use named headers

hosts/AspNetIdentity/Pages/Extensions.cs

@@ -35,7 +35,7 @@ internal static bool IsNativeClient(this AuthorizationRequest context)
     internal static IActionResult LoadingPage(this PageModel page, string? redirectUri)
     {
         page.HttpContext.Response.StatusCode = 200;
-        page.HttpContext.Response.Headers["Location"] = "";
+        page.HttpContext.Response.Headers.Location = "";
 
         return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri });
     }

hosts/Configuration/Extensions/SameSiteHandlingExtensions.cs

@@ -24,7 +24,7 @@ private static void CheckSameSite(HttpContext httpContext, CookieOptions options
     {
         if (options.SameSite == SameSiteMode.None)
         {
-            var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
+            var userAgent = httpContext.Request.Headers.UserAgent.ToString();
             if (!httpContext.Request.IsHttps || DisallowsSameSiteNone(userAgent))
             {
                 // For .NET Core < 3.1 set SameSite = (SameSiteMode)(-1)

hosts/Configuration/Pages/Extensions.cs

@@ -35,7 +35,7 @@ internal static bool IsNativeClient(this AuthorizationRequest context)
     internal static IActionResult LoadingPage(this PageModel page, string? redirectUri)
     {
         page.HttpContext.Response.StatusCode = 200;
-        page.HttpContext.Response.Headers["Location"] = "";
+        page.HttpContext.Response.Headers.Location = "";
 
         return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri });
     }

hosts/EntityFramework/Pages/Extensions.cs

@@ -35,7 +35,7 @@ internal static bool IsNativeClient(this AuthorizationRequest context)
     internal static IActionResult LoadingPage(this PageModel page, string? redirectUri)
     {
         page.HttpContext.Response.StatusCode = 200;
-        page.HttpContext.Response.Headers["Location"] = "";
+        page.HttpContext.Response.Headers.Location = "";
 
         return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri });
     }

hosts/main/Extensions/SameSiteHandlingExtensions.cs

@@ -24,7 +24,7 @@ private static void CheckSameSite(HttpContext httpContext, CookieOptions options
     {
         if (options.SameSite == SameSiteMode.None)
         {
-            var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
+            var userAgent = httpContext.Request.Headers.UserAgent.ToString();
             if (!httpContext.Request.IsHttps || DisallowsSameSiteNone(userAgent))
             {
                 // For .NET Core < 3.1 set SameSite = (SameSiteMode)(-1)

hosts/main/Pages/Extensions.cs

@@ -35,7 +35,7 @@ internal static bool IsNativeClient(this AuthorizationRequest context)
     internal static IActionResult LoadingPage(this PageModel page, string? redirectUri)
     {
         page.HttpContext.Response.StatusCode = 200;
-        page.HttpContext.Response.Headers["Location"] = "";
+        page.HttpContext.Response.Headers.Location = "";
 
         return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri });
     }

src/IdentityServer/Extensions/HttpRequestExtensions.cs

@@ -15,7 +15,7 @@ public static class HttpRequestExtensions
 {
     public static string GetCorsOrigin(this HttpRequest request)
     {
-        var origin = request.Headers["Origin"].FirstOrDefault();
+        var origin = request.Headers.Origin.FirstOrDefault();
         var thisOrigin = request.Scheme + "://" + request.Host;
 
         // see if the Origin is different than this server's origin. if so

src/IdentityServer/Extensions/HttpResponseExtensions.cs

@@ -51,9 +51,9 @@ public static void SetCache(this HttpResponse response, int maxAge, params strin
                 var vary = varyBy.Aggregate((x, y) => x + "," + y);
                 if (response.Headers.ContainsKey("Vary"))
                 {
-                    vary = response.Headers["Vary"].ToString() + "," + vary;
+                    vary = response.Headers.Vary.ToString() + "," + vary;
                 }
-                response.Headers["Vary"] = vary;
+                response.Headers.Vary = vary;
             }
         }
     }
@@ -66,7 +66,7 @@ public static void SetNoCache(this HttpResponse response)
         }
         else
         {
-            response.Headers["Cache-Control"] = "no-store, no-cache, max-age=0";
+            response.Headers.CacheControl = "no-store, no-cache, max-age=0";
         }
 
         if (!response.Headers.ContainsKey("Pragma"))

src/IdentityServer/Hosting/LocalApiAuthentication/LocalApiAuthenticationHandler.cs

@@ -65,7 +65,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
         string token = null;
 
-        string authorization = Request.Headers["Authorization"];
+        string authorization = Request.Headers.Authorization;
 
         if (string.IsNullOrEmpty(authorization))
         {

src/IdentityServer/Validation/Default/BasicAuthenticationSecretParser.cs

@@ -53,7 +53,7 @@ public Task<ParsedSecret> ParseAsync(HttpContext context)
         _logger.LogDebug("Start parsing Basic Authentication secret");
 
         var notfound = Task.FromResult<ParsedSecret>(null);
-        var authorizationHeader = context.Request.Headers["Authorization"].FirstOrDefault();
+        var authorizationHeader = context.Request.Headers.Authorization.FirstOrDefault();
 
         if (authorizationHeader.IsMissing())
         {

src/IdentityServer/Validation/Default/BearerTokenUsageValidator.cs

@@ -62,7 +62,7 @@ public async Task<BearerTokenUsageValidationResult> ValidateAsync(HttpContext co
     /// <returns></returns>
     public BearerTokenUsageValidationResult ValidateAuthorizationHeader(HttpContext context)
     {
-        var authorizationHeader = context.Request.Headers["Authorization"].FirstOrDefault();
+        var authorizationHeader = context.Request.Headers.Authorization.FirstOrDefault();
         if (authorizationHeader.IsPresent())
         {
             var header = authorizationHeader.Trim();

test/IdentityServer.UnitTests/Endpoints/EndSession/EndSessionCallbackResultTests.cs

@@ -41,7 +41,7 @@ public async Task default_options_should_emit_frame_src_csp_headers()
 
         await _subject.WriteHttpResponse(new EndSessionCallbackResult(_validationResult), ctx);
 
-        ctx.Response.Headers["Content-Security-Policy"].First().Should().Contain("frame-src http://foo");
+        ctx.Response.Headers.ContentSecurityPolicy.First().Should().Contain("frame-src http://foo");
     }
 
     [Fact]
@@ -55,6 +55,6 @@ public async Task relax_csp_options_should_prevent_frame_src_csp_headers()
 
         await _subject.WriteHttpResponse(new EndSessionCallbackResult(_validationResult), ctx);
 
-        ctx.Response.Headers["Content-Security-Policy"].FirstOrDefault().Should().BeNull();
+        ctx.Response.Headers.ContentSecurityPolicy.FirstOrDefault().Should().BeNull();
     }
 }

test/IdentityServer.UnitTests/Endpoints/Results/AuthorizeResultTests.cs

@@ -59,7 +59,7 @@ public async Task error_should_redirect_to_error_page_and_passs_info()
 
         _mockErrorMessageStore.Messages.Count.Should().Be(1);
         _context.Response.StatusCode.Should().Be(302);
-        var location = _context.Response.Headers["Location"].First();
+        var location = _context.Response.Headers.Location.First();
         location.Should().StartWith("https://server/error");
         var query = QueryHelpers.ParseQuery(new Uri(location).Query);
         query["errorId"].First().Should().Be(_mockErrorMessageStore.Messages.First().Key);
@@ -84,7 +84,7 @@ public async Task prompt_none_errors_should_return_to_client(string error)
 
         _mockUserSession.Clients.Count.Should().Be(0);
         _context.Response.StatusCode.Should().Be(302);
-        var location = _context.Response.Headers["Location"].First();
+        var location = _context.Response.Headers.Location.First();
         location.Should().StartWith("http://client/callback");
     }
 
@@ -108,7 +108,7 @@ public async Task prompt_none_errors_for_anonymous_users_should_include_session_
 
         _mockUserSession.Clients.Count.Should().Be(0);
         _context.Response.StatusCode.Should().Be(302);
-        var location = _context.Response.Headers["Location"].First();
+        var location = _context.Response.Headers.Location.First();
         location.Should().Contain("session_state=some_session_state");
     }
 
@@ -129,7 +129,7 @@ public async Task access_denied_should_return_to_client()
 
         _mockUserSession.Clients.Count.Should().Be(0);
         _context.Response.StatusCode.Should().Be(302);
-        var location = _context.Response.Headers["Location"].First();
+        var location = _context.Response.Headers.Location.First();
         location.Should().StartWith("http://client/callback");
 
         var queryString = new Uri(location).Query;
@@ -168,10 +168,10 @@ public async Task query_mode_should_pass_results_in_query()
         await _subject.WriteHttpResponse(new AuthorizeResult(_response), _context);
 
         _context.Response.StatusCode.Should().Be(302);
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-store");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-cache");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("max-age=0");
-        var location = _context.Response.Headers["Location"].First();
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-store");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-cache");
+        _context.Response.Headers.CacheControl.First().Should().Contain("max-age=0");
+        var location = _context.Response.Headers.Location.First();
         location.Should().StartWith("http://client/callback");
         location.Should().Contain("?state=state");
     }
@@ -190,10 +190,10 @@ public async Task fragment_mode_should_pass_results_in_fragment()
         await _subject.WriteHttpResponse(new AuthorizeResult(_response), _context);
 
         _context.Response.StatusCode.Should().Be(302);
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-store");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-cache");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("max-age=0");
-        var location = _context.Response.Headers["Location"].First();
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-store");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-cache");
+        _context.Response.Headers.CacheControl.First().Should().Contain("max-age=0");
+        var location = _context.Response.Headers.Location.First();
         location.Should().StartWith("http://client/callback");
         location.Should().Contain("#state=state");
     }
@@ -213,11 +213,11 @@ public async Task form_post_mode_should_pass_results_in_body()
 
         _context.Response.StatusCode.Should().Be(200);
         _context.Response.ContentType.Should().StartWith("text/html");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-store");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-cache");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("max-age=0");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("default-src 'none';");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-store");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-cache");
+        _context.Response.Headers.CacheControl.First().Should().Contain("max-age=0");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("default-src 'none';");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("default-src 'none';");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
         _context.Response.Body.Seek(0, SeekOrigin.Begin);
@@ -245,7 +245,7 @@ public async Task form_post_mode_should_add_unsafe_inline_for_csp_level_1()
 
         await _subject.WriteHttpResponse(new AuthorizeResult(_response), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
     }
 
@@ -264,7 +264,7 @@ public async Task form_post_mode_should_not_add_deprecated_header_when_it_is_dis
 
         await _subject.WriteHttpResponse(new AuthorizeResult(_response), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.AuthorizeScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].Should().BeEmpty();
     }
 }

test/IdentityServer.UnitTests/Endpoints/Results/CheckSessionResultTests.cs

@@ -41,8 +41,8 @@ public async Task should_pass_results_in_body()
 
         _context.Response.StatusCode.Should().Be(200);
         _context.Response.ContentType.Should().StartWith("text/html");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("default-src 'none';");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("default-src 'none';");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("default-src 'none';");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
         _context.Response.Body.Seek(0, SeekOrigin.Begin);
@@ -60,7 +60,7 @@ public async Task form_post_mode_should_add_unsafe_inline_for_csp_level_1()
 
         await _subject.WriteHttpResponse(new CheckSessionResult(), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain($"script-src 'unsafe-inline' '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
     }
 
@@ -71,7 +71,7 @@ public async Task form_post_mode_should_not_add_deprecated_header_when_it_is_dis
 
         await _subject.WriteHttpResponse(new CheckSessionResult(), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain($"script-src '{IdentityServerConstants.ContentSecurityPolicyHashes.CheckSessionScript}'");
         _context.Response.Headers["X-Content-Security-Policy"].Should().BeEmpty();
     }
 

test/IdentityServer.UnitTests/Endpoints/Results/EndSessionCallbackResultTests.cs

@@ -53,12 +53,12 @@ public async Task success_should_render_html_and_iframes()
         await _subject.WriteHttpResponse(new EndSessionCallbackResult(_result), _context);
 
         _context.Response.ContentType.Should().StartWith("text/html");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-store");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("no-cache");
-        _context.Response.Headers["Cache-Control"].First().Should().Contain("max-age=0");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("default-src 'none';");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("style-src 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4=';");
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("frame-src http://foo.com http://bar.com");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-store");
+        _context.Response.Headers.CacheControl.First().Should().Contain("no-cache");
+        _context.Response.Headers.CacheControl.First().Should().Contain("max-age=0");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("default-src 'none';");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("style-src 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4=';");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("frame-src http://foo.com http://bar.com");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("default-src 'none';");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("style-src 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4=';");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("frame-src http://foo.com http://bar.com");
@@ -80,7 +80,7 @@ public async Task fsuccess_should_add_unsafe_inline_for_csp_level_1()
 
         await _subject.WriteHttpResponse(new EndSessionCallbackResult(_result), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("style-src 'unsafe-inline' 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4='");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("style-src 'unsafe-inline' 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4='");
         _context.Response.Headers["X-Content-Security-Policy"].First().Should().Contain("style-src 'unsafe-inline' 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4='");
     }
 
@@ -93,7 +93,7 @@ public async Task form_post_mode_should_not_add_deprecated_header_when_it_is_dis
 
         await _subject.WriteHttpResponse(new EndSessionCallbackResult(_result), _context);
 
-        _context.Response.Headers["Content-Security-Policy"].First().Should().Contain("style-src 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4='");
+        _context.Response.Headers.ContentSecurityPolicy.First().Should().Contain("style-src 'sha256-e6FQZewefmod2S/5T11pTXjzE2vn3/8GRwWOs917YE4='");
         _context.Response.Headers["X-Content-Security-Policy"].Should().BeEmpty();
     }
 }