could add ‘unsafe-inline’ to the script-src source list to allow all inline scripting (except eval and other bad stuff, you need ‘unsafe-eval’ in that case), but that is exactly what you would want to avoid. Instead, you can opt to do one of these things:

  1. Move all inline JavaScript into .js files and load them using <script src=””></script> tags, while adding ‘self’ to script-src if that wasn’t already the case. The easiest solution, but not always possible.
  2. Generate a nonce for each inline script. A nonce means: a unique and hard to predict stream of bytes, different for each script, each page and each request!
    A nonce could be base64 encoded and look like RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=
    You would need to add that nonce to the script using the nonce attribute, and also to the script-src source list using ‘nonce-RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=’
  3. Calculate the SHA256, SHA384 or SHA512 digest of each inline script (including all whitespace, but excluding the opening and closing script tags). Like the nonce, you’d need to add these digests to the script-src source list using ‘sha256-0ZMofb7eMqkB9IFHnGVZ6Z4chjplAavgi09shinNehs=’ for example.

Continue reading “CSP: we’re not there, yet.”

Writing a custom TagHelper in ASP.NET 5

Reading Time: 6 minutes

ASP.NET 5 brings some new features to MVC. One of these features is TagHelpers, which allow us to add new attributes to HTML tags (or create custom tags altogether) to add behavior to these tags. At this moment – beta8 – we receive the following TagHelpers out of the box:

– AnchorTagHelper: allows you to write <a asp-controller=”Home” asp-action=”Index”>Back to home</a> instead of @Html.ActionLink(“Back to home”, “Index”, “Home”)
– LabelTagHelper, InputTagHelper, TextAreaTagHelper, SelectTagHelper, etc.: instead of writing Razor like @Html.LabelFor(m => m.Property1, new { @class = “control-label col-md-2”}), you can use a syntax which is much cleaner: <label asp-for=”Property1″ class=”control-label col-md-2″></label>
– EnvironmentTagHelper: adds a new tag, <environment>, giving you the possibility to include <link> or <script> tags specific for Development or Production environments.
– LinkTagHelper, ScriptTagHelper: adds attributes to <link> and <script> to allow the use of CDN’s and fallback urls.

This list is incomplete, but you can head over to GitHub to see every available TagHelper class currently available.

You can also create your own TagHelper classes. I’ll show you an example which enables you to do this:

That img tag would load a users profile image using the ProfileImage action method in a UsersController class: userful for retrieving a profile image from a blob container on Azure, for example.

Continue reading “Writing a custom TagHelper in ASP.NET 5”

Global Azure Bootcamp – Aftermath

Reading Time: 2 minutes

It’s been almost a month now since the last edition of Global Azure Bootcamp, and I wanted to share with you some of the details of my involvement in this years edition. This year, we had two labs in which you could participate: a racing and a science lab. And I helped out with some aspects behind the workings of the science lab: the Elasticsearch cluster and the dashboard website.

For this lab, all you had to do was to deploy a cloud service to Azure and scale it up to as many instances as you could spare. These instances would then crunch a lot of data concerning breast cancer research. After the results from your cloud instances were uploaded, they would eventually end up in the Elasticsearch cluster.

Continue reading “Global Azure Bootcamp – Aftermath”

Cors.ConfigProfiles is here!

Reading Time: 1

After working on my previous blog post, where I had to use the EnableCorsAttribute, I thought: “Why can’t I make profiles for this in the web.config file, like you can for the OutputCacheAttribute?”

Enter my brand new, shiny NuGet package: Cors.ConfigProfiles! It enables you to use the EnableCorsAttribute just like you normally would, but you can also just give it one string parameter which then matches a profile inside the web.config file. So, for example, if you put this attribute on an API controller:

Then you can configure that profile in web.config like so:

And if you want to contribute or just inspect what I did (no unicorns involved though), the code is available on GitHub.


Adding an MVC layer on top of a Web API backend

Reading Time: 8 minutes

It might just be me, but I don’t seem to find a lot of examples out there showing how you can have an ASP.NET MVC website as a front end application using a Web API project as the backend service. Especially so when your front end is as basic as possible: I don’t want to end up storing user data twice because I need to request OAuth tokens and store refresh tokens and so on…

If you want to dive into the code that I’ve produced, you can head straight to GitHub and fetch it 🙂
For more explanation, read on.

Continue reading “Adding an MVC layer on top of a Web API backend”

Securing your Controllers with Attribute’s

Reading Time: 1

Today, while working on an ASP.NET MVC site, I wanted to do something special when securing a controller with the AuthorizeAttribute class:

Initially, Administrator and Management where static readonly instances of the Role class. The Or extension method would combine their internal names together in a new Role instance. Finally, because of the overridden ToString method, the Roles property would receive the correct end result. However, when compiling, attributes must know their exact value. Read: constant value. So I couldn’t assign Role instances at all.
Also, having to end with a ToString() call didn’t seem like a nice thing to do either.

So, back to the drawing board. This time, inside my Role class, I decided to declare my known roles as const string. But then I still can’t use that Or extension method, because that would – again – result in a non-constant expression. I can, however, do this:

Roles is a custom attribute, and is very simple indeed:

So now, you can specify as many roles as you like. And I’m quite happy with this.
But @chrissie pointed me towards www.fluentsecurity.net, which offers an entirely different approach. Also worth a look!