I'm working on a website which uses the Umbraco CMS version 7. I'm using NWebSec to implement a CSP header on the website. NWebSec has built in functionality to raise a .Net event when there's a CSP violation. Normally you'd catch that event with something like this:

    protected void NWebSecHttpHeaderSecurityModule_CspViolationReported(object sender, CspViolationReportEventArgs e)
    {
        var report = e.ViolationReport;
        var serializedReport = JsonConvert.SerializeObject(report.Details);

        // Do a thing with the report
    }

in the Global.asax.cs file. But so far as I can tell, Umbraco preempts the Global.asax.cs file, and it eats any event that's thrown. I have a file with a few custom event handlers like:

    public void OnApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)

to handle the standard pieces of application startup code that would normally be in the Global.asax.cs file, but putting the NWebSec event handler in that same file doesn't work. Presumably it's because it's using the .Net event handler syntax rather than whatever Umbraco replaces it with.

How do I access the events thrown by NWebSec?

Mark Pattison
Necoras

1 Answer

The Global.asax class inherits from UmbracoApplication so no, you can't use that. There are a number of reasons for this, including enabling the ability to "run" Umbraco outside of the web context (i.e. in a console application).

After reviewing the available documentation on the NWebSec documentation website, I don't think you can just place your NWebSecHttpHeaderSecurityModule_CspViolationReported event handler method in the class; you will need to wire it up as well. It should probably look something like this:

public class MyGlobalEventHandler : ApplicationEventHandler {

    protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
    {
        var nWebSecHttpHeaderSecurityModule = umbracoApplication.Modules["NWebSecHttpHeaderSecurityModule"] as HttpHeaderSecurityModule;
        if (nWebSecHttpHeaderSecurityModule != null) {
            nWebSecHttpHeaderSecurityModule.CspViolationReported += NWebSecHttpHeaderSecurityModule_CspViolationReported;
        }

        base.ApplicationStarted(umbracoApplication, applicationContext);
    }

    protected void NWebSecHttpHeaderSecurityModule_CspViolationReported(object sender, CspViolationReportEventArgs e)
    {
        var report = e.ViolationReport;
        var serializedReport = JsonConvert.SerializeObject(report.Details);

        // Do a thing with the report
    }
}

If you're using a newer version of Umbraco that supports OWIN (7.3.0), you could use the NWebsec.Owin library which may give you a better result and more flexibility perhaps.

Robert Foster
  • I ended up going a different route and using the more standard CSP reporting structure with a custom route and handling it with an MVC controller. But it looks like your answer regarding wiring up NWebSec as an Umbraco application was the piece I was missing to make this work. Thanks. – Necoras Oct 23 '15 at 14:36
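
The custom-route approach mentioned in the comment above, as an added example that is not code from the original posts or from NWebSec or Umbraco: an ASP.NET MVC controller that accepts the JSON report browsers POST to the CSP `report-uri`. The controller name, the 16 KB cap and the `Field` helper are assumptions, and the route to `Report()` still has to be registered with MVC routing.

```csharp
using System;
using System.IO;
using System.Net;
using System.Web.Mvc;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example; CspReportController is a hypothetical name.
public class CspReportController : Controller
{
    private const int MaxReportChars = 16 * 1024; // assumed cap; real reports are small

    [HttpPost]
    public ActionResult Report()
    {
        // Browsers send application/csp-report; accept application/json as well.
        var type = Request.ContentType ?? string.Empty;
        if (!type.StartsWith("application/csp-report", StringComparison.OrdinalIgnoreCase) &&
            !type.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(HttpStatusCode.UnsupportedMediaType);

        // The endpoint is unauthenticated, so bound the read instead of trusting Content-Length.
        var buffer = new char[MaxReportChars + 1];
        int read;
        using (var reader = new StreamReader(Request.InputStream))
            read = reader.ReadBlock(buffer, 0, buffer.Length);
        if (read > MaxReportChars)
            return new HttpStatusCodeResult(HttpStatusCode.RequestEntityTooLarge);

        JObject report;
        try { report = JObject.Parse(new string(buffer, 0, read))["csp-report"] as JObject; }
        catch (JsonException) { return new HttpStatusCodeResult(HttpStatusCode.BadRequest); }
        if (report == null)
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        // Every field is client-supplied. Re-serializing escapes control characters,
        // so a crafted value cannot forge extra log lines.
        var entry = JsonConvert.SerializeObject(new {
            documentUri = Field(report, "document-uri"),
            violatedDirective = Field(report, "violated-directive"),
            blockedUri = Field(report, "blocked-uri") });
        System.Diagnostics.Trace.TraceWarning("CSP violation: {0}", entry);
        return new HttpStatusCodeResult(HttpStatusCode.NoContent);
    }

    // Returns the field only when it is a scalar; nested objects/arrays are ignored.
    private static string Field(JObject report, string name)
    {
        var value = report[name] as JValue;
        return value == null ? null : Convert.ToString(value.Value);
    }
}
```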