Introduction
AdminUI ships with a default Content Security Policy (CSP) configuration that already carries the exceptions its own functionality needs. Sometimes you will need to extend these settings or replace them with your own. When AdminUI is used via the NuGet package you can either completely override the policy or modify the default configuration.
Configure Content Security Policy
AdminUI reads the ContentSecurityPolicyOptions registered in the DI container and uses them to generate the Content-Security-Policy header. To modify the configuration, register your own Configure<ContentSecurityPolicyOptions> delegate (an IConfigureOptions<ContentSecurityPolicyOptions>) so that it runs after the one AddAdminUI() registers. Configure delegates run in registration order, so a delegate registered before AddAdminUI() would be overwritten by AdminUI's defaults. Here is an example that appends sources to the existing connect-src and frame-src directives.
builder.Services.AddAdminUI();
// It's important to do this after .AddAdminUI(), otherwise your configuration will be overridden
builder.Services.Configure<ContentSecurityPolicyOptions>(options =>
{
    // AppendSources keeps AdminUI's existing entries and adds the origin to the list
    options.ConnectSources(src => src.AppendSources("https://localhost:5001"));
    options.FrameSources(src => src.AppendSources("https://localhost:5001"));
});
There are many options when configuring a content security policy. Here is an example of a full CSP configuration for AdminUI that you can tweak to suit your purposes. Note that the script hashes in the example are tied to the exact content of the inline scripts they cover, so a copied list must be kept in step with the AdminUI version you deploy; the built-in defaults are updated with the package.
builder.Services.AddAdminUI();
// It's important to do this after .AddAdminUI(), otherwise your configuration will be overridden
// Placeholder origins for the IdentityServer (authUrl) and AdminUI (uiUrl) hosts; replace with your own
var authUrl = "https://localhost:5001";
var uiUrl = "https://localhost:5002";
builder.Services.Configure<ContentSecurityPolicyOptions>(options =>
{
    // Script Sources: hashes of the inline scripts AdminUI needs, so script-src can stay free of 'unsafe-inline'
    var sources = new[]
    {
        "sha256-m7vYZMioFjSZkBJ624LmmpHUkpOVeuunnlbXQ1LB0Mk=",
        "sha256-Fp+pb/v+yuZCJgkm+swqlbikr47TxdSV0Xrlogi5FIA=",
        "sha256-1VJjjKMY+X1Fyrp0kbWYQOQaEhz3c88e4r7rp2G580E=",
        "sha256-Oe8bRaRSDq7Hj6XSvQDp87/mm5/wflOsW2zUorSRRh8=",
        "sha256-qvXZB7r452onLl++wIonI3lmPV+QeDx3zyjVyboZGVA=",
        "sha256-o4ANp0BtRtNUf4xg0UT9IcWf4ropIGXmSLXPPHsmV8U=",
        "sha256-GBLm9DsOMe2OK7kvFZUpURBKSL6NInxJHuphx7oYeXc=",
        "sha256-92oNc6FnRLeC7OVaOOD46fU/AjMcJibr9XIFcoOq9K4=",
        "sha256-4aTp6nNi+md1utmsRVHog0Y7RfhnHobeQEqOWxdIb10="
    };
    // each src is an IContentSecurityPolicyHeaderDirective
    options.DefaultSources(src => src.Self());
    options.ScriptSources(src => src.Self().CustomSources(sources));
    options.StyleSources(src => src.Self().UnsafeInline());
    options.FontSources(src => src.Self());
    options.ImageSources(src => src.Self().CustomSources("data:"));
    options.FrameSources(src => src.CustomSources(authUrl, uiUrl));
    options.ObjectSources(src => src.None());
    options.FrameAncestorSources(src => src.Self());
    options.BaseUriSources(src => src.Self());
    options.ConnectSources(src => src.CustomSources(authUrl, uiUrl, "https://www.identityserver.com/rss"));
});
Extension Methods on IContentSecurityPolicyHeaderDirective
These are used inside the configure Action passed to the IFluentCspHeaderOptions methods (ScriptSources, ConnectSources and so on, as in the examples above).
.None(): Specifies the 'none' source.
.Self(): Specifies the 'self' source.
.CustomSources(string[]): Sets the list of custom sources.
.UnsafeInline(): Sets 'unsafe-inline'.
.UnsafeEval(): Sets 'unsafe-eval'.
.UnsafeEvalIfDevelopment(IHostEnvironment): Sets 'unsafe-eval' only if the provided IHostEnvironment is Development.
.WebsocketsIfDevelopment(IHostEnvironment): Adds 'ws:' to the custom sources only if the provided IHostEnvironment is Development.
.AppendSources(string[]): Appends the provided list of sources to the already configured list.
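The following is an added example, not code from the AdminUI documentation or package, that puts the environment-dependent helpers and the CustomSources/AppendSources distinction above to use. It assumes the standard ASP.NET Core WebApplicationBuilder (whose builder.Environment is an IHostEnvironment), that the directive passed to each configure Action already carries AdminUI's defaults because the delegate is registered after AddAdminUI(), and that authUrl and uiUrl are placeholder origins you replace with your own.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
// plus the AdminUI namespace that provides ContentSecurityPolicyOptions, as in your existing Program.cs

var builder = WebApplication.CreateBuilder(args);

// Placeholder origins (assumed values): the IdentityServer host and the AdminUI host.
var authUrl = "https://localhost:5001";
var uiUrl = "https://localhost:5002";

builder.Services.AddAdminUI();

// Registered after AddAdminUI() so this delegate runs after AdminUI's own defaults.
builder.Services.Configure<ContentSecurityPolicyOptions>(options =>
{
    // Relax script-src only while developing: 'unsafe-eval' is emitted in the
    // Development environment and never in Staging or Production.
    options.ScriptSources(src => src.UnsafeEvalIfDevelopment(builder.Environment));

    // Extend connect-src rather than replace it (AppendSources keeps the existing list),
    // and allow ws: for dev tooling such as hot reload, again only in Development.
    options.ConnectSources(src =>
    {
        src.AppendSources(authUrl, uiUrl);
        src.WebsocketsIfDevelopment(builder.Environment);
    });

    // Replace frame-src entirely (CustomSources sets the list): only the
    // IdentityServer and AdminUI origins may be embedded as frames.
    options.FrameSources(src => src.CustomSources(authUrl, uiUrl));

    // Hardening that is independent of the environment: no plugins, and the
    // admin pages may only be framed by their own origin (clickjacking defence).
    options.ObjectSources(src => src.None());
    options.FrameAncestorSources(src => src.Self());
});

// The remainder of Program.cs (builder.Build(), the AdminUI middleware, app.Run())
// is unchanged; only the options registration above is shown here.
```

After deploying, confirm the result by requesting an AdminUI page and reading the Content-Security-Policy response header: in a Production environment it should contain no 'unsafe-eval' in script-src and no ws: in connect-src, while a Development run shows both.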