
orchardcore-security

Skill for configuring security and authorization in Orchard Core. Covers permission definitions, authorization services, CORS, security headers, content security policies, and OpenID Connect. Use this skill when requests mention Orchard Core Security, Configure Security and Authorization, Enabling Security Features, Security Headers Configuration, CORS Configuration via Recipe, OpenID Connect Server Setup, or closely related Orchard Core implementation, setup, extension, or troubleshooting work. Strong matches include work with OrchardCore.Security, OrchardCore.Cors, OrchardCore.ReverseProxy, OrchardCore.OpenId, OrchardCore.OpenId.Server, OrchardCore.OpenId.Validation, OrchardCore.Security.Permissions, OrchardCore.ContentManagement, OrchardCore.Contents.Security. It also helps with security examples, CORS Configuration via Recipe, OpenID Connect Server Setup, OpenID Server Settings, plus the code patterns, admin flows, recipe steps, and referenced examples captured in this skill.

Stars
13
Source
CrestApps/CrestApps.AgentSkills
Updated
2026-05-29
Slug
CrestApps--CrestApps.AgentSkills--orchardcore-security

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/CrestApps/CrestApps.AgentSkills/HEAD/plugins/orchardcore/skills/orchardcore-security/SKILL.md -o .claude/skills/orchardcore-security.md

Drops the SKILL.md into .claude/skills/orchardcore-security.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Orchard Core Security - Prompt Templates

Configure Security and Authorization

You are an Orchard Core expert. Generate security and authorization configurations for Orchard Core.

Guidelines

  • Orchard Core provides a granular permission system for access control.
  • Use IAuthorizationService for permission checks in code.
  • Content-level permissions can restrict access per content type.
  • Enable HTTPS redirection and security headers in production.
  • OpenID Connect support is built-in for OAuth/OIDC authentication.
  • CORS policies can be configured for API access.
  • Rate limiting and anti-forgery protection are available.

Enabling Security Features

{
  "steps": [
    {
      "name": "Feature",
      "enable": [
        "OrchardCore.Security",
        "OrchardCore.Cors",
        "OrchardCore.ReverseProxy"
      ],
      "disable": []
    }
  ]
}

Security Headers Configuration

Configure security headers through settings:

{
  "steps": [
    {
      "name": "Settings",
      "SecurityHeadersSettings": {
        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
        "PermissionsPolicy": "camera=(), microphone=(), geolocation=()",
        "ReferrerPolicy": "strict-origin-when-cross-origin",
        "ContentTypeOptions": "nosniff",
        "XFrameOptions": "SAMEORIGIN"
      }
    }
  ]
}

CORS Configuration via Recipe

{
  "steps": [
    {
      "name": "CorsSettings",
      "Policies": [
        {
          "Name": "Default",
          "AllowedOrigins": ["https://example.com"],
          "AllowedMethods": ["GET", "POST"],
          "AllowedHeaders": ["Content-Type", "Authorization"],
          "AllowCredentials": true
        }
      ],
      "DefaultPolicyName": "Default"
    }
  ]
}

OpenID Connect Server Setup

Enable Orchard Core as an OAuth/OIDC provider:

{
  "steps": [
    {
      "name": "Feature",
      "enable": [
        "OrchardCore.OpenId",
        "OrchardCore.OpenId.Server",
        "OrchardCore.OpenId.Validation"
      ],
      "disable": []
    }
  ]
}

OpenID Server Settings

{
  "steps": [
    {
      "name": "Settings",
      "OpenIdServerSettings": {
        "Authority": "https://{{YourDomain}}",
        "TokenEndpointPath": "/connect/token",
        "AuthorizationEndpointPath": "/connect/authorize",
        "LogoutEndpointPath": "/connect/logout",
        "UserinfoEndpointPath": "/connect/userinfo",
        "AllowAuthorizationCodeFlow": true,
        "AllowClientCredentialsFlow": true,
        "AllowRefreshTokenFlow": true
      }
    }
  ]
}

OpenID Application Registration

{
  "steps": [
    {
      "name": "OpenIdApplication",
      "OpenIdApplications": [
        {
          "ClientId": "{{ClientId}}",
          "DisplayName": "{{ApplicationName}}",
          "Type": "confidential",
          "AllowAuthorizationCodeFlow": true,
          "AllowRefreshTokenFlow": true,
          "RedirectUris": "https://{{ClientDomain}}/callback",
          "PostLogoutRedirectUris": "https://{{ClientDomain}}/signout-callback"
        }
      ]
    }
  ]
}

Content-Level Permissions

using System.Collections.Generic;
using System.Threading.Tasks;
using OrchardCore.Contents;             // CommonPermissions
using OrchardCore.Security.Permissions;

public sealed class ContentPermissions : IPermissionProvider
{
    // The third argument lists the permissions that imply this one: a role that
    // holds ViewContent automatically satisfies ViewOwnContent.
    public static readonly Permission ViewOwnContent =
        new("ViewOwnContent", "View own content items", new[] { CommonPermissions.ViewContent });

    public static readonly Permission EditOwnContent =
        new("EditOwnContent", "Edit own content items", new[] { CommonPermissions.EditContent });

    // Makes the permissions visible to the admin role editor.
    public Task<IEnumerable<Permission>> GetPermissionsAsync()
    {
        return Task.FromResult<IEnumerable<Permission>>(new[]
        {
            ViewOwnContent,
            EditOwnContent
        });
    }

    // Default grants applied when roles are created; "Authenticated" is a built-in Orchard Core role.
    public IEnumerable<PermissionStereotype> GetDefaultStereotypes()
    {
        return new[]
        {
            new PermissionStereotype
            {
                Name = "Authenticated",
                Permissions = new[] { ViewOwnContent, EditOwnContent }
            }
        };
    }
}

Content Authorization Handler

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using OrchardCore.ContentManagement;
using OrchardCore.Contents.Security;
using OrchardCore.Security;             // PermissionRequirement

public sealed class MyContentAuthorizationHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        PermissionRequirement requirement)
    {
        // Only the "own content" permissions are granted by ownership; every other
        // requirement is left to Orchard Core's role-based permission handler.
        if (requirement.Permission.Name != ContentPermissions.ViewOwnContent.Name &&
            requirement.Permission.Name != ContentPermissions.EditOwnContent.Name)
        {
            return Task.CompletedTask;
        }

        if (context.Resource is ContentItem contentItem)
        {
            // Custom authorization logic: succeed only when the caller owns the item.
            // Note: ContentItem.Owner stores the owner's user id in current Orchard Core
            // versions; if Identity.Name is not the id, compare against the matching claim.
            var userName = context.User?.Identity?.Name;
            if (userName != null && contentItem.Owner == userName)
            {
                context.Succeed(requirement);
            }
        }

        return Task.CompletedTask;
    }
}
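The guideline above says to use IAuthorizationService for permission checks, and the provider and handler above only take effect once they are registered. The following is an added example (not code from the skill or from Orchard Core itself) that does both: a module Startup registers the provider and handler, and a controller passes the content item as the authorization resource so the handler can compare its Owner with the caller. The names OwnContentController and Publish are assumptions; ContentPermissions and MyContentAuthorizationHandler are the classes defined on this page.

```csharp
// Added example, not part of the original skill. Assumed names: OwnContentController, Publish().
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using OrchardCore.ContentManagement;
using OrchardCore.Modules;
using OrchardCore.Security.Permissions;

public sealed class Startup : StartupBase
{
    public override void ConfigureServices(IServiceCollection services)
    {
        // The provider makes the permissions appear in the admin role editor; the handler
        // is consulted by IAuthorizationService for every PermissionRequirement.
        services.AddScoped<IPermissionProvider, ContentPermissions>();
        services.AddScoped<IAuthorizationHandler, MyContentAuthorizationHandler>();
    }
}

public sealed class OwnContentController : Controller
{
    private readonly IAuthorizationService _authorizationService;
    private readonly IContentManager _contentManager;

    public OwnContentController(IAuthorizationService authorizationService, IContentManager contentManager)
    {
        _authorizationService = authorizationService;
        _contentManager = contentManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Publish(string contentItemId)
    {
        var contentItem = await _contentManager.GetAsync(contentItemId, VersionOptions.Latest);
        if (contentItem == null)
        {
            return NotFound();
        }

        // Orchard Core's AuthorizeAsync(user, permission, resource) extension evaluates the
        // permission through the role-based handler and any custom handlers registered above.
        // The content item is passed as the resource so ownership can be checked.
        if (!await _authorizationService.AuthorizeAsync(User, ContentPermissions.EditOwnContent, contentItem))
        {
            // Anonymous callers are sent to log in; authenticated callers without the permission get 403.
            return User.Identity?.IsAuthenticated == true ? Forbid() : Challenge();
        }

        await _contentManager.PublishAsync(contentItem);
        return Ok();
    }
}
```

Checking the permission with the content item as resource is what lets the ownership handler run; a check without a resource would only ever be satisfied through role grants or the `ImpliedBy` chain (here, a role holding `EditContent`).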

Reverse Proxy Configuration

When behind a reverse proxy (nginx, Azure, etc.):

{
  "OrchardCore": {
    "OrchardCore_ReverseProxy": {
      "ForwardedHeaders": "XForwardedFor,XForwardedHost,XForwardedProto"
    }
  }
}

Anti-Forgery Configuration

Anti-forgery tokens are automatically included in Orchard Core forms. For API endpoints:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public sealed class ApiController : Controller
{
    [HttpPost]
    [IgnoreAntiforgeryToken]  // Only for API endpoints with token auth: no cookie session means no CSRF surface
    public async Task<IActionResult> ApiEndpoint()
    {
        // API logic
        return Ok();
    }
}
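Opting out of anti-forgery validation is only safe when the endpoint cannot be satisfied by the browser's session cookie. The following is an added example (not from the skill or from Orchard Core) that puts the two cases side by side in one controller: a cookie-authenticated form action that keeps the token check, and a bearer-authenticated API action that drops it. The "Api" authentication scheme is the name Orchard Core's own API controllers use for token authentication provided by OrchardCore.OpenId.Validation; ProfileApiController, UpdateForm, UpdateApi and ProfileDto are assumed names.

```csharp
// Added example, not part of the original skill.
// Assumed names: ProfileApiController, UpdateForm(), UpdateApi(), ProfileDto.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public sealed class ProfileDto
{
    public string DisplayName { get; set; }
}

public sealed class ProfileApiController : Controller
{
    // Browser form: the session rides on a cookie that the browser attaches to any request,
    // so the anti-forgery token must be validated or another site could submit this form.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public Task<IActionResult> UpdateForm(ProfileDto model) => SaveAsync(model);

    // API: accept only the "Api" bearer scheme (assumed to be registered by
    // OrchardCore.OpenId.Validation). A browser never attaches a bearer token on its own,
    // so the request cannot be forged cross-site, which is what makes IgnoreAntiforgeryToken safe.
    [HttpPost]
    [Authorize(AuthenticationSchemes = "Api")]
    [IgnoreAntiforgeryToken]
    public Task<IActionResult> UpdateApi([FromBody] ProfileDto model) => SaveAsync(model);

    private async Task<IActionResult> SaveAsync(ProfileDto model)
    {
        if (string.IsNullOrWhiteSpace(model?.DisplayName))
        {
            return BadRequest();
        }

        // Persisting the profile for the current User is omitted in this example.
        await Task.CompletedTask;
        return Ok();
    }
}
```

The important detail is `AuthenticationSchemes = "Api"` on the API action: if the attribute were a plain `[Authorize]`, the cookie scheme would also satisfy it, and the endpoint would once again be reachable from a forged cross-site request with the anti-forgery check removed.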