feat: Implementierung von CSPMiddleware zur Hinzufügung von CSP-Headern mit Nonce für verbesserte Sicherheit.

DigitalData.Core.API/CSPMiddleware.cs

@@ -0,0 +1,47 @@
+namespace DigitalData.Core.API
+{
+    /// <summary>
+    /// Middleware to add Content Security Policy (CSP) headers to the HTTP response.
+    /// </summary>
+    public class CSPMiddleware
+    {
+        private readonly RequestDelegate _next;
+        private readonly string _policy;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="CSPMiddleware"/> class.
+        /// </summary>
+        /// <param name="next">The next middleware in the request pipeline.</param>
+        /// <param name="policy">The CSP policy string with placeholders for nonces.</param>
+        public CSPMiddleware(RequestDelegate next, string policy)
+        {
+            _next = next;
+            _policy = policy;
+        }
+
+        /// <summary>
+        /// Invokes the middleware to add the CSP header to the response.
+        /// </summary>
+        /// <param name="context">The HTTP context.</param>
+        /// <returns>A task that represents the completion of request processing.</returns>
+        public async Task Invoke(HttpContext context)
+        {
+            // Generate a nonce (number used once) for inline scripts and styles
+            var nonce = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
+
+            // Store the nonce in the context items for later use
+            context.Items["csp-nonce"] = nonce;
+
+            // Add the CSP header to the response
+            context.Response.OnStarting(() =>
+            {
+                context.Response.Headers.Add("Content-Security-Policy",
+                    string.Format(_policy, nonce));
+                return Task.CompletedTask;
+            });
+
+            // Call the next middleware in the pipeline
+            await _next(context);
+        }
+    }
+}

DigitalData.Core.API/DIExtensions.cs

@@ -0,0 +1,23 @@
+using Microsoft.AspNetCore.Builder;
+
+namespace DigitalData.Core.API
+{
+    /// <summary>
+    /// Provides extension methods for adding middleware to the application's request pipeline.
+    /// </summary>
+    public static class DIExtensions
+    {
+        /// <summary>
+        /// Adds the <see cref="CSPMiddleware"/> to the application's request pipeline to include 
+        /// Content Security Policy (CSP) headers in the HTTP response.
+        /// </summary>
+        /// <param name="app">The application builder.</param>
+        /// <param name="policy">
+        /// The CSP policy string with placeholders. The first format parameter {0} will be replaced 
+        /// by the nonce value.
+        /// </param>
+        /// <returns>The application builder with the CSP middleware added.</returns>
+        public static IApplicationBuilder UseCSPMiddleware(this IApplicationBuilder app, string policy)
+            => app.UseMiddleware<CSPMiddleware>(policy);
+    }
+}

DigitalData.Core.DTO/DTOExtensions.cs

@@ -1,5 +1,4 @@
 using Microsoft.Extensions.Logging;
-using System.Diagnostics;
 using System.Text;
 
 namespace DigitalData.Core.DTO
@@ -63,6 +62,10 @@ namespace DigitalData.Core.DTO
             return result;
         }
 
+        public static bool HasFlag(this IEnumerable<Notice> notices, Enum flag) => notices.Any(n => n.Flag?.ToString() == flag.ToString());
+
+        public static bool HasAnyFlag(this IEnumerable<Notice> notices, params Enum[] flags) => flags.Any(f => notices.HasFlag(f));
+
         public static I Then<I>(this Result result, Func<I> Success, Func<List<string>, List<Notice>, I> Fail)
         {
             return result.IsSuccess ? Success() : Fail(result.Messages, result.Notices);