
Performance & Security Optimizations for CSP Module (2025 Best Practices) #6

@Scarmonit

Overview

After analyzing the codebase, I've identified several optimization opportunities based on 2025 CSP best practices and modern ASP.NET performance patterns. This package is a solid foundation but could benefit from performance improvements, security enhancements, and maintainability updates.

🚀 Performance Optimizations

1. Header Size Management (Critical)

Issue: Current implementation doesn't manage header size limits. Cloudflare drops responses with headers >16KB, and best practice is <8KB per header.

Solution:

  • Implement header size monitoring before sending
  • Split large CSP headers into multiple headers when approaching 8KB
  • Add warning logs when headers exceed recommended sizes
  • Consolidate directives (merge script-src-elem/script-src-attr → script-src) when size critical

Reference: https://world.optimizely.com/blogs/mark-stott/dates/2025/8/optimizing-content-security-policies-to-stay-within-http-header-limits/

2. Cache Optimization

Current Issue in SecurityPoliciesCollectionManager.cs:

HttpContext.Current.Cache.Insert("ContentSecurityPolicyConfig", file, ConfigDocDependency, 
    DateTime.MaxValue, TimeSpan.Zero, CacheItemPriority.High, null);

Problems:

  • XML deserialization happens on every request if cache expires
  • No cache warming on startup
  • File dependency might cause frequent cache invalidation

Optimizations:

  • Pre-parse CSP headers at startup and cache the final header strings (not just the object)
  • Use MemoryCache instead of legacy HttpContext.Current.Cache
  • Implement lazy initialization with thread-safe singleton pattern
  • Add cache hit/miss metrics
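The four cache bullets above fit in one small class. The following is an added example, not the package's code: it keeps the rendered header string (not the deserialized config) in MemoryCache, uses a Lazy<T> so a cold-start stampede parses the XML only once, invalidates only on a change to the config file, and exposes hit/miss counters. RenderHeader, CspHeaderCache and the cache key are assumed names; the package's real XML parser is not shown on this page.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;

// Added example (not the package's code): replaces the HttpContext.Current.Cache call above.
public static class CspHeaderCache
{
    private const string CacheKey = "ContentSecurityPolicyHeader";     // assumed key
    private static readonly MemoryCache Cache = MemoryCache.Default;

    private static long _hits, _misses;
    public static long Hits => Interlocked.Read(ref _hits);
    public static long Misses => Interlocked.Read(ref _misses);

    // Assumed hook: parses the XML config at the given path and renders the final header value.
    public static Func<string, string> RenderHeader { get; set; } =
        path => throw new InvalidOperationException("RenderHeader not configured");

    // Call once from Application_Start so the first real request is already a cache hit.
    public static void WarmUp(string absoluteConfigPath) => GetHeader(absoluteConfigPath);

    public static string GetHeader(string absoluteConfigPath)
    {
        // ExecutionAndPublication: if N requests miss at the same instant, the parse still runs once.
        var candidate = new Lazy<string>(() => RenderHeader(absoluteConfigPath),
                                         LazyThreadSafetyMode.ExecutionAndPublication);

        var policy = new CacheItemPolicy { Priority = CacheItemPriority.NotRemovable };
        // No absolute or sliding expiry: the entry lives until csp.config itself changes.
        // HostFileChangeMonitor requires an absolute path.
        policy.ChangeMonitors.Add(new HostFileChangeMonitor(new[] { absoluteConfigPath }));

        // AddOrGetExisting is atomic: it returns the entry already present, or null if ours was stored.
        var existing = Cache.AddOrGetExisting(CacheKey, candidate, policy) as Lazy<string>;
        if (existing != null) Interlocked.Increment(ref _hits);
        else Interlocked.Increment(ref _misses);

        var winner = existing ?? candidate;
        try
        {
            return winner.Value;
        }
        catch
        {
            // A Lazy<string> whose factory threw keeps rethrowing the same exception;
            // evict it so the next request retries the parse instead of failing forever.
            Cache.Remove(CacheKey);
            throw;
        }
    }
}
```

Because the cached value is the final header string, the request path does no XML work at all after warm-up; if per-request nonces are added later, cache the header as a template and append the nonce source at request time rather than caching per-request values.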

3. String Building Performance

Current Issue in HttpHelpers.cs:

var sourceList = new List<string>();
// ... loop creates multiple intermediate strings
return string.Join(" ", sourceList);

Optimization:

  • Use StringBuilder with capacity estimation
  • Pre-calculate approximate header size
  • Avoid multiple string concatenations in loops
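Sections 1 and 3 describe the same rendering step, so one added example covers both (this is not the package's code; CspHeaderBuilder and its members are assumed names). It renders the header with a pre-sized StringBuilder, measures the UTF-8 byte size against the 8KB/16KB figures quoted above, logs a warning, and consolidates the script-src-elem/script-src-attr (and style-src-elem/style-src-attr) directives into their parent only when the size limit is exceeded.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example (not the package's code).
public sealed class CspHeaderBuilder
{
    public const int RecommendedMaxBytes = 8 * 1024;   // per-header best practice cited in section 1
    public const int HardMaxBytes = 16 * 1024;         // Cloudflare drop threshold cited in section 1

    // directive -> ordered, de-duplicated source list; directive order is not significant to CSP.
    private readonly Dictionary<string, List<string>> _directives =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

    public Action<string> Warn { get; set; } = msg => Console.Error.WriteLine("CSP: " + msg);

    public CspHeaderBuilder Add(string directive, params string[] sources)
    {
        if (!_directives.TryGetValue(directive, out var list))
            _directives[directive] = list = new List<string>();
        foreach (var s in sources)
            if (!list.Contains(s, StringComparer.Ordinal)) list.Add(s);
        return this;
    }

    // Upper-bound estimate so the StringBuilder never has to grow inside the loop.
    private int EstimateLength() =>
        _directives.Sum(d => d.Key.Length + 2 + d.Value.Sum(s => s.Length + 1));

    public string Render()
    {
        var sb = new StringBuilder(EstimateLength());
        foreach (var d in _directives)
        {
            if (sb.Length > 0) sb.Append("; ");
            sb.Append(d.Key);
            foreach (var src in d.Value) sb.Append(' ').Append(src);
        }
        return sb.ToString();
    }

    // The proxy/CDN limit applies to bytes on the wire, so measure encoded length, not string.Length.
    public static int ByteSize(string header) => Encoding.UTF8.GetByteCount(header);

    // Merge the -elem/-attr children into their parent only when the header is too large.
    // The merged list is a superset of each child, so nothing that was allowed becomes blocked,
    // but -attr sources now also apply to elements and vice versa (a slight loosening).
    public CspHeaderBuilder ConsolidateIfLarge()
    {
        int size = ByteSize(Render());
        if (size <= RecommendedMaxBytes) return this;

        Warn($"header is {size} bytes (> {RecommendedMaxBytes}); consolidating -elem/-attr directives");
        Merge("script-src-elem", "script-src");
        Merge("script-src-attr", "script-src");
        Merge("style-src-elem", "style-src");
        Merge("style-src-attr", "style-src");

        size = ByteSize(Render());
        if (size > HardMaxBytes)
            Warn($"header is still {size} bytes (> {HardMaxBytes}); the response may be dropped by the CDN");
        return this;
    }

    private void Merge(string child, string parent)
    {
        if (!_directives.TryGetValue(child, out var sources)) return;
        Add(parent, sources.ToArray());
        _directives.Remove(child);
    }
}
```

One caveat on the "split into multiple headers" bullet: browsers enforce each Content-Security-Policy header as an independent policy, and a fetch directive that is absent from a policy falls back to that policy's default-src. Splitting directives across headers is therefore only safe when the header that carries default-src still lists every fetch directive that was moved out, or when default-src is not used at all and every fetch directive is listed explicitly; otherwise the split silently tightens the policy.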

🔒 Security Enhancements

4. Remove Internet Explorer Support (X-Content-Security-Policy)

Current:

response.AddHeader("Content-Security-Policy", policyHeader);
response.AddHeader("X-Content-Security-Policy", policyHeader); // IE support

Issue: IE is no longer supported (EOL 2022). This doubles header size unnecessarily.

Action: Remove X-Content-Security-Policy header, add migration note in docs.

5. Add Report-Only Mode Support

Missing Feature: No support for Content-Security-Policy-Report-Only header for testing.

Implementation:

  • Add <Policy reportOnly="true"> attribute
  • Essential for safely rolling out new policies
  • Best practice per latest CSP guidelines

6. Nonce/Hash Support

Current: Config only supports 'unsafe-inline' - major security weakness.

Add:

  • Runtime nonce generation support
  • Hash-based CSP for static inline scripts
  • Helper methods for ASP.NET views to inject nonces

// Proposed API
@Html.ScriptNonce() // generates and includes nonce
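An added example (not the package's code) of what the proposed API could look like in classic ASP.NET MVC: one CSPRNG-generated nonce per request stored in HttpContext.Items, the header source expression the module must append to script-src for that same request, an @Html.ScriptNonce() helper for views, and a SHA-256 hash source for static inline scripts. CspNonce, CspHtmlHelpers and the Items key are assumed names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example (not the package's code).
public static class CspNonce
{
    private const string ItemKey = "Csp.Nonce";   // assumed HttpContext.Items key

    // One nonce per request: 128 bits from the CSPRNG, base64 so it is a valid CSP nonce token.
    public static string GetOrCreate(HttpContextBase ctx)
    {
        if (ctx.Items[ItemKey] is string existing) return existing;
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var nonce = Convert.ToBase64String(bytes);
        ctx.Items[ItemKey] = nonce;
        return nonce;
    }

    // Source expression for the header, e.g. script-src 'self' 'nonce-<value>'.
    // Must be appended to the cached header template for every request that renders the nonce.
    public static string HeaderSource(HttpContextBase ctx) => "'nonce-" + GetOrCreate(ctx) + "'";

    // Hash source for a static inline script: SHA-256 over the UTF-8 bytes of the script text
    // exactly as it appears between the <script> tags (whitespace included), which is what browsers compute.
    public static string Sha256Source(string inlineScript)
    {
        using (var sha = SHA256.Create())
        {
            var digest = sha.ComputeHash(Encoding.UTF8.GetBytes(inlineScript));
            return "'sha256-" + Convert.ToBase64String(digest) + "'";
        }
    }
}

public static class CspHtmlHelpers
{
    // Usage in a view: <script @Html.ScriptNonce()>...</script>
    public static IHtmlString ScriptNonce(this HtmlHelper html)
    {
        var nonce = CspNonce.GetOrCreate(html.ViewContext.HttpContext);
        return new HtmlString("nonce=\"" + HttpUtility.HtmlAttributeEncode(nonce) + "\"");
    }
}
```

Two points a reviewer would check: the nonce must never be rendered into a response that is cached and served to other users (a shared nonce is no nonce), and once a nonce or hash source is present in script-src, CSP Level 2+ browsers ignore 'unsafe-inline' in that directive, so the config can drop it for modern clients without a separate policy.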

🛠️ Code Quality Improvements

7. Async/Await Pattern

Current: BeginRequest event handler is synchronous, blocks request thread.

Optimization:

  • Use async initialization for cache warming
  • Consider middleware pattern instead of HttpModule for modern ASP.NET

8. Duplicate Header Removal Logic

Issue in ContentSecurityPolicyModule.cs (lines 47-54, 61-68, 74-81): the same Remove/AddHeader pattern is repeated 3 times.

Refactor:

private void SetCspHeaders(HttpResponse response, string policyHeader)
{
    if (!string.IsNullOrEmpty(response.Headers["Content-Security-Policy"]))
    {
        response.Headers.Remove("Content-Security-Policy");
    }
    response.AddHeader("Content-Security-Policy", policyHeader);
}
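Since section 5 also needs a place to choose the header name, one added example (not the package's code) folds the report-only switch into this helper and shows how the proposed reportOnly="true" attribute would be read from the XML config. CspResponseHeaders and IsReportOnly are assumed names.

```csharp
using System;
using System.Web;
using System.Xml.Linq;

// Added example (not the package's code).
public static class CspResponseHeaders
{
    public const string Enforce = "Content-Security-Policy";
    public const string ReportOnly = "Content-Security-Policy-Report-Only";
    public const string LegacyIe = "X-Content-Security-Policy";   // removed per section 4

    public static void SetCspHeaders(HttpResponse response, string policyHeader, bool reportOnly)
    {
        var name = reportOnly ? ReportOnly : Enforce;

        // Remove every variant first. Leaving a stale enforcing header beside a new report-only
        // one would keep enforcing the old policy, and leaving the legacy IE header doubles the size.
        // NameValueCollection.Remove is a no-op when the key is absent, so no IsNullOrEmpty guard is needed.
        // (Writing response.Headers requires the IIS integrated pipeline; classic mode throws.)
        response.Headers.Remove(Enforce);
        response.Headers.Remove(ReportOnly);
        response.Headers.Remove(LegacyIe);

        response.AppendHeader(name, policyHeader);
    }

    // Reads <Policy reportOnly="true"> as proposed in section 5; absent or any other value means enforce.
    public static bool IsReportOnly(XElement policyElement) =>
        string.Equals((string)policyElement.Attribute("reportOnly"), "true", StringComparison.OrdinalIgnoreCase);
}
```

A report-only policy with no report-uri (or report-to) directive produces nothing observable, so the config validation should warn when reportOnly="true" is set without a reporting directive.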

9. Null Safety

Current: Multiple HttpContext.Current != null checks.

Better:

  • Use null-conditional operators
  • Early returns for cleaner flow
  • Consider dependency injection for testability

📊 Monitoring & Observability

10. Add CSP Violation Reporting

Missing: No built-in support for CSP violation reports.

Add:

  • report-uri directive support
  • Built-in endpoint to receive CSP violations
  • Structured logging of violations
  • Integration with Application Insights/Serilog
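An added example (not the package's code) of the receiving side: it parses the JSON body browsers POST to the report-uri endpoint (content type application/csp-report) into a flat record and maps it to a small, fixed set of properties for structured logging. The property names in the JSON are the standard CSP report fields; CspViolation, CspReportEndpoint and the sample body are assumed or constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Added example (not the package's code).
public sealed class CspViolation
{
    [JsonPropertyName("document-uri")]        public string DocumentUri { get; set; }
    [JsonPropertyName("violated-directive")]  public string ViolatedDirective { get; set; }
    [JsonPropertyName("effective-directive")] public string EffectiveDirective { get; set; }
    [JsonPropertyName("blocked-uri")]         public string BlockedUri { get; set; }
    [JsonPropertyName("original-policy")]     public string OriginalPolicy { get; set; }
    [JsonPropertyName("source-file")]         public string SourceFile { get; set; }
    [JsonPropertyName("line-number")]         public int? LineNumber { get; set; }
    [JsonPropertyName("script-sample")]       public string ScriptSample { get; set; }
}

sealed class CspReportEnvelope
{
    [JsonPropertyName("csp-report")] public CspViolation Report { get; set; }
}

public static class CspReportEndpoint
{
    public const int MaxBodyBytes = 8 * 1024;   // genuine reports are small; reject anything larger

    // Returns null for wrong content type, oversized or malformed bodies. The endpoint should
    // answer 204 in every case and never echo the body back; the content is attacker-controlled input.
    public static CspViolation Parse(string contentType, string body)
    {
        if (contentType == null ||
            !contentType.StartsWith("application/csp-report", StringComparison.OrdinalIgnoreCase))
            return null;
        if (body == null || body.Length > MaxBodyBytes) return null;
        try
        {
            return JsonSerializer.Deserialize<CspReportEnvelope>(body)?.Report;
        }
        catch (JsonException)
        {
            return null;
        }
    }

    // Fixed key set suitable for Serilog properties or Application Insights custom dimensions.
    // Keep blocked-uri and source-file as-is for triage; do not log script-sample at INFO level,
    // since it can carry fragments of user-facing page content.
    public static Dictionary<string, string> ToLogProperties(CspViolation v) => new Dictionary<string, string>
    {
        ["EffectiveDirective"] = v.EffectiveDirective ?? v.ViolatedDirective,
        ["BlockedUri"] = v.BlockedUri,
        ["DocumentUri"] = v.DocumentUri,
        ["SourceFile"] = v.SourceFile,
        ["LineNumber"] = v.LineNumber?.ToString(),
    };

    // Constructed sample in the shape Chromium and Firefox send; run to see the parsed properties.
    public static void Demo()
    {
        const string sample = "{\"csp-report\":{\"document-uri\":\"https://www.example.com/\"," +
            "\"violated-directive\":\"script-src\",\"effective-directive\":\"script-src\"," +
            "\"blocked-uri\":\"inline\",\"original-policy\":\"default-src 'self'; script-src 'self'\"," +
            "\"line-number\":12}}";
        var v = Parse("application/csp-report", sample);
        foreach (var kv in ToLogProperties(v)) Console.WriteLine($"{kv.Key}={kv.Value}");
    }
}
```

The endpoint is an unauthenticated write path, so it needs to be excluded from CSRF and authentication filters (browsers will not satisfy them) and rate-limited per client; a single misconfigured policy on a busy page can generate reports at the rate of page views.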

11. Performance Metrics

Add:

  • Header generation time tracking
  • Cache hit/miss rates
  • Policy evaluation count per request
  • Header size monitoring

🧪 Modern CSP3 Features

12. CSP Level 3 Directives

Missing modern directives:

  • script-src-elem / script-src-attr (already in spec but not well documented)
  • trusted-types (prevents DOM XSS)
  • require-trusted-types-for
  • upgrade-insecure-requests
  • block-all-mixed-content

🔄 Architecture Improvements

13. Migrate to ASP.NET Core Middleware

Current: Uses legacy HttpModule pattern.

Proposed: Create ASP.NET Core version with middleware:

app.UseContentSecurityPolicy(options => {
    options.ConfigPath = "~/config/csp.config";
    options.EnableReportOnly = false;
});
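An added example (not the package's code) of the middleware behind the snippet above, using the option names it shows. The policy string comes from a PolicyProvider delegate so a per-request nonce can be appended to a cached template; the header is set in Response.OnStarting, which is the last point at which headers can still be written. ContentSecurityPolicyOptions, the middleware class and PolicyProvider are assumed names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Added example (not the package's code).
public sealed class ContentSecurityPolicyOptions
{
    public string ConfigPath { get; set; } = "~/config/csp.config";
    public bool EnableReportOnly { get; set; }
    // Returns the header value for this request; null or empty means "send no CSP header".
    public Func<HttpContext, string> PolicyProvider { get; set; }
}

public sealed class ContentSecurityPolicyMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ContentSecurityPolicyOptions _options;

    public ContentSecurityPolicyMiddleware(RequestDelegate next, ContentSecurityPolicyOptions options)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _options = options ?? throw new ArgumentNullException(nameof(options));
    }

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting runs just before the first byte of the body is written. Setting headers after
        // _next returns is too late if a downstream component has already started streaming.
        context.Response.OnStarting(() =>
        {
            var name = _options.EnableReportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
            var value = _options.PolicyProvider?.Invoke(context);
            if (!string.IsNullOrEmpty(value))
                context.Response.Headers[name] = value;
            return Task.CompletedTask;
        });
        return _next(context);
    }
}

public static class ContentSecurityPolicyExtensions
{
    // app.UseContentSecurityPolicy(options => { ... }) as in the snippet above.
    public static IApplicationBuilder UseContentSecurityPolicy(
        this IApplicationBuilder app, Action<ContentSecurityPolicyOptions> configure)
    {
        var options = new ContentSecurityPolicyOptions();
        configure?.Invoke(options);
        return app.UseMiddleware<ContentSecurityPolicyMiddleware>(options);
    }
}
```

Register it before MVC/static-file middleware so every response passes through it; if the policy should only go on HTML responses, check Response.ContentType inside the OnStarting callback, where it is already known.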

14. Fluent Configuration API

In addition to XML, provide fluent API:

services.AddContentSecurityPolicy()
    .AddPolicy(policy => policy
        .ForLocation("/umbraco")
        .WithDefaultSrc(src => src.Self().Data())
        .WithScriptSrc(src => src.Self().UnsafeInline()));

📝 Documentation Enhancements

15. Missing Documentation

Add:

  • Header size limit warnings
  • Migration guide from v1
  • Common CSP patterns (React, Angular, Vue)
  • Troubleshooting guide
  • Performance benchmarks

Implementation Priority

High Priority (Security/Performance):

  1. Header size management (Use OWIN instead of HttpModule #1)
  2. Cache optimization (Add a flag to use report only header #2)
  3. Remove IE support (NuGet #4)
  4. Add report-only mode (Error when installing on Umbraco v8.18 #5)

Medium Priority (Features):

  5. Nonce support (#6)
  6. CSP violation reporting (#10)
  7. String building performance (#3)

Low Priority (Nice to Have):

  8. Fluent API (#14)
  9. Metrics (#11)
  10. Code refactoring (#8, #9)

Testing Recommendations

Add:

  • Unit tests for header generation
  • Integration tests for policy matching
  • Performance benchmarks
  • CSP violation simulation tests
  • Header size limit tests

Would you like me to create separate issues for specific optimization areas, or provide implementation examples for any of these improvements?
