
Web security audit issues with ASP.NET Core 3

Stack Overflow user
Asked 2019-11-15 18:11:24
Answers: 1 | Views: 1.7K | Followers: 0 | Votes: 5

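I'm trying to get a B or A grade on http://observatory.mozilla.org and I'm scoring a 'C'. I implemented middleware to set security headers and cookies, but I still can't figure out how to fix some things. All of my scripts and JavaScript are loaded through src tags, and there are no inline styles. Can someone give me some ideas for resolving the various issues I'm running into that I can't seem to find a solution for?

My Content-Security-Policy is default-src https: 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'; font-src https:

My cookie shows: .AspNetCore.Antiforgery.GOAuSILz_xU=CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLdQtUjp1UgKAFup-FCj46R5vBSBujuDbXJDSbtQ2xgICsW_CofHqShdiLQj8xefPjmQvYYQMEL2d0;path=/;samesite=strict;httponly

Here is my code: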

public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
            options.Secure = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
        });

        services.AddSession(opts =>
        {
            opts.Cookie.IsEssential = true; // make the session cookie Essential,
            opts.Cookie.HttpOnly = false;
            opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
        });

        services.AddSession();
        services.Configure<Credentials>(Configuration.GetSection("Credentials"));
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseSecurityHeadersMiddleware(
           new SecurityHeadersBuilder()
               .AddDefaultSecurePolicy());

        app.UseSession();
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        //app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Here is the web.config, in case you need it:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-UA-Compatible" value="IE=edge" />
        <add name="Cache-Control" value="public, max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

1 Answer

Stack Overflow user

Accepted answer

Posted 2019-11-25 15:09:23

ConfigureServices:

services.Configure<CookiePolicyOptions>(opts =>
{
    opts.CheckConsentNeeded = _ => true;
    opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
    opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
    opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
services.AddSession(opts =>
{
    opts.Cookie.IsEssential = true;
    opts.Cookie.HttpOnly = true;
    opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
    opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});

Don't forget to add the UseCookiePolicy middleware:

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy(); //here
app.UseSession();
app.UseRouting();

Votes: 3
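
A check for the cookie attributes discussed above, as an added example that is not part of the original question or answer: it parses Set-Cookie header values and reports any cookie missing Secure, HttpOnly or SameSite=Strict. The sample headers and the function names are constructed for illustration; the first sample has the same attribute set as the cookie quoted in the question.

```python
# Added example: audit Set-Cookie header values for Secure, HttpOnly and
# SameSite=Strict, the attributes the answer's cookie settings ask for.

REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample headers (cookie values are placeholders).
SAMPLE_HEADERS = [
    # Same attribute set as the cookie quoted in the question: no Secure flag.
    ".AspNetCore.Antiforgery.EXAMPLE=placeholder; path=/; samesite=strict; httponly",
    # A cookie carrying all three attributes.
    ".AspNetCore.Session=placeholder; path=/; secure; samesite=strict; httponly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def audit_cookie(header, required_samesite="strict"):
    """Return a list of findings for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    findings = [f"{name}: missing {flag}" for flag in REQUIRED_FLAGS
                if flag not in attrs]
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: missing samesite")
    elif samesite != required_samesite:
        findings.append(f"{name}: samesite={samesite}, expected {required_samesite}")
    return findings


def audit_headers(headers):
    """Audit every Set-Cookie value and return all findings in order."""
    return [f for h in headers for f in audit_cookie(h)]


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["all cookies pass"]:
        print(finding)
```

Feed it the Set-Cookie values captured from the deployed site over HTTPS, since the question's code relaxes the Secure policy in the development environment.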
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/58882541
