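using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace grantsconnect_frontend
{
    /// <summary>
    /// ASP.NET Core (2.x-style) startup for the grantsconnect front end: registers MVC and CORS,
    /// stamps response security headers, rejects unsupported request verbs, sets static-file
    /// cache headers and installs the SPA fallback route.
    /// </summary>
    public class Startup
    {
        /// <summary>
        /// Verbs the front end serves. Used both for the request filter and for the
        /// <c>Allow</c> header that RFC 7231 requires on a 405 response.
        /// </summary>
        private static readonly string[] AllowedMethods = { "GET", "HEAD", "POST", "OPTIONS" };

        /// <summary>Static-file cache lifetime in seconds (604800 = 7 days).</summary>
        private const string CachePeriodSeconds = "604800";

        // Content-Security-Policy, one directive per literal. The concatenated value is
        // byte-identical to what was shipped before; directives are ';'-separated and the
        // parser tolerates the missing space after each ';'.
        // NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src, and the wildcard
        // img-src, remove most of the XSS protection CSP is meant to give. Left unchanged
        // because the SPA may rely on them; tightening needs a front-end audit first.
        private const string ContentSecurityPolicy =
            "default-src 'self' data: https://*.azurewebsites.net https://s3.amazonaws.com https://*.cloudinary.com https://*.blob.core.windows.net https://grantsconnectui.azureedge.net https://unpkg.com https://maxcdn.bootstrapcdn.com https://*.yourcause.com https://*.yourcausegrantsuat.com https://*.yourcausegrants.com https://*.yourcausegrantsqa.com *.zopim.com;" +
            "script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://*.azurewebsites.net https://unpkg.com https://grantsconnectui.azureedge.net https://cdnjs.cloudflare.com https://v2.zopim.com https://static.zdassets.com;" +
            "img-src 'self' data: blob: *;" +
            "style-src 'self' 'unsafe-inline' https://*.azurewebsites.net https://cdn.ckeditor.com/ https://unpkg.com https://grantsconnectui.azureedge.net https://fonts.googleapis.com;" +
            "font-src 'self' data: https://fonts.gstatic.com https://grantsconnectui.azureedge.net https://unpkg.com https://*.zopim.com;" +
            "connect-src 'self' https://*.azurewebsites.net https://localhost:44392 https://*.blob.core.windows.net https://yc-prod.azurefd.net https://yc-dev-qa.azurefd.net https://dc.services.visualstudio.com https://*.yourcausegrantsqa.com https://grantsconnectui.azureedge.net https://*.yourcausegrantsuat.com https://*.yourcausegrants.com https://ekr.zdassets.com wss://widget-mediator.zopim.com";

        /// <summary>Registers MVC and CORS services in the DI container.</summary>
        /// <param name="services">The application's service collection.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
            services.AddCors();
        }

        /// <summary>
        /// Builds the request pipeline. Order matters: the header/verb middleware runs first so
        /// that every response (including 405s and static files) carries the security headers,
        /// then static files, CORS, the development-only pages, and finally MVC with the SPA fallback.
        /// </summary>
        /// <param name="app">The application builder.</param>
        /// <param name="env">The hosting environment (used to enable development-only middleware).</param>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            app.Use(async (context, next) =>
            {
                // Headers are applied when the response starts so downstream middleware
                // cannot accidentally run before they are in place.
                context.Response.OnStarting(() =>
                {
                    AddSecurityHeaders(context.Response.Headers);
                    return Task.CompletedTask;
                });

                if (!IsAllowedMethod(context.Request.Method))
                {
                    context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
                    // RFC 7231 §6.5.5: a 405 must list the methods the resource does support.
                    context.Response.Headers["Allow"] = string.Join(", ", AllowedMethods);
                    await context.Response.WriteAsync("Method Not Allowed");
                    // Short-circuit here. Previously the pipeline continued into MVC after the
                    // body had already been written, which would attempt to modify a started response.
                    return;
                }

                await next.Invoke();
            });

            app.UseStaticFiles(new StaticFileOptions
            {
                OnPrepareResponse = ctx =>
                {
                    // NOTE(review): Index.cshtml is only reached here if it lives under the
                    // static-file root; presumably it is the SPA shell that must never be cached — confirm.
                    if (ctx.File.Name != "Index.cshtml")
                    {
                        ctx.Context.Response.Headers.Append("Cache-Control", $"public, max-age={CachePeriodSeconds}");
                    }
                    else
                    {
                        // Indexer assignment overwrites instead of throwing if a value is already present.
                        ctx.Context.Response.Headers["Cache-Control"] = "no-cache, no-store";
                        ctx.Context.Response.Headers["Expires"] = "-1";
                    }
                }
            });

            app.UseCors(builder => builder
                .SetIsOriginAllowedToAllowWildcardSubdomains()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .WithOrigins(
                    "https://localhost:51851",
                    "https://apply.localhost:51851",
                    "https://yourcausegrantsqa.com",
                    "https://*.yourcausegrantsqa.com",
                    "https://*.yourcausegrantsuat.com",
                    "https://*.yourcausegrants.com"
                )
            );

            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                // NOTE(review): HTTPS redirection is development-only while the HSTS header above
                // is sent in every environment; presumably TLS is terminated upstream elsewhere — confirm.
                app.UseHttpsRedirection();
            }

            app.UseMvc(routes =>
            {
                routes.MapSpaFallbackRoute(
                    name: "spa-fallback",
                    defaults: new { controller = "Home", action = "Index" });
            });
        }

        /// <summary>
        /// Case-sensitive (ordinal) membership test against <see cref="AllowedMethods"/>;
        /// HTTP method tokens are case-sensitive, so "get" is deliberately not accepted.
        /// </summary>
        /// <param name="method">The request method token.</param>
        /// <returns><c>true</c> when the verb is one the front end serves.</returns>
        private static bool IsAllowedMethod(string method) => Array.IndexOf(AllowedMethods, method) >= 0;

        /// <summary>
        /// Writes the response security headers. Indexer assignment is used throughout so a
        /// header already set by another component is overwritten rather than causing
        /// <see cref="IHeaderDictionary"/>.Add to throw on a duplicate key.
        /// </summary>
        /// <param name="headers">The response header dictionary.</param>
        private static void AddSecurityHeaders(IHeaderDictionary headers)
        {
            // NOTE(review): "ALLOWALL" is not a value defined by RFC 7034 (DENY, SAMEORIGIN,
            // ALLOW-FROM); browsers ignore unrecognised values, so this header is effectively
            // absent and any origin may frame these pages. Left unchanged because embedding may
            // be intended — if so, express it with a CSP frame-ancestors directive and drop this
            // header; if not, use "SAMEORIGIN".
            headers["X-Frame-Options"] = "ALLOWALL";
            headers["X-Xss-Protection"] = "1; mode=block";
            headers["X-Content-Type-Options"] = "nosniff";
            // Comma-separated list is the spec's fallback mechanism: browsers use the last value they understand.
            headers["Referrer-Policy"] = "no-referrer-when-downgrade, strict-origin, strict-origin-when-cross-origin";
            headers["X-Permitted-Cross-Domain-Policies"] = "none";
            headers["Content-Security-Policy"] = ContentSecurityPolicy;
            // Mask the framework/server identity; replaces any value the host already set.
            headers["X-Powered-By"] = "YourCause";
            headers["Server"] = "YourCause";
            headers["strict-transport-security"] = "max-age=631138519";
        }
    }
}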