secure-web-apps · damienbod · Mar 19, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.github/workflows/deploy-to-azure.yml b/.github/workflows/deploy-to-azure.yml
@@ -9,10 +9,6 @@ concurrency:
   group: deploy-to-azure
   cancel-in-progress: false
 
-permissions:
-  id-token: write
-  contents: read
-
 env:
   AZURE_WEBAPP_NAME: e2e-security-web-appsrv-dev # set this to the name of your Azure App Service
   AZURE_WEBAPP_PACKAGE_PATH: "."
@@ -24,6 +20,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
 

diff --git a/Bff.AppHost/AppHost.cs b/Bff.AppHost/AppHost.cs
@@ -4,7 +4,7 @@
 
 if (builder.Environment.IsDevelopment())
 {
-    var angularFrontend = builder.AddNpmApp("angular", "../ui", "start")
+    var angularFrontend = builder.AddJavaScriptApp("angular", "../ui", "start")
         .WithHttpsEndpoint(port: 3000, 4201, env: "BASE_URL");
 
     builder.AddProject<Projects.BffMicrosoftEntraID_Server>("bffmicrosoftentraid-server")

diff --git a/Bff.AppHost/Bff.AppHost.csproj b/Bff.AppHost/Bff.AppHost.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Aspire.AppHost.Sdk/13.0.0">
+<Project Sdk="Aspire.AppHost.Sdk/13.1.2">
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
@@ -9,7 +9,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-	<PackageReference Include="Aspire.Hosting.NodeJs" Version="9.5.2" />
+	<PackageReference Include="Aspire.Hosting.JavaScript" Version="13.1.2" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/README.md b/README.md
@@ -88,6 +88,7 @@ ng update @angular/cli @angular/core
 
 ## History
 
+- 2026-03-18 Updated .NET Aspire to 13.1.2, updated xunit to xunit.v3, moved permissions from workflow level to job level, updated npm packages
 - 2026-03-14 Updated Nuget packages
 - 2026-02-24 Updated Nuget packages, Angular 21
 - 2025-12-07 Updated to .NET 10 and Angular 21

diff --git a/server/Security/DefaultSecurityHeadersDefinitions.cs b/server/Security/DefaultSecurityHeadersDefinitions.cs
@@ -34,14 +34,20 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, strin
 
                 if (isDev)
                 {
-                    builder.AddStyleSrc().Self().UnsafeInline();
+                    builder.AddStyleSrc()
+                        .Self()
+                        .UnsafeInline();
                 }
                 else
                 {
-                    builder.AddStyleSrc().WithNonce().UnsafeInline();
+                    builder.AddStyleSrc()
+                        .WithNonce()
+                        .UnsafeInline();
                 }
 
-                builder.AddScriptSrc().WithNonce().UnsafeInline();
+                builder.AddScriptSrc()
+                    .WithNonce()
+                    .UnsafeInline(); // for browser backward compatibility
             })
             .RemoveServerHeader()
             .AddPermissionsPolicyWithDefaultSecureDirectives();

diff --git a/tests/BffMicrosoftEntraID.Server.IntegrationTests.csproj b/tests/BffMicrosoftEntraID.Server.IntegrationTests.csproj
@@ -8,13 +8,13 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="coverlet.collector" Version="8.0.0">
+    <PackageReference Include="coverlet.collector" Version="8.0.1">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.5" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
-    <PackageReference Include="xunit" Version="2.9.3" />
+	<PackageReference Include="xunit.v3" Version="3.2.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

diff --git a/tests/UserEndpointsTests.cs b/tests/UserEndpointsTests.cs
@@ -19,11 +19,11 @@ public async Task Get_AsUnauthenticatedUser_ReturnsAnonymousUserInfo()
         var client = _factory.CreateClient();
 
         // Act
-        var response = await client.GetAsync("/api/user");
+        var response = await client.GetAsync("/api/user", TestContext.Current.CancellationToken);
 
         // Assert
         response.EnsureSuccessStatusCode();
-        var userInfo = await response.Content.ReadFromJsonAsync<Models.UserInfo>();
+        var userInfo = await response.Content.ReadFromJsonAsync<Models.UserInfo>(cancellationToken: TestContext.Current.CancellationToken);
         Assert.NotNull(userInfo);
         Assert.False(userInfo!.IsAuthenticated);
     }