Healthchecks Failing

Ambert

05/25/2023, 9:24 AM
Any Umbracian has an idea for this? 😄

Jason

05/25/2023, 9:31 AM
How are your headers configured for this?
i.e. do you have actual code that's setting the X-Frame-Options header? If so, can you share it?

Ambert

05/25/2023, 9:32 AM
Simply using the builder:
public static IApplicationBuilder ConfigureSecurityHeaders(this IApplicationBuilder app, IWebHostEnvironment env, IConfiguration config)
{
    app.UseReferrerPolicy(opts => opts.StrictOrigin());
    app.UseXfo(options => options.SameOrigin());
    app.UseXXssProtection(options => options.EnabledWithBlockMode());
    app.UseXContentTypeOptions();

    return app;
}
And it's not in a conditional statement to only run on development 😉

Jason

05/25/2023, 9:37 AM
Interesting.
Does it work if you take the manual approach (i.e. not NWebSec)?
Hmm, I've just tested this and it doesn't work. I was adding the middleware configuration too late. The manual approach in the docs is working for me.

Ambert

05/25/2023, 11:19 AM
Just to be sure, you're also running on cloud?
And it seems like the headers are set though when I inspect the traffic..

Jason

05/25/2023, 11:20 AM
Yep, just pushed to cloud to check.

Ambert

05/25/2023, 11:21 AM
hmm let me check

Jason

05/25/2023, 11:27 AM
I'm not using NWebsec, which looks like a dead project now, as security moves quickly and adding headers is trivial. (on a related note, take a look at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)

Ambert

05/25/2023, 11:29 AM
It's just one example

https://cdn.discordapp.com/attachments/1111223258126225468/1111254772952092792/image.png

none of these work
currently deploying the code you provided as a test
Still failing on cloud 😄
Locally it adds the header nicely. hah

Jason

05/25/2023, 11:34 AM
That's weird.

Ambert

05/25/2023, 11:36 AM
I'm doubting if it's even deployed atm..
restarting the environment
yea no difference at all
this is odd
not even my commented out items
ah it seems I had selected an image in both windows, which were cached.. 🙂
I at least see a difference in headers on the document itself
however, Umbraco security healthcheck still says: no
Original:

https://cdn.discordapp.com/attachments/1111223258126225468/1111257915081375784/image.png

Current:

https://cdn.discordapp.com/attachments/1111223258126225468/1111257945720762459/image.png

@Jason did you test on a live URL, or on a dev environment URL?
(ea dev-projectname.euwest01.umbraco.io)
(not sure if there's a difference)

Jason

05/25/2023, 11:43 AM
I tested on an umbraco.io URL
(and the underlying Azure Web App just to be sure)
What URL is your healthcheck targeting?

Ambert

05/25/2023, 11:45 AM
The Application URL configuration?
dev-projectname.euwest01.umbraco.io

Jason

05/25/2023, 11:47 AM
And is that the URL you're using the backoffice from?

Ambert

05/25/2023, 11:51 AM
it's the same, yes

Jason

05/25/2023, 11:57 AM
Crazy

Ambert

05/25/2023, 11:57 AM
yep 😛 haha
Do you perhaps have the order different in the Configure()?
We basically have it first though, so that also shouldn't be it..

Jason

05/25/2023, 12:02 PM
Yeah, first in mine too.

Ambert

05/25/2023, 2:08 PM
Been trying some more stuff, no luck 😦