Date: 2023-09-05
Status: Accepted
Up until now, we have been setting static response security headers in a custom middleware. We have encountered some scenarios where we need to use inline <script> tags:
- The GOV.UK design system requires an inline script tag (to add the js-enabled class name to the body).
- We may also need an inline script to initialise the accessible-autocomplete component, which we will be using for search.
These uses of inline script should be secured with nonces.
We will use the NetEscapades.AspNetCore.SecurityHeaders NuGet package to secure our inline scripts. This package is widely used across RSD products and is recommended by the SDD technical documentation repo.
In order to keep our security header configuration consistent, we will also use this package to configure our other security headers.
We have added nonce attributes to inline scripts using the NetEscapades.AspNetCore.SecurityHeaders NuGet package.
We have made further use of the NetEscapades security header methods to replace the majority of the security headers previously set in our middleware, so that all of the security headers are set in one place.
We still need to set the X-Robots-Tag manually in the custom middleware, to define our desired search engine behaviour.
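The shape of the resulting configuration, as an added illustration rather than the project's own code: a single HeaderPolicyCollection carries the Content-Security-Policy with a per-response script nonce plus the other static headers, while X-Robots-Tag stays in the custom middleware. It assumes the .NET minimal hosting model (Program.cs), that the NetEscapades.AspNetCore.SecurityHeaders and NetEscapades.AspNetCore.SecurityHeaders.TagHelpers packages are referenced, and that the concrete header values and the "noindex, nofollow" robots directive are the team's choices; the js-enabled one-liner is a stand-in for the GOV.UK Frontend snippet, not a copy of it.

```csharp
// Program.cs - illustrative example, not the project's own code.
// Assumes NetEscapades.AspNetCore.SecurityHeaders (+ .TagHelpers) is referenced.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
var app = builder.Build();

// One policy collection replaces the static headers the custom middleware used to set.
// The header values here are assumptions; adjust them to the service's needs.
var policies = new HeaderPolicyCollection()
    .AddFrameOptionsDeny()
    .AddContentTypeOptionsNoSniff()
    .AddReferrerPolicyStrictOriginWhenCrossOrigin()
    .AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365)
    .AddCrossOriginOpenerPolicy(coop => coop.SameOrigin())
    .AddCrossOriginResourcePolicy(corp => corp.SameOrigin())
    .RemoveServerHeader()
    .AddContentSecurityPolicy(csp =>
    {
        csp.AddDefaultSrc().Self();
        // WithNonce() emits a fresh 'nonce-...' source on every response. Inline
        // scripts that do not carry the matching nonce attribute are blocked, so
        // 'unsafe-inline' is not needed for the GOV.UK or autocomplete scripts.
        csp.AddScriptSrc().Self().WithNonce();
        csp.AddStyleSrc().Self();
        csp.AddImgSrc().Self();
        csp.AddObjectSrc().None();
        csp.AddBaseUri().Self();
        csp.AddFormAction().Self();
        csp.AddFrameAncestors().None();
        csp.AddUpgradeInsecureRequests();
    })
    .AddPermissionsPolicy(pp =>
    {
        pp.AddCamera().None();
        pp.AddGeolocation().None();
        pp.AddMicrophone().None();
    });

// Register early so static files and error responses receive the headers too.
app.UseSecurityHeaders(policies);

// X-Robots-Tag is still set by hand in the custom middleware, as the ADR records.
// OnStarting guarantees the header is written before the first byte of the body.
app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        context.Response.Headers["X-Robots-Tag"] = "noindex, nofollow"; // assumed value
        return Task.CompletedTask;
    });
    await next(context);
});

app.UseStaticFiles();
app.MapRazorPages();
app.Run();

// Razor side (shown as comments so the example stays in one file):
//
// _ViewImports.cshtml - enables the asp-add-nonce tag helper:
//   @addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
//
// _Layout.cshtml, directly after <body> - the tag helper writes nonce="..." using
// the same value the middleware put into this response's CSP header:
//   <script asp-add-nonce>
//     document.body.className += ' js-enabled';   // stand-in for the GOV.UK snippet
//   </script>
//
// When markup is built in code rather than in a view, the same value is available as:
//   var nonce = HttpContext.GetNonce();
```

Two things worth checking once this is in place. First, requesting the page twice (for example with curl -i) should show a different 'nonce-...' value in Content-Security-Policy each time, and the nonce attribute on the inline script in the body should equal the one in that response's header; if they differ, the script tag is being rendered outside the request that generated the header. Second, because the nonce changes per response, pages containing nonced scripts must not be served from a response or output cache: a cached body would carry a stale nonce that no longer matches the freshly generated header, and the browser would block the script. The library also offers AddCustomHeader(name, value) on the policy collection, which is an option should the team later decide to move X-Robots-Tag out of the custom middleware as well.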