GCS-28: Changes for Pen Test (#652)

* GCS-28: Update session timout to 15mins * GCS-28: Update session timout to 15mins and add cookie max age * GCS-28: add Strict-T Strict-Transport-Security headers * GCS-28: add secure policy for all cookies
nhsconnect · Nov 18, 2024 · 1fc6f16 · 1fc6f16
1 parent 01c0d87
commit 1fc6f16
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 6 deletions.
diff --git a/...ect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs b/...ect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs
@@ -1,9 +1,11 @@
 using System;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Net.Http.Headers;
@@ -36,11 +38,25 @@ public static void ConfigureApplicationBuilderServices(this IApplicationBuilder
                     context.Context.Response.Headers[HeaderNames.CacheControl] = $"public, max-age={TimeSpan.FromSeconds(60 * 60 * 24)}";
                 }
             });
-            app.UseSession();
+
             app.UseCookiePolicy();            
             app.UseRouting();
+            app.UseSession();
             app.UseResponseCaching();
 
+            app.Use(async (context, next) =>
+            {
+                var antiforgery = context.RequestServices.GetRequiredService<IAntiforgery>();
+                antiforgery.SetCookieTokenAndHeader(context);
+                await next(context);
+            });
+
+            app.Use(async (context, next) =>
+            {
+                context.Session.SetString("SessionKey", "Session");
+                await next();
+            });
+
             app.Use(async (context, next) =>
             {
                 context.Response.GetTypedHeaders().CacheControl = new CacheControlHeaderValue()

diff --git a/...nect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs b/...nect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs
@@ -22,16 +22,19 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
         services.AddSession(s =>
         {
             s.Cookie.Name = ".GpConnectAppointmentChecker.Session";
-            s.IdleTimeout = new TimeSpan(0, 30, 0);
+            s.IdleTimeout = new TimeSpan(0, 15, 0);
+            s.Cookie.MaxAge = TimeSpan.FromMinutes(15);
             s.Cookie.HttpOnly = true;
             s.Cookie.IsEssential = true;
+            s.Cookie.SecurePolicy = CookieSecurePolicy.Always;
         });
 
         services.Configure<CookiePolicyOptions>(options =>
         {
             options.ConsentCookie.Name = ".GpConnectAppointmentChecker.ConsentCookie";
             options.CheckConsentNeeded = context => true;
-            options.MinimumSameSitePolicy = SameSiteMode.None;
+            options.ConsentCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.MinimumSameSitePolicy = SameSiteMode.Strict;
         });
 
         services.Configure<FormOptions>(x => x.ValueCountLimit = 100000);
@@ -45,6 +48,7 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
         {
             options.IncludeSubDomains = true;
             options.MaxAge = TimeSpan.FromDays(730);
+            options.Preload = true;
         });        
 
         services.AddResponseCaching();
@@ -109,8 +113,8 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
         { 
             options.SuppressXFrameOptionsHeader = true;
             options.Cookie.HttpOnly = true;
-            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
-            options.Cookie.SameSite = SameSiteMode.Lax;
+            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.Cookie.SameSite = SameSiteMode.Strict;
         });
 
         services

diff --git a/modules/end-user/src/gpconnect-appointment-checker/Startup.cs b/modules/end-user/src/gpconnect-appointment-checker/Startup.cs
@@ -33,7 +33,7 @@ public void ConfigureServices(IServiceCollection services)
             authenticationExtensions.ConfigureAuthenticationServices(services);
 
             services.ConfigureLoggingServices(_configuration);
-            services.ConfigureApplicationServices(_configuration, _webHostEnvironment);            
+            services.ConfigureApplicationServices(_configuration, _webHostEnvironment);
         }
 
         public void ConfigureContainer(ContainerBuilder builder)