NetZero 8.5 - ASP.NET Core 3.1 Jquery
We are using NWebSec to add Content Security Policy into ASP.NET Zero 8.5. We’re using nonces on all script tags in the application as such (so using the tag helper):
<script nws-csp-add-nonce="true">
We’re getting a CSP error on the administration pages where the modal window is being loaded.
[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com cdn.jsdelivr.net *.vimeo.com localhost". Either the 'unsafe-inline' keyword, a hash ('sha256-A89G9Jx+cHr6joI5m9XkZvnSPnz+jSxZZlJRNjwuHqc='), or a nonce ('nonce-...') is required to enable inline execution.
I assume we’re getting this error because the content of the modal (CreateOrEditModal) is loading content dynamically (through Ajax). We have added the following configuration in the Startup for NWebSec:
app.UseHsts(options => options.MaxAge(days: 30));
//app.UseNoCacheHttpHeaders(); //Registered after static files, to set headers only for dynamic content.
app.UseRedirectValidation(); //Registered after static files, they don't redirect
app.UseReferrerPolicy(options => options.StrictOriginWhenCrossOrigin());
//app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());
app.UseXContentTypeOptions();
app.UseXDownloadOptions();
app.UseXfo(options => options.SameOrigin());
//app.UseXfo(options => options.Deny());
app.UseXRobotsTag(options => options
    .NoIndex()
    .NoFollow()
    .NoArchive()
    .NoImageIndex()
    .NoOdp()
    .NoSnippet()
    .NoTranslate()
);
app.UseXXssProtection(options => options.EnabledWithBlockMode());

app.UseCspReportOnly(options => options
    .UpgradeInsecureRequests()
    .DefaultSources(s => s
        .Self()
        .CustomSources("data:")
        .CustomSources("https:")
    )
    .FontSources(s => s
        .Self()
        .CustomSources("fonts.googleapis.com", "*.fontawesome.com", "kendo.cdn.telerik.com", "*.vimeo.com"))
    .FormActions(s => s.Self())
    .FrameAncestors(s => s.Self())
    .FrameSources(s => s
        .Self()
        .CustomSources("*.youtube.com", "*.vimeo.com", "app.powerbi.com"))
    .ImageSources(s => s
        .Self()
        .CustomSources("kendo.cdn.telerik.com", "*.youtube.com", "*.vimeo.com", "data:"))
    .MediaSources(s => s
        .Self()
        .CustomSources("*.youtube.com", "*.vimeo.com"))
    .ScriptSources(s => s
        .Self()
        .CustomSources("www.google.com", "cse.google.com", "kendo.cdn.telerik.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net", "*.vimeo.com", "localhost")
        .UnsafeEval() //TODO Required for Kendo
    )
    .StyleSources(s => s
        .Self()
        .UnsafeInline()
        .CustomSources("*.google.com", "fonts.googleapis.com", "kendo.cdn.telerik.com", "cdn.jsdelivr.net", "*.vimeo.com", "*.youtube.com", "shepherdjs.dev/dist/css/shepherd.css"))
);
Is there a way to get around these exceptions as basically, we can’t enable CSP on the application now since it’ll block all admin pages?
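The violation report above names the three ways an inline script can pass a CSP check (a matching nonce, a matching hash, or 'unsafe-inline'). The following is an added example, not code from the post or from NWebSec: it parses a CSP header such as the quoted one and applies those rules, which makes it easy to see why a script inserted by the Ajax-loaded modal without the page nonce is refused, and to compute the 'sha256-...' source the browser suggests for a fixed inline body.

```python
"""Decide whether an inline <script> executes under a given CSP header."""
import base64
import hashlib

# Constructed from the script-src directive quoted in the report-only violation.
REPORT_ONLY_POLICY = (
    "script-src 'self' 'nonce-LxksDtd8QWExYudx431bw42g' 'unsafe-eval' "
    "www.google.com cse.google.com kendo.cdn.telerik.com cdnjs.cloudflare.com "
    "cdn.jsdelivr.net *.vimeo.com localhost; style-src 'self' 'unsafe-inline'"
)


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_hash(body, algo="sha256"):
    """Hash source expression for an inline script body (exact bytes matter)."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(policy, body="", nonce=None):
    """Apply the CSP inline-script rules to a script with this body and nonce."""
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    keywords = {s.lower() for s in sources}
    # Nonces and hashes are case-sensitive base64, so they are kept verbatim.
    nonces = {s[7:-1] for s in sources if s.lower().startswith("'nonce-")}
    hashes = {s for s in sources
              if s.lower().startswith(("'sha256-", "'sha384-", "'sha512-"))}
    if nonce is not None and nonce in nonces:
        return True
    if any(script_hash(body, h[1:].split("-", 1)[0]) == h for h in hashes):
        return True
    # 'unsafe-inline' is ignored by browsers once any nonce or hash is listed,
    # and 'unsafe-eval' never authorises inline script blocks.
    return "'unsafe-inline'" in keywords and not nonces and not hashes
```

A hash source only helps for an inline body that is byte-for-byte stable across requests; a body rendered with per-request values needs the nonce instead.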
In following the documentation for Deleting a Theme for NetCore 3/Jquery I noticed that it is missing a step.
In the Areas -> AppAreaName -> Views -> Layout folder you should also delete the \ThemeX folder that contains _Layout.cshtml.
I have ported my NetZero 6.91 Net Core 2.2 jQuery app over to 8.1 Net Core 3.1 jQuery. Here are a few tips for getting Kendo UI to work. Hope this is helpful.
PROJECTNAME.Web.Mvc\Startup\Startup.cs
using Newtonsoft.Json.Serialization;

public IServiceProvider ConfigureServices(IServiceCollection services)
{
    // MVC
    services.AddControllersWithViews(options =>
    {
        options.Filters.Add(new AbpAutoValidateAntiforgeryTokenAttribute());
    })
#if DEBUG
    .AddRazorRuntimeCompilation()
#endif
    //Added for Kendo Serialization
    .AddNewtonsoftJson(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());

    //Further down in file
    services.AddKendo();
The Kendo JS files need to be loaded in the header - https://docs.telerik.com/kendo-ui/intro/installation/hosting-kendoui
Make changes to your _Layout.cshtml file: Areas\Admin\Views\Layout\_Layout.cshtml
HEADER - Add style sheets and javascript:
<link rel="stylesheet" type="text/css" href="~/lib/kendo-ui/styles/web/kendo.common-material.min.css" />
<link rel="stylesheet" type="text/css" href="~/lib/kendo-ui/styles/web/kendo.material.min.css" />
Take the entire NetZero Scripts section that is at the bottom of the page between the <!--begin::Base Scripts --> tags and move it up into the header
<!--begin::Base Scripts -->
ALL THE NETZERO SCRIPTS
<!-- Add the Kendo JS at the end of the scripts section so it is called after jQuery has loaded -->
<script src="~/lib/kendo-ui/js/kendo.all.min.js"></script>
<script src="~/lib/kendo-ui/js/kendo.aspnetmvc.min.js"></script>
<!--end::Base Scripts -->
EDITED: NOT NECESSARY (the following step was struck through)
Find the section for RenderSection("Scripts") - it is right after <!--begin::Page Snippets -->
Change to true:
<!--begin::Page Snippets -->
@RenderSection("Scripts", true) <!-- Change to true to handle scripts being placed in the header -->
We are moving from 6.9 to 8.1 ASP.NET Core 3.1 Jquery to take advantage of the new features of both ABP and NetCore 3.1. We have standard CRUD operations happening on the Web App that uses ABP Authentication. We also have built a Blazor Client App for CREATE ONLY operations for Anonymous Users (one ABP User Account that can be logged in to and accessed by multiple people simultaneously).
For the Web App security and the user license count we want to require 2FA and prevent Concurrent Login, but we want to DISABLE this for the Anonymous User account since we want multiple people to be able to add data without bumping someone else off the system and, since they are Anonymous, we don't have either cellphone number or email and therefore can't use 2FA.
Currently it seems that Concurrent Login and 2FA configuration is only available to the SuperAdmin and applies universally to all Tenants.
How would you implement these at the User Level? Our goal would be that the setting from the Settings/Security screen is the default and is inherited by all Users (and is part of the Create/Edit User screen), so that it could be turned off at the User Account level.
I am working with ABP 7.0.0 Asp Net Core 2.2 & Jquery using NetZero as the Authentication layer to access several different databases that, for business purposes, must be kept separate from the ABP Database. Each of my other databases has all of the required ABP Fields to be fully IMustHaveTenant compatible. Once logged in TenantId, User, Role is in Session and should be able to be passed to the other databases.
I've looked at various forum posts and Github code for having multiple databases and more than one DbContext pointing to different connection strings, but I haven't been able to get those approaches to work in Net Core 2.2. Has anyone gotten this scenario to work in Net Core 2.2? I would appreciate seeing
One feature I would like to see in Subscriptions is
Number of Active Users
For my SaaS application I allow a client to purchase X number of licenses and then only allow them to have X number of Active Users at any one time. Only Active Users can log in. The client can have more than X users if additional Users beyond X are Inactive. Then they can turn off an Active User and turn on an Inactive User.
When I do a Security Scan of my site hosted on Azure using https://asafaweb.com I get two warnings:
1. HTTP only cookies: Warning It looks like a cookie is being set without the "HttpOnly" flag being set (name : value):
Abp.Localization.CultureName : en
Unless the cookie legitimately needs to be read by JavaScript on the client, the "HttpOnly" flag should always be set to ensure it cannot be read by the client and used in an XSS attack.
Question: Is this cookie only being read by Javascript on the client? If not, how can it be changed to be HTTPS cookie?
2. Secure cookies: Warning It looks like 3 cookies are being served over HTTPS without the "secure" flag being set (name : value):
Abp.Localization.CultureName : en
ASP.NET_SessionId : 0q
ARRAffinity : 8*******************************f
Unless the cookie needs to be sent over an insecure connection, the "secure" flag should always be set to ensure it can only be sent with an HTTPS request.
Appreciate any guidance in securing the cookies.
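The two warnings come down to per-cookie attributes on the Set-Cookie response headers. As an added example (not part of the post, and not what asafaweb itself runs), the checker below parses Set-Cookie headers and reports which of the two flags each cookie lacks; the sample headers are constructed to mirror the three cookie names from the scan, with made-up values, and the `js_readable` list models the one legitimate reason to leave HttpOnly off.

```python
"""Flag Set-Cookie headers missing the HttpOnly or Secure attribute."""

# Constructed sample response headers; names follow the scan, values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: Abp.Localization.CultureName=en; path=/",
    "Set-Cookie: ASP.NET_SessionId=0q; path=/; HttpOnly",
    "Set-Cookie: ARRAffinity=8f; path=/; HttpOnly",
    "Set-Cookie: Example.Hardened=abc; path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Return (cookie name, {attribute name (lower-case): value}) for one header."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookie_findings(headers, js_readable=()):
    """Map each cookie name to the list of missing flags.

    Cookies named in js_readable may omit HttpOnly because client-side script
    legitimately reads them; Secure is expected on every cookie of an HTTPS site.
    """
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs and name not in js_readable:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings[name] = missing
    return findings
```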
I have a SaaS application that contains sensitive client data. If the client ever decides to cancel their contract I need to remove all of their data. To test this out in pre-production I have created a Cascade Delete from AbpTenant to the Client's data so that deleting a Tenant in AbpTenant from SSMS removes all the Client's data. It does leave the Tenant in all of the other Abp Tables (since it is a soft delete). What is the best way to remove all the other references to that Tenant? I don't want to disable the Tenant Soft Delete. Should this just be a SQL script I need to generate?
Is there a way to prevent concurrent logins by the same User? Under a subscription-based service my SaaS application is being sold with a specific number of user licenses based on the version they purchase. Users can get around this by simply sharing a login. Is there a way to prevent User2 from logging in with User1's credentials if User1 is already logged in?
When creating a Tenant you can configure the default password requirements. All of the Security Features are handled on the Settings/Security Page. If you grant a Tenant access to that page, which may be important for them to control things like User Lockout and Two-Factor Authentication, you also give them the ability to change the password requirements. This means a Tenant could set up a 3 letter password requirement which compromises security for the entire application.
Is there a way to set or hardcode a minimum password requirement where the User cannot go below, for example 8 characters?
Another option would be to split off the Password Settings into a different Page Permission from Settings, that way the User still has access to the other parts of the Settings/Security but the Host could determine if Tenants can or cannot change the Password Complexity.