Implement security hardening with CSP and localized assets

Implements a Content Security Policy (CSP) and localizes the vis-network dependency to ensure compliance. Additionally, this adds anti-forgery token validation to page models and forces the HTTPS scheme in middleware.

Author: carlsixsmith-moj

src/Visualiser/Pages/Index.cshtml

@@ -132,6 +132,6 @@
 @Html.AntiForgeryToken()
 
 @section Scripts {
-    <script type="text/javascript" src="https://unpkg.com/vis-network/standalone/umd/vis-network.min.js"></script>
+    <script type="text/javascript" src="~/js/vis-network.min.js"></script>
     <script type="text/javascript" src="~/js/network.js" asp-append-version="true"></script>
 }

src/Visualiser/Pages/Index.cshtml.cs

@@ -7,7 +7,7 @@
 using System.Text;
 using System.Text.Json;
 namespace Visualiser.Pages;
-
+[ValidateAntiForgeryToken]
 public class IndexModel(IDownstreamApi api) : PageModel
 {
     public void OnGet() { }

src/Visualiser/Pages/ProcessedFiles.cshtml.cs

@@ -10,6 +10,7 @@
 
 namespace Visualiser.Pages
 {
+    [ValidateAntiForgeryToken]
     public class ProcessedFilesModel(IDownstreamApi api) : PageModel
     {
 

src/Visualiser/Program.cs

@@ -56,6 +56,23 @@
 app.UseAuthentication();
 app.UseAuthorization();
 
+app.Use((context, next) =>
+{
+   context.Request.Scheme = "https";
+   return next(); 
+});
+
+app.Use(async (context, next) =>
+{
+    if(context.Response.Headers.IsReadOnly == false)
+    {
+        string csp = app.Configuration["Content-Security-Policy"]
+                            ??  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'self' data:; frame-src 'self' data:;";   
+        context.Response.Headers.Append("Content-Security-Policy", csp);
+    }
+    await next();
+});
+
 app.MapStaticAssets();
 app.MapRazorPages()
    .WithStaticAssets();