Abp.AspNetCore 8.4.0 .Net 7 Detect vulnerabilities when scanning using Snyk #6951

Closed
frogerdevs opened this issue May 7, 2024 · 8 comments

@frogerdevs

Hi everyone,

I have vulnerability issues when scanning using Snyk. One of the issues is adding X-Frame-Options to global.asax.cs; because this project uses .NET 7, I don't have this file anymore.
Here is the screenshot:

[screenshot]

I have tried to add the configuration

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

in the app.config file, but it causes an error when running the application.
Here is the error:

ERROR Exception while reading ConfigurationSettings. Check your .config file is well formed XML.
System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize

but the vulnerability issue is gone.

Can anybody help me with how to fix this?

  • Abp package version: Abp.AspNetCore 8.4.0
  • Your base framework: .NET Core 7
  • Steps needed to reproduce the problem:
    • create a new project using aspnetboilerplate
    • scan using Snyk
@ismcagdas
Member

You may create a custom middleware and add this header. You can take a look at https://stackoverflow.com/a/37395430

@frogerdevs
Author

> You may create a custom middleware and add this header. You can take a look at https://stackoverflow.com/a/37395430

I have added middleware in my code, but it still didn't work.

here is my middleware:

app.Use(async (context, next) =>
{
    // Disable caching so responses are not served from a shared or browser cache
    context.Response.GetTypedHeaders().CacheControl =
        new Microsoft.Net.Http.Headers.CacheControlHeaderValue()
        {
            NoStore = true,
            NoCache = true,
        };
    context.Response.Headers["Expires"] = "0";
    context.Response.Headers["Pragma"] = "no-cache";
    // Content-Security-Policy: restrict where scripts, styles, fonts, images and connections may be loaded from
    context.Response.Headers["Content-Security-Policy"] = "default-src 'self'; " +
        "script-src 'self' 'unsafe-inline' ; " +
        "style-src 'self' 'unsafe-inline' fonts.googleapis.com fonts.gstatic.com ;" +
        "font-src 'self' fonts.googleapis.com fonts.gstatic.com ; " +
        "img-src 'self' validator.swagger.io data:;" +
        "connect-src 'self' ws: wss:;";
    context.Response.Headers["Referrer-Policy"] = "no-referrer";
    context.Response.Headers["Permissions-Policy"] = "geolocation=(), camera=(), microphone=(), display-capture=(), fullscreen=(), web-share=()";
    // X-Frame-Options is the header the Snyk finding asks for (clickjacking protection)
    context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
    // Headers are set before the rest of the pipeline runs, so they are in place when the response starts
    await next();
});
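
As an added example, not code from this thread or from the ABP project, the same idea packaged as a reusable middleware class registered with UseMiddleware, together with its placement in a .NET 7 minimal-hosting Program.cs. The class name SecurityHeadersMiddleware, the UseSecurityHeaders extension method and the sample "/" endpoint are assumptions of this example; the header names and values are the ones the thread already uses. It goes a little beyond the inline app.Use above in two ways: it is registered first so that static files, redirects and error responses also carry the headers, and it only sends Strict-Transport-Security on HTTPS requests, where browsers actually honour it.

```csharp
// Program.cs (ASP.NET Core 7, minimal hosting). Added example; not ABP's or this thread's code.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Register before static files and endpoints, so every response type gets the headers.
app.UseSecurityHeaders();
app.UseStaticFiles();

app.MapGet("/", () => "hello");   // assumed sample endpoint

app.Run();

/// <summary>
/// Adds clickjacking, MIME-sniffing and referrer hardening headers to every response.
/// Hypothetical class for this example; the header values match the ones in the thread.
/// </summary>
public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext context)
    {
        var headers = context.Response.Headers;

        // Set before the rest of the pipeline runs, the same way the inline app.Use does,
        // so the headers are already present whichever endpoint writes the body.
        headers["X-Frame-Options"] = "SAMEORIGIN";          // the header the Snyk finding asks for
        headers["X-Content-Type-Options"] = "nosniff";
        headers["Referrer-Policy"] = "no-referrer";

        // HSTS only has meaning over TLS; browsers ignore it on plain HTTP responses.
        if (context.Request.IsHttps)
        {
            headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
        }

        return _next(context);
    }
}

/// <summary>Registration helper (assumed name) so Program.cs reads as app.UseSecurityHeaders().</summary>
public static class SecurityHeadersExtensions
{
    public static IApplicationBuilder UseSecurityHeaders(this IApplicationBuilder app)
        => app.UseMiddleware<SecurityHeadersMiddleware>();
}
```

To confirm the headers are really emitted, run the application and inspect a response with `curl -sI https://localhost:<port>/` (replace `<port>` with your app's port) and check that an `X-Frame-Options: SAMEORIGIN` line is present. Note that this verifies the running application's responses; as the rest of the thread shows, the Snyk finding was tied to the project files (the unused app.config) rather than to what the application sends at runtime.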

@ismcagdas
Member

Does this work on a raw ASP.NET Core project ?

@frogerdevs
Author

> Does this work on a raw ASP.NET Core project?

Yes, when I create a new project from ASP.NET Core 7, no issue is detected on Snyk.

What makes me wonder is why this solution/project reads as ASP.NET Web API.

@ismcagdas
Member

Could you share the website URL of the tool you used? I mean Snyk.

@frogerdevs
Author

> Could you share the website URL of the tool you used? I mean Snyk.

Here is the link: https://snyk.io/
You can register and use it for free,
and download and install the extension for your IDE (in my case VS 2022), or use the extension manager from VS 2022.

@ismcagdas ismcagdas added this to the v9.3 milestone May 15, 2024
@frogerdevs
Author

I think I have a solution for this issue, but I don't know what the impacts are for the existing application.

Just delete the file "app.config" in the ".Web.Host" project.

Hope it helps.

@ismcagdas
Member

@frogerdevs you are right, this file is not used anymore.
