diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
index 27d3932..03e32f8 100644
--- a/.github/workflows/dotnet.yml
+++ b/.github/workflows/dotnet.yml
@@ -12,12 +12,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 8.0.*
+        dotnet-version: 9.0.*
 
     - name: Build Blazor template
       run: dotnet build ./BlazorBffOpenIdConnect/
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a9d57e0..f83b470 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,9 +13,9 @@ jobs:
         fetch-depth: 0
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 8.0.*
+        dotnet-version: 9.0.*
 
     - name: Build Blazor template
       run: dotnet build ./BlazorBffOpenIdConnect/
diff --git a/BlazorBffOpenIDConnect.Template.csproj b/BlazorBffOpenIDConnect.Template.csproj
index 6ce190d..1d43d0a 100644
--- a/BlazorBffOpenIDConnect.Template.csproj
+++ b/BlazorBffOpenIDConnect.Template.csproj
@@ -7,7 +7,7 @@
         <Authors>damienbod</Authors>
         <Description>This template provides a simple Blazor template with BFF server authentication WASM hosted.</Description>
         <PackageTags>dotnet-new;templates;Blazor;BFF;WASM;ASP.NET Core;AspNetCore;OpenIDConnect;OAuth2</PackageTags>
-        <TargetFramework>net8.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
 		<Summary>This template provides a simple Blazor template with BFF server authentication WASM hosted</Summary>
         <IncludeContentInPack>true</IncludeContentInPack>
         <IncludeBuildOutput>false</IncludeBuildOutput>
@@ -16,10 +16,10 @@
         <NoDefaultExcludes>true</NoDefaultExcludes>
         <PackageIcon>icon.png</PackageIcon>
         <PackageProjectUrl>https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template</PackageProjectUrl>
-        <Copyright>2023 damienbod</Copyright>
+        <Copyright>2024 damienbod</Copyright>
         <PackageReadmeFile>README-NUGET.md</PackageReadmeFile>
         <RepositoryUrl>https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template</RepositoryUrl>
-        <PackageReleaseNotes>New template, support for HTTP port parameter</PackageReleaseNotes>
+        <PackageReleaseNotes>Support .NET 9</PackageReleaseNotes>
         <PackageLicenseFile>LICENSE</PackageLicenseFile>
     </PropertyGroup>
 
diff --git a/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj b/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj
index 986cb2e..33351a5 100644
--- a/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj
+++ b/BlazorBffOpenIdConnect/Client/BlazorBffOpenIDConnect.Client.csproj
@@ -1,17 +1,17 @@
 <Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">
 
 	<PropertyGroup>
-		<TargetFramework>net8.0</TargetFramework>
+		<TargetFramework>net9.0</TargetFramework>
 		<NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
 		<Nullable>enable</Nullable>
 		<ImplicitUsings>enable</ImplicitUsings>
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="8.0.8" />
-		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="8.0.8" PrivateAssets="all" />
-		<PackageReference Include="Microsoft.Extensions.Http" Version="8.0.0" />
-		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="8.0.8" />
+		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="9.0.0" />
+		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="9.0.0" PrivateAssets="all" />
+		<PackageReference Include="Microsoft.Extensions.Http" Version="9.0.0" />
+		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="9.0.0" />
 	</ItemGroup>
 
 	<ItemGroup>
diff --git a/BlazorBffOpenIdConnect/Client/GlobalUsings.cs b/BlazorBffOpenIdConnect/Client/GlobalUsings.cs
index fa59a56..f64e9c7 100644
--- a/BlazorBffOpenIdConnect/Client/GlobalUsings.cs
+++ b/BlazorBffOpenIdConnect/Client/GlobalUsings.cs
@@ -1,15 +1,13 @@
-global using System.Net;
-global using System.Net.Http.Headers;
-global using System.Net.Http.Json;
-global using System.Security.Claims;
-
-global using BlazorBffOpenIDConnect.Client;
+global using BlazorBffOpenIDConnect.Client;
 global using BlazorBffOpenIDConnect.Client.Services;
 global using BlazorBffOpenIDConnect.Shared.Authorization;
 global using BlazorBffOpenIDConnect.Shared.Defaults;
-
 global using Microsoft.AspNetCore.Components;
 global using Microsoft.AspNetCore.Components.Authorization;
 global using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
 global using Microsoft.Extensions.DependencyInjection.Extensions;
 global using Microsoft.JSInterop;
+global using System.Net;
+global using System.Net.Http.Headers;
+global using System.Net.Http.Json;
+global using System.Security.Claims;
diff --git a/BlazorBffOpenIdConnect/Client/Services/AntiforgeryHttpClientFactory.cs b/BlazorBffOpenIdConnect/Client/Services/AntiforgeryHttpClientFactory.cs
index c584bbe..96e4351 100644
--- a/BlazorBffOpenIdConnect/Client/Services/AntiforgeryHttpClientFactory.cs
+++ b/BlazorBffOpenIdConnect/Client/Services/AntiforgeryHttpClientFactory.cs
@@ -1,6 +1,6 @@
 namespace BlazorBffOpenIDConnect.Client.Services;
 
-public class AntiforgeryHttpClientFactory(IHttpClientFactory httpClientFactory, IJSRuntime jSRuntime) 
+public class AntiforgeryHttpClientFactory(IHttpClientFactory httpClientFactory, IJSRuntime jSRuntime)
     : IAntiforgeryHttpClientFactory
 {
     public async Task<HttpClient> CreateClientAsync(string clientName = AuthDefaults.AuthorizedClientName)
diff --git a/BlazorBffOpenIdConnect/Client/Services/AuthorizedHandler.cs b/BlazorBffOpenIdConnect/Client/Services/AuthorizedHandler.cs
index 61272ae..d8065cb 100644
--- a/BlazorBffOpenIdConnect/Client/Services/AuthorizedHandler.cs
+++ b/BlazorBffOpenIdConnect/Client/Services/AuthorizedHandler.cs
@@ -1,7 +1,7 @@
 namespace BlazorBffOpenIDConnect.Client.Services;
 
 // orig src https://github.com/berhir/BlazorWebAssemblyCookieAuth
-public class AuthorizedHandler(HostAuthenticationStateProvider authenticationStateProvider) 
+public class AuthorizedHandler(HostAuthenticationStateProvider authenticationStateProvider)
     : DelegatingHandler
 {
     protected override async Task<HttpResponseMessage> SendAsync(
diff --git a/BlazorBffOpenIdConnect/Client/Services/HostAuthenticationStateProvider.cs b/BlazorBffOpenIdConnect/Client/Services/HostAuthenticationStateProvider.cs
index 9e14ddc..bd59ce4 100644
--- a/BlazorBffOpenIdConnect/Client/Services/HostAuthenticationStateProvider.cs
+++ b/BlazorBffOpenIdConnect/Client/Services/HostAuthenticationStateProvider.cs
@@ -1,7 +1,7 @@
 namespace BlazorBffOpenIDConnect.Client.Services;
 
 // orig src https://github.com/berhir/BlazorWebAssemblyCookieAuth
-public class HostAuthenticationStateProvider(NavigationManager navigation, HttpClient client, ILogger<HostAuthenticationStateProvider> logger) 
+public class HostAuthenticationStateProvider(NavigationManager navigation, HttpClient client, ILogger<HostAuthenticationStateProvider> logger)
     : AuthenticationStateProvider
 {
     private static readonly TimeSpan userCacheRefreshInterval = TimeSpan.FromSeconds(60);
diff --git a/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj b/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj
index 96f4fdd..b108b59 100644
--- a/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj
+++ b/BlazorBffOpenIdConnect/Server/BlazorBffOpenIDConnect.Server.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
 	<PropertyGroup>
-		<TargetFramework>net8.0</TargetFramework>
+		<TargetFramework>net9.0</TargetFramework>
 		<Nullable>enable</Nullable>
 		<ImplicitUsings>enable</ImplicitUsings>
 	</PropertyGroup>
@@ -12,10 +12,10 @@
 	</ItemGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="8.0.8" />
-		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.8" NoWarn="NU1605" />
-		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.1" />
-		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.1" />
+		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.0" />
+		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.0" NoWarn="NU1605" />
+		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.2" />
+		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.0.0-preview.2" />
 	</ItemGroup>
 
 </Project>
diff --git a/BlazorBffOpenIdConnect/Server/GlobalUsings.cs b/BlazorBffOpenIdConnect/Server/GlobalUsings.cs
index fd17b9a..a955d87 100644
--- a/BlazorBffOpenIdConnect/Server/GlobalUsings.cs
+++ b/BlazorBffOpenIdConnect/Server/GlobalUsings.cs
@@ -1,11 +1,7 @@
-global using System.Diagnostics;
-global using System.Security.Claims;
-
-global using BlazorBffOpenIDConnect.Server;
+global using BlazorBffOpenIDConnect.Server;
 global using BlazorBffOpenIDConnect.Server.Services;
 global using BlazorBffOpenIDConnect.Shared.Authorization;
 global using BlazorBffOpenIDConnect.Shared.Defaults;
-
 global using Microsoft.AspNetCore.Authentication;
 global using Microsoft.AspNetCore.Authentication.Cookies;
 global using Microsoft.AspNetCore.Authentication.OpenIdConnect;
@@ -14,4 +10,6 @@
 global using Microsoft.AspNetCore.Mvc;
 global using Microsoft.AspNetCore.Mvc.RazorPages;
 global using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+global using System.Diagnostics;
+global using System.Security.Claims;
 
diff --git a/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs b/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
index 3d90e36..ecc7dff 100644
--- a/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
+++ b/BlazorBffOpenIdConnect/Server/SecurityHeadersDefinitions.cs
@@ -2,11 +2,17 @@
 
 public static class SecurityHeadersDefinitions
 {
+    private static HeaderPolicyCollection? policy;
+
     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
     {
         ArgumentNullException.ThrowIfNull(idpHost);
 
-        var policy = new HeaderPolicyCollection()
+        // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
+        // Where possible, cache and reuse HeaderPolicyCollection instances.
+        if (policy != null) return policy;
+
+        policy = new HeaderPolicyCollection()
             .AddFrameOptionsDeny()
             .AddContentTypeOptionsNoSniff()
             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
diff --git a/BlazorBffOpenIdConnect/Server/appsettings.json b/BlazorBffOpenIdConnect/Server/appsettings.json
index 2f3f3a0..8ca5ee0 100644
--- a/BlazorBffOpenIdConnect/Server/appsettings.json
+++ b/BlazorBffOpenIdConnect/Server/appsettings.json
@@ -1,8 +1,8 @@
 {
   "OpenIDConnectSettings": {
-    "Authority": "--your-authority--",
-    "ClientId": "--client-ID--",
-    "ClientSecret": "--client-secret-from-user-secrets--"
+    "Authority": "https://localhost:44395",
+    "ClientId": "blazorcodeflowpkceclient",
+    "ClientSecret": "codeflow_pkce_client_secret"
   },
   "Logging": {
     "LogLevel": {
diff --git a/BlazorBffOpenIdConnect/Shared/BlazorBffOpenIDConnect.Shared.csproj b/BlazorBffOpenIdConnect/Shared/BlazorBffOpenIDConnect.Shared.csproj
index a9968ac..4b5c766 100644
--- a/BlazorBffOpenIdConnect/Shared/BlazorBffOpenIDConnect.Shared.csproj
+++ b/BlazorBffOpenIdConnect/Shared/BlazorBffOpenIDConnect.Shared.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
 	<PropertyGroup>
-		<TargetFramework>net8.0</TargetFramework>
+		<TargetFramework>net9.0</TargetFramework>
 		<Nullable>enable</Nullable>
 		<ImplicitUsings>enable</ImplicitUsings>
 	</PropertyGroup>
diff --git a/Changelog.md b/Changelog.md
index b22cb8a..b9b3079 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,9 @@
 
 [Readme](https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template/blob/main/README.md) 
 
+**2024-12-10** 4.0.0
+- .NET 9
+
 **2024-10-07** 3.0.5
 - Updated security headers package
 
diff --git a/README-NUGET.md b/README-NUGET.md
index bdb6448..ba625cc 100644
--- a/README-NUGET.md
+++ b/README-NUGET.md
@@ -6,7 +6,7 @@ This template can be used to create a Blazor WASM application hosted in an ASP.N
 
 ## Features
 
-- WASM hosted in ASP.NET Core 8
+- WASM hosted in ASP.NET Core 9
 - BFF (backend for frontend) with Standard OpenID Connect
 - OAuth2 and OpenID Connect OIDC
 - No tokens in the browser
@@ -48,7 +48,7 @@ dotnet new uninstall Blazor.BFF.OpenIDConnect.Template
 ```
 
 
-## Credits, Used NuGet packages + ASP.NET Core 8.0 standard packages
+## Credits, Used NuGet packages + ASP.NET Core 9.0 standard packages
 
 - NetEscapades.AspNetCore.SecurityHeaders
 
diff --git a/README.md b/README.md
index 41465fe..ff1bdb1 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ This template can be used to create a Blazor WASM application hosted in an ASP.N
 
 ## Features
 
-- WASM hosted in ASP.NET Core 8
+- WASM hosted in ASP.NET Core 9
 - BFF with OpenID Connect
 - OAuth2 and OpenID Connect OIDC
 - No tokens in the browser
@@ -81,7 +81,7 @@ dotnet new install <PATH>
 Where `<PATH>` is the path to the folder containing .template.config.
 
 
-## Credits, Used NuGet packages + ASP.NET Core 8.0 standard packages
+## Credits, Used NuGet packages + ASP.NET Core 9.0 standard packages
 
 - NetEscapades.AspNetCore.SecurityHeaders
 
diff --git a/global.json b/global.json
index 65af5e6..b6b5c9f 100644
--- a/global.json
+++ b/global.json
@@ -1,5 +1,5 @@
 {
   "sdk": {
-    "version": "8.0.400"
+    "version": "9.0.101"
   }
 }