From 5ea2b7830f6cca092c0c9339cf3aba5f029c321f Mon Sep 17 00:00:00 2001
From: Christopher Morriss <Christopher.MORRISS@EDUCATION.GOV.UK>
Date: Mon, 22 Jun 2026 10:02:38 +0100
Subject: [PATCH 1/4] removed inline styles, added prod only CSP, reviewed CSP

---
 SAPSec.Web/AssetSrc/scss/main.scss            | 12 +++++
 SAPSec.Web/Helpers/CspHelper.cs               | 45 +++++++++++++++++--
 .../Middleware/SecurityHeadersMiddleware.cs   |  4 +-
 SAPSec.Web/Program.cs                         |  2 +-
 SAPSec.Web/Views/Shared/_Layout.cshtml        |  2 +-
 .../SchoolDetails.cshtml                      |  6 +--
 .../Similarity.cshtml                         |  6 +--
 7 files changed, 62 insertions(+), 15 deletions(-)

diff --git a/SAPSec.Web/AssetSrc/scss/main.scss b/SAPSec.Web/AssetSrc/scss/main.scss
index 093a3d04..5c4a7bc5 100644
--- a/SAPSec.Web/AssetSrc/scss/main.scss
+++ b/SAPSec.Web/AssetSrc/scss/main.scss
@@ -212,6 +212,18 @@
   }
 }
 
+.app-similar-schools-contact {
+    border: 1px solid #b1b4b6;
+}
+
+.app-similar-schools-contact-content {
+    background: #f3f2f1;
+}
+
+.app-similar-schools-tag {
+    white-space: nowrap;
+}
+
 .app-similar-schools-sort {
   display: flex;
   align-items: center;
diff --git a/SAPSec.Web/Helpers/CspHelper.cs b/SAPSec.Web/Helpers/CspHelper.cs
index 0fcc8a19..b6c1960a 100644
--- a/SAPSec.Web/Helpers/CspHelper.cs
+++ b/SAPSec.Web/Helpers/CspHelper.cs
@@ -14,18 +14,55 @@ public static string GenerateNonce()
         return Convert.ToBase64String(byteArray);
     }
 
-    public static string BuildPolicy(string nonce)
+    public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
     {
+        if (environment.IsProduction())
+        { 
         return string.Join(" ",
             "base-uri 'self';",
             "object-src 'none';",
             "default-src 'self';",
             "frame-ancestors 'none';",
-            "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk https://oidc.signin.education.gov.uk;",
-            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://www.compare-school-performance.service.gov.uk https://api.postcodes.io https://*.doubleclick.net https://*.clarity.ms https://c.bing.com https://*.applicationinsights.azure.com/ https://*.visualstudio.com/ wss://localhost:*;",
+            "form-action 'self' https://oidc.signin.education.gov.uk;",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms",
             "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
-            "style-src 'self' 'unsafe-inline';",
+            "style-src 'self';",
             "font-src 'self' data:;",
             $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
+        }
+        else
+        {
+            return string.Join(" ",
+            "base-uri 'self';",
+            "object-src 'none';",
+            "default-src 'self';",
+            "frame-ancestors 'none';",
+            "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk;",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://*.visualstudio.com/ https://localhost:*;",
+            "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
+            "style-src 'self';",
+            "font-src 'self' data:;",
+            $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
+         }
+
+        //Notes:
+        //https://c.bing.com is required by Clarity
+        //https://*.visualstudio.com/ used for live share in Visual Studio
+        //wss://localhost:* used by browsersync
     }
+
+    //public static string BuildPolicy(string nonce)
+    //{
+    //    return string.Join(" ",
+    //        "base-uri 'self';",
+    //        "object-src 'none';",
+    //        "default-src 'self';",
+    //        "frame-ancestors 'none';",
+    //        "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk https://oidc.signin.education.gov.uk;",
+    //        "connect-src 'self' *.google-analytics.com *.analytics.google.com https://www.compare-school-performance.service.gov.uk https://api.postcodes.io https://*.doubleclick.net https://*.clarity.ms https://c.bing.com https://*.applicationinsights.azure.com/ https://*.visualstudio.com/ wss://localhost:*;",
+    //        "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
+    //        "style-src 'self' 'unsafe-inline';",
+    //        "font-src 'self' data:;",
+    //        $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
+    //}
 }
diff --git a/SAPSec.Web/Middleware/SecurityHeadersMiddleware.cs b/SAPSec.Web/Middleware/SecurityHeadersMiddleware.cs
index 36a53999..3d3a92a0 100644
--- a/SAPSec.Web/Middleware/SecurityHeadersMiddleware.cs
+++ b/SAPSec.Web/Middleware/SecurityHeadersMiddleware.cs
@@ -4,7 +4,7 @@
 namespace SAPSec.Web.Middleware;
 
 [ExcludeFromCodeCoverage]
-public class SecurityHeadersMiddleware(RequestDelegate next)
+public class SecurityHeadersMiddleware(RequestDelegate next, IWebHostEnvironment environment)
 {
     public async Task InvokeAsync(HttpContext context)
     {
@@ -32,7 +32,7 @@ public async Task InvokeAsync(HttpContext context)
         context.Response.Headers.Append("X-Permitted-Cross-Domain-Policies", "none");
         context.Response.Headers.Append("X-XSS-Protection", "0");
         context.Response.Headers.Append("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
-        context.Response.Headers.Append("Content-Security-Policy", CspHelper.BuildPolicy(nonce));
+        context.Response.Headers.Append("Content-Security-Policy", CspHelper.BuildPolicy(nonce, environment));
 
         await next(context);
     }
diff --git a/SAPSec.Web/Program.cs b/SAPSec.Web/Program.cs
index 33138e6b..9b16ca79 100644
--- a/SAPSec.Web/Program.cs
+++ b/SAPSec.Web/Program.cs
@@ -201,7 +201,7 @@ public static void Main(string[] args)
             app.UseHsts();
         }
         app.UseForwardedHeaders();
-        app.UseMiddleware<SecurityHeadersMiddleware>();
+        app.UseMiddleware<SecurityHeadersMiddleware>(app.Environment);
         app.UseHttpsRedirection();
 
         var provider = new FileExtensionContentTypeProvider
diff --git a/SAPSec.Web/Views/Shared/_Layout.cshtml b/SAPSec.Web/Views/Shared/_Layout.cshtml
index 96a17277..f5fceff0 100644
--- a/SAPSec.Web/Views/Shared/_Layout.cshtml
+++ b/SAPSec.Web/Views/Shared/_Layout.cshtml
@@ -71,7 +71,7 @@ n&&j.setAttribute('nonce',n.nonce||n.getAttribute('nonce'));f.parentNode.insertB
     @if (loadAnalytics && !string.IsNullOrWhiteSpace(gtmId))
     {
     <!-- Google Tag Manager (noscript) -->
-    <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=@gtmId@Html.Raw(gtmAdditional)" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
+    <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=@gtmId@Html.Raw(gtmAdditional)" height="0" width="0" hidden"></iframe></noscript>
     <!-- End Google Tag Manager (noscript) -->
     }
     <script add-nonce="true">
diff --git a/SAPSec.Web/Views/SimilarSchoolsComparison/SchoolDetails.cshtml b/SAPSec.Web/Views/SimilarSchoolsComparison/SchoolDetails.cshtml
index cb498813..53aa66ae 100644
--- a/SAPSec.Web/Views/SimilarSchoolsComparison/SchoolDetails.cshtml
+++ b/SAPSec.Web/Views/SimilarSchoolsComparison/SchoolDetails.cshtml
@@ -55,7 +55,6 @@
     </summary>
 
     <div class="govuk-details__text govuk-!-padding-left-2 govuk-!-padding-right-0">
-        @* <div id="comparison-map" style="height:520px;"></div> *@
         <div id="map" data-map-mode="compare"
              data-fixed-zoom="14"
              role="region"
@@ -93,9 +92,8 @@
 
 @if (Model.SimilarSchoolDetails is not null)
 {
-    <div class="govuk-!-margin-top-6 govuk-!-margin-bottom-9" style="border: 1px solid #b1b4b6;">
-        <div class="govuk-!-padding-top-4 govuk-!-padding-right-6 govuk-!-padding-bottom-4 govuk-!-padding-left-6"
-             style="background: #f3f2f1;">
+    <div class="govuk-!-margin-top-6 govuk-!-margin-bottom-9 app-similar-schools-contact">
+        <div class="govuk-!-padding-top-4 govuk-!-padding-right-6 govuk-!-padding-bottom-4 govuk-!-padding-left-6 app-similar-schools-contact-content">
             <h2 class="govuk-heading-m govuk-!-margin-bottom-0">Contact this school</h2>
         </div>
 
diff --git a/SAPSec.Web/Views/SimilarSchoolsComparison/Similarity.cshtml b/SAPSec.Web/Views/SimilarSchoolsComparison/Similarity.cshtml
index 24694f24..6bdaed11 100644
--- a/SAPSec.Web/Views/SimilarSchoolsComparison/Similarity.cshtml
+++ b/SAPSec.Web/Views/SimilarSchoolsComparison/Similarity.cshtml
@@ -44,13 +44,13 @@
                     @switch (row.Similarity)
                     {
                         case SchoolSimilarity.Similar:
-                            <strong class="govuk-tag govuk-tag--green" style="white-space: nowrap;">Similar</strong>
+                            <strong class="govuk-tag govuk-tag--green app-similar-schools-tag">Similar</strong>
                             break;
                         case SchoolSimilarity.LessSimilar:
-                            <strong class="govuk-tag govuk-tag--yellow" style="white-space: nowrap;">Less similar</strong>
+                                <strong class="govuk-tag govuk-tag--yellow app-similar-schools-tag">Less similar</strong>
                             break;
                         default:
-                            <strong class="govuk-tag govuk-tag--red" style="white-space: nowrap;">Not similar</strong>
+                            <strong class="govuk-tag govuk-tag--red app-similar-schools-tag">Not similar</strong>
                             break;
                     }
                 </td>

From 4b27cfb3883aa701eb9cb9f75d3a641dbd66eac2 Mon Sep 17 00:00:00 2001
From: Christopher Morriss <Christopher.MORRISS@EDUCATION.GOV.UK>
Date: Mon, 22 Jun 2026 10:40:03 +0100
Subject: [PATCH 2/4] removed further unused CSP referemces

---
 SAPSec.Web/Helpers/CspHelper.cs | 27 ++++++---------------------
 1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/SAPSec.Web/Helpers/CspHelper.cs b/SAPSec.Web/Helpers/CspHelper.cs
index b6c1960a..9cdfdba9 100644
--- a/SAPSec.Web/Helpers/CspHelper.cs
+++ b/SAPSec.Web/Helpers/CspHelper.cs
@@ -25,10 +25,10 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
             "frame-ancestors 'none';",
             "form-action 'self' https://oidc.signin.education.gov.uk;",
             "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms",
-            "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
+            "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://*.clarity.ms https://c.bing.com https://*.tile.openstreetmap.org;",
             "style-src 'self';",
             "font-src 'self' data:;",
-            $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
+            $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com;");
         }
         else
         {
@@ -38,31 +38,16 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
             "default-src 'self';",
             "frame-ancestors 'none';",
             "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk;",
-            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://*.visualstudio.com/ https://localhost:*;",
-            "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://*.visualstudio.com/ ws://localhost:* http://localhost:*;",
+            "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://*.clarity.ms https://c.bing.com https://*.tile.openstreetmap.org;",
             "style-src 'self';",
             "font-src 'self' data:;",
-            $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
+            $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com;");
          }
 
         //Notes:
         //https://c.bing.com is required by Clarity
         //https://*.visualstudio.com/ used for live share in Visual Studio
-        //wss://localhost:* used by browsersync
+        //ws://localhost:* http://localhost:* used by https://browsersync.io/
     }
-
-    //public static string BuildPolicy(string nonce)
-    //{
-    //    return string.Join(" ",
-    //        "base-uri 'self';",
-    //        "object-src 'none';",
-    //        "default-src 'self';",
-    //        "frame-ancestors 'none';",
-    //        "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk https://oidc.signin.education.gov.uk;",
-    //        "connect-src 'self' *.google-analytics.com *.analytics.google.com https://www.compare-school-performance.service.gov.uk https://api.postcodes.io https://*.doubleclick.net https://*.clarity.ms https://c.bing.com https://*.applicationinsights.azure.com/ https://*.visualstudio.com/ wss://localhost:*;",
-    //        "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://atlas.microsoft.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/ https://*.tile.openstreetmap.org;",
-    //        "style-src 'self' 'unsafe-inline';",
-    //        "font-src 'self' data:;",
-    //        $"script-src 'self' 'nonce-{nonce}' https://www.googletagmanager.com *.google-analytics.com https://*.clarity.ms https://c.bing.com https://js.monitor.azure.com/;");
-    //}
 }

From 95ddcc299b4b5523f29c254047ef9a2ccc184709 Mon Sep 17 00:00:00 2001
From: Christopher Morriss <Christopher.MORRISS@EDUCATION.GOV.UK>
Date: Mon, 22 Jun 2026 16:03:23 +0100
Subject: [PATCH 3/4] add bing back in

---
 SAPSec.Web/Helpers/CspHelper.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/SAPSec.Web/Helpers/CspHelper.cs b/SAPSec.Web/Helpers/CspHelper.cs
index 9cdfdba9..6b0bcfed 100644
--- a/SAPSec.Web/Helpers/CspHelper.cs
+++ b/SAPSec.Web/Helpers/CspHelper.cs
@@ -24,7 +24,7 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
             "default-src 'self';",
             "frame-ancestors 'none';",
             "form-action 'self' https://oidc.signin.education.gov.uk;",
-            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://c.bing.com;",
             "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://*.clarity.ms https://c.bing.com https://*.tile.openstreetmap.org;",
             "style-src 'self';",
             "font-src 'self' data:;",
@@ -38,7 +38,7 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
             "default-src 'self';",
             "frame-ancestors 'none';",
             "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk;",
-            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://*.visualstudio.com/ ws://localhost:* http://localhost:*;",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://c.bing.com https://*.visualstudio.com/ ws://localhost:* http://localhost:*;",
             "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://*.clarity.ms https://c.bing.com https://*.tile.openstreetmap.org;",
             "style-src 'self';",
             "font-src 'self' data:;",

From c0fd5e4c40b9d327b2608aa6ef124a5daf156f94 Mon Sep 17 00:00:00 2001
From: Christopher Morriss <Christopher.MORRISS@EDUCATION.GOV.UK>
Date: Tue, 23 Jun 2026 10:43:21 +0100
Subject: [PATCH 4/4] added wss://localhost:* for VS hot reload

---
 SAPSec.Web/Helpers/CspHelper.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/SAPSec.Web/Helpers/CspHelper.cs b/SAPSec.Web/Helpers/CspHelper.cs
index 6b0bcfed..58dfde4f 100644
--- a/SAPSec.Web/Helpers/CspHelper.cs
+++ b/SAPSec.Web/Helpers/CspHelper.cs
@@ -38,7 +38,7 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
             "default-src 'self';",
             "frame-ancestors 'none';",
             "form-action 'self' https://test-oidc.signin.education.gov.uk https://pp-oidc.signin.education.gov.uk;",
-            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://c.bing.com https://*.visualstudio.com/ ws://localhost:* http://localhost:*;",
+            "connect-src 'self' *.google-analytics.com *.analytics.google.com https://*.clarity.ms https://c.bing.com https://*.visualstudio.com/ ws://localhost:* wss://localhost:* http://localhost:*;",
             "img-src 'self' data: https://www.googletagmanager.com/ https://*.google-analytics.com https://*.clarity.ms https://c.bing.com https://*.tile.openstreetmap.org;",
             "style-src 'self';",
             "font-src 'self' data:;",
@@ -49,5 +49,6 @@ public static string BuildPolicy(string nonce, IWebHostEnvironment environment)
         //https://c.bing.com is required by Clarity
         //https://*.visualstudio.com/ used for live share in Visual Studio
         //ws://localhost:* http://localhost:* used by https://browsersync.io/
+        //wss://localhost:* used by hot reload in Visual Studio
     }
 }