-rw-r--r--projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs39
-rw-r--r--projecttemplates/MvcRelyingParty/Controllers/AccountController.cs1
-rw-r--r--projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj1
-rw-r--r--samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs39
-rw-r--r--samples/OAuthAuthorizationServer/Controllers/OAuthController.cs1
-rw-r--r--samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj1
6 files changed, 82 insertions, 0 deletions
diff --git a/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs b/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs
new file mode 100644
index 0000000..f5aaef5
--- /dev/null
+++ b/projecttemplates/MvcRelyingParty/Code/HttpHeaderAttribute.cs
@@ -0,0 +1,39 @@
+namespace MvcRelyingParty {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Web;
+ using System.Web.Mvc;
+
+ /// <summary>
+ /// Represents an attribute that is used to add HTTP Headers to a Controller Action response.
+ /// </summary>
+ public class HttpHeaderAttribute : ActionFilterAttribute {
+ /// <summary>
+ /// Gets or sets the name of the HTTP Header.
+ /// </summary>
+ public string Name { get; set; }
+
+ /// <summary>
+ /// Gets or sets the value of the HTTP Header.
+ /// </summary>
+ public string Value { get; set; }
+
+ /// <summary>
+ /// Initializes a new instance of the <see cref="HttpHeaderAttribute"/> class.
+ /// </summary>
+ public HttpHeaderAttribute(string name, string value) {
+ Name = name;
+ Value = value;
+ }
+
+ /// <summary>
+ /// Called by the MVC framework after the action result executes.
+ /// </summary>
+ /// <param name="filterContext">The filter context.</param>
+ public override void OnResultExecuted(ResultExecutedContext filterContext) {
+ filterContext.HttpContext.Response.AppendHeader(Name, Value);
+ base.OnResultExecuted(filterContext);
+ }
+ }
+} \ No newline at end of file
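Review bot: The header is appended in OnResultExecuted (L52-L55), i.e. after the view has already rendered, so if the result flushed the response (Response.Flush, Buffer = false, or a large streamed result) Response.AppendHeader throws an HttpException because headers have already been sent, and the X-Frame-Options protection silently depends on output buffering being on. Overriding OnResultExecuting instead writes the header before the result executes and removes that dependency. The class also lacks an AttributeUsage declaration, so two HttpHeader attributes cannot be stacked on one action (AllowMultiple defaults to false) and the constructor accepts a null or empty Name that AppendHeader will reject at request time rather than at startup; the unused using directives for System.Collections.Generic, System.Linq and System.Web can be dropped. The second copy of this file in samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs (L86-L125) has the same issues and should get the same change.
```csharp
	[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
	public sealed class HttpHeaderAttribute : ActionFilterAttribute {
		// … unchanged: Name and Value properties …

		/// <summary>
		/// Initializes a new instance of the <see cref="HttpHeaderAttribute"/> class.
		/// </summary>
		/// <param name="name">The HTTP header name; must not be null or empty.</param>
		/// <param name="value">The HTTP header value.</param>
		public HttpHeaderAttribute(string name, string value) {
			if (string.IsNullOrEmpty(name)) {
				throw new ArgumentNullException("name");
			}

			Name = name;
			Value = value;
		}

		/// <summary>
		/// Called by the MVC framework before the action result executes, while response headers can still be written.
		/// </summary>
		/// <param name="filterContext">The filter context.</param>
		public override void OnResultExecuting(ResultExecutingContext filterContext) {
			filterContext.HttpContext.Response.AppendHeader(Name, Value);
			base.OnResultExecuting(filterContext);
		}
```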
diff --git a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
index 0b5e0b6..4ce8592 100644
--- a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
+++ b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
@@ -49,6 +49,7 @@
}
[Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
+ [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public ActionResult Authorize() {
var pendingRequest = OAuthServiceProvider.AuthorizationServer.ReadAuthorizationRequest();
if (pendingRequest == null) {
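Review bot: Applying the attribute to the single Authorize action (L65) means only this action's responses carry X-Frame-Options; the other authenticated pages in this controller, and the page the null-pendingRequest branch redirects to, remain frameable. Since ActionFilterAttribute can target a class, placing `[HttpHeader("x-frame-options", "SAMEORIGIN")]` on the controller (or registering it as a global filter if this MVC version supports one) would give consistent coverage with no per-action opt-in to forget. It is also worth widening the comment to say what the header does not cover, e.g. `// X-Frame-Options: mitigates clickjacking of this consent page only; browsers without support still render it in frames`. The Authorize action's body continues outside the hunk, and the parallel hunk in samples/OAuthAuthorizationServer/Controllers/OAuthController.cs (L130-L137) has the same scope limitation.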
diff --git a/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj b/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj
index 40e96b8..2b0be9a 100644
--- a/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj
+++ b/projecttemplates/MvcRelyingParty/MvcRelyingParty.csproj
@@ -72,6 +72,7 @@
<ItemGroup>
<Compile Include="Code\Extensions.cs" />
<Compile Include="Code\FormsAuthenticationService.cs" />
+ <Compile Include="Code\HttpHeaderAttribute.cs" />
<Compile Include="Code\OpenIdRelyingPartyService.cs" />
<Compile Include="Controllers\AccountController.cs" />
<Compile Include="Controllers\AuthController.cs" />
diff --git a/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs b/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs
new file mode 100644
index 0000000..49649eb
--- /dev/null
+++ b/samples/OAuthAuthorizationServer/Code/HttpHeaderAttribute.cs
@@ -0,0 +1,39 @@
+namespace OAuthAuthorizationServer.Code {
+ using System;
+ using System.Collections.Generic;
+ using System.Linq;
+ using System.Web;
+ using System.Web.Mvc;
+
+ /// <summary>
+ /// Represents an attribute that is used to add HTTP Headers to a Controller Action response.
+ /// </summary>
+ public class HttpHeaderAttribute : ActionFilterAttribute {
+ /// <summary>
+ /// Gets or sets the name of the HTTP Header.
+ /// </summary>
+ public string Name { get; set; }
+
+ /// <summary>
+ /// Gets or sets the value of the HTTP Header.
+ /// </summary>
+ public string Value { get; set; }
+
+ /// <summary>
+ /// Initializes a new instance of the <see cref="HttpHeaderAttribute"/> class.
+ /// </summary>
+ public HttpHeaderAttribute(string name, string value) {
+ Name = name;
+ Value = value;
+ }
+
+ /// <summary>
+ /// Called by the MVC framework after the action result executes.
+ /// </summary>
+ /// <param name="filterContext">The filter context.</param>
+ public override void OnResultExecuted(ResultExecutedContext filterContext) {
+ filterContext.HttpContext.Response.AppendHeader(Name, Value);
+ base.OnResultExecuted(filterContext);
+ }
+ }
+} \ No newline at end of file
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index a67c57b..9d2f6e9 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -36,6 +36,7 @@
/// </summary>
/// <returns>The browser HTML response that prompts the user to authorize the client.</returns>
[Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
+ [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public ActionResult Authorize() {
var pendingRequest = this.authorizationServer.ReadAuthorizationRequest();
if (pendingRequest == null) {
diff --git a/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj b/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
index 8dff7d5..ffb0828 100644
--- a/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
+++ b/samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
@@ -78,6 +78,7 @@
<DesignTime>True</DesignTime>
<AutoGen>True</AutoGen>
</Compile>
+ <Compile Include="Code\HttpHeaderAttribute.cs" />
<Compile Include="Code\OAuth2AuthorizationServer.cs" />
<Compile Include="Code\Utilities.cs" />
<Compile Include="Controllers\AccountController.cs" />