我的内容安全策略是
default-src https:'self'; object-src'none';框架祖先“无”; base-uri'none'; font-src https:数据:
我的cookie显示为:.AspNetCore.Antiforgery.GOAuSILz_xU = CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLQQQJJ2JJQJJQJJQJJQJJQJJQJJQJJQJQJJQJQJJQJJQJJQJJQJJQJJQJJJQJJJJJKJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJN路径= /; samesite = strict; httponly这是我的代码:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.Strict;
options.Secure = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true; // make the session cookie Essential,
opts.Cookie.HttpOnly = false;
opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
});
services.AddSession();
services.Configure<Credentials>(Configuration.GetSection("Credentials"));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseSecurityHeadersMiddleware(
new SecurityHeadersBuilder()
.AddDefaultSecurePolicy());
app.UseSession();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
//app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
如果需要,这里是web.config
<system.webServer> <httpProtocol> <customHeaders> <clear /> <add name="X-UA-Compatible" value="IE=edge" /> <add name="Cache-Control" value="public, max-age=31536000" /> </customHeaders> </httpProtocol> </system.webServer>
我正在尝试通过http://observatory.mozilla.org的B或A级,并且获得'C'级。我实现了中间件来设置安全标头和cookie,但仍然不了解如何...
services.Configure<CookiePolicyOptions>(opts =>
{
opts.CheckConsentNeeded = _ => true;
opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true;
opts.Cookie.HttpOnly = true;
opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});