Web security audit problem with ASP.NET Core 3

Question (2 votes, 1 answer)
I am trying to get a B or A grade on http://observatory.mozilla.org and I am getting a 'C' grade. I implemented middleware to set security headers and cookies but still don't know how to fix some of the issues. All my scripts and JavaScript are loaded via src tags, with no inline styles. Can someone give me some ideas for solving the various problems I am having?



My Content Security Policy is:

default-src https: 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'; font-src https: data:

My cookie shows up as:

.AspNetCore.Antiforgery.GOAuSILz_xU=CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLQQQJJ2JJQJJQJJQJJQJJQJJQJJQJJQJQJJQJQJJQJJQJJQJJQJJQJJQJJQJJJQJJJJJKJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJN; path=/; samesite=strict; httponly

Here is my code:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();

    services.Configure<CookiePolicyOptions>(options =>
    {
        // This lambda determines whether user consent for non-essential cookies is needed for a given request.
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.Strict;
        // HostingEnvironment is assumed to be an IWebHostEnvironment injected through the Startup constructor (not shown in the post).
        options.Secure = HostingEnvironment.IsDevelopment()
            ? CookieSecurePolicy.SameAsRequest
            : CookieSecurePolicy.Always;
        options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
    });

    services.AddSession(opts =>
    {
        opts.Cookie.IsEssential = true; // make the session cookie Essential
        opts.Cookie.HttpOnly = false;
        opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment()
            ? CookieSecurePolicy.SameAsRequest
            : CookieSecurePolicy.Always;
    });
    services.AddSession(); // redundant: the AddSession call above already registers the session services

    services.Configure<Credentials>(Configuration.GetSection("Credentials"));
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseBrowserLink();
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseSecurityHeadersMiddleware(
        new SecurityHeadersBuilder()
            .AddDefaultSecurePolicy());

    // Note: the CookiePolicyOptions configured above only take effect if app.UseCookiePolicy() is added to this pipeline.
    app.UseSession();
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    //app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
```

Here is the web.config, in case it is needed:

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-UA-Compatible" value="IE=edge" />
      <add name="Cache-Control" value="public, max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

asp.net .net .net-core content-security-policy
1 answer
0 votes
ConfigureServices:

```csharp
services.Configure<CookiePolicyOptions>(opts =>
{
    opts.CheckConsentNeeded = _ => true;
    opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
    opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
    opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});

services.AddSession(opts =>
{
    opts.Cookie.IsEssential = true;
    opts.Cookie.HttpOnly = true;
    opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
    opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
```
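The answer fixes the cookie flags but says nothing about the CSP, and neither can be confirmed without another scan. The following is an added example, not code from the question or the answer: a small offline auditor that applies a simplified version of the rules Mozilla Observatory uses for Content-Security-Policy and Set-Cookie (the rule sets are this example's approximation of its public scoring, not something the page states). The sample headers are constructed from the values posted in the question, with the cookie value shortened; the tightened CSP is this example's suggestion.

```python
# Added example: offline check of the two things Observatory scores on this page,
# the CSP header and the cookie attributes. Rule sets are simplified from
# Observatory's public scoring and are an assumption of this example.

# Sources Observatory treats as too broad in script-src/object-src, and the ones
# it treats as unsafe outright.
BROAD_SOURCES = {"*", "http:", "https:", "ftp:", "http://*", "https://*"}
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Fetch directives fall back to default-src when absent; frame-ancestors and
# base-uri do not, which is why they must be set explicitly.
FETCH_DIRECTIVES = {"script-src", "object-src", "style-src", "img-src",
                    "font-src", "connect-src", "media-src", "frame-src"}


def parse_csp(header):
    """Split a CSP header into {directive: set(sources)}, lowercased."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = {t.lower() for t in tokens[1:]}
    return policy


def effective_sources(policy, directive):
    """Sources that actually apply to a directive after default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        # Neither the directive nor default-src present: unrestricted.
        return policy.get("default-src", {"*"})
    return set()


def audit_csp(header):
    """Return the findings that keep a policy out of Observatory's top CSP tiers."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        bad = sources & (BROAD_SOURCES | UNSAFE_SOURCES)
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
        if any(s.startswith(HASH_OR_NONCE) for s in sources):
            bad.discard("'unsafe-inline'")
        if bad:
            where = directive if directive in policy else f"{directive} (inherited from default-src)"
            findings.append(f"{where} allows {' '.join(sorted(bad))}")
    for directive in ("frame-ancestors", "base-uri"):
        if directive not in policy:
            findings.append(f"{directive} not set")
    return findings


def audit_cookie(set_cookie):
    """Check one Set-Cookie value for the Secure, HttpOnly and SameSite attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if attrs.get("samesite") not in ("strict", "lax"):
        findings.append(f"{name}: SameSite not Strict or Lax")
    return findings


# Constructed samples: the CSP and cookie from the question (cookie value
# shortened), next to a tightened CSP and the cookie with the missing flag.
QUESTION_CSP = ("default-src https: 'self'; object-src 'none'; frame-ancestors 'none'; "
                "base-uri 'none'; font-src https: data:")
QUESTION_COOKIE = ".AspNetCore.Antiforgery.GOAuSILz_xU=CfDJ8D3hsoQ239J; path=/; samesite=strict; httponly"
TIGHT_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; "
             "base-uri 'none'; font-src 'self' data:")
FIXED_COOKIE = QUESTION_COOKIE + "; secure"

if __name__ == "__main__":
    for label, csp, cookie in (("question", QUESTION_CSP, QUESTION_COOKIE),
                               ("tightened", TIGHT_CSP, FIXED_COOKIE)):
        print(f"[{label}]")
        for finding in audit_csp(csp) + audit_cookie(cookie) or ["no findings"]:
            print("  -", finding)
```

Run against the question's headers this reports two things: `script-src` is not set, so it inherits `default-src`, and the `https:` there lets any HTTPS origin serve scripts, which Observatory scores as an unsafe policy even though nothing inline is allowed; and the antiforgery cookie carries `httponly` and `samesite=strict` but no `secure`. Two caveats on the cookie side: the `CookiePolicyOptions` shown in the question only rewrite cookies when `app.UseCookiePolicy()` is in the pipeline, which the posted `Configure` method does not call, and the antiforgery cookie has its own builder (`services.AddAntiforgery(o => o.Cookie.SecurePolicy = CookieSecurePolicy.Always)`) that can set the flag at the source.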

© www.soinside.com 2019 - 2024. All rights reserved.