301重定向响应中缺少标头

Question

我们的一个客户的笔测试仪已经标记出，我们构建的站点没有为302、500和403响应返回正确的标头。我已经对此进行了测试，在fiddler中，我可以看到从302返回的报头确实与正常的200响应不同。我已经检查了我们的配置文件，可以看到所有的头文件都在配置文件中。

为什么标头不同，我需要做些什么来解决这个问题？

笔测试仪的响应如下所示：

The following HTTP security headers were found to be missing from 403, 302 and 500 responses:
• HTTP Strict Transport Security (HSTS) – The header ensures that supported browsers should only interact with it using HTTPS protocol, rejecting the insecure HTTP protocol, protecting against protocol downgrade attacks and cookie hijacking.
• X-Frame-Options – The header ensures that the browser must not display the transmitted content in frames of other web pages, protecting against Clickjacking attacks.
• X-XSS-Protection – The header will force the browser to enable any available Cross-Site Scripting filter, providing an additional defence against Cross-Site Scripting attacks.
• X-Content-Type-Options – The header will prevent the browser from interpreting files as something else other than what is declared by the content type, which can help protect against some Cross-Site Scripting attacks.
• Referrer Policy – The header governs which referrer information is sent in the Referer header along with requests.

我的web配置文件是：

    <add name="Vary" value="Accept-Encoding"/>
    <add name="X-UA-Compatible" value="IE=edge"/>
    <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;This is not a privacy policy!&quot;"/>
    <add name="E-TAG" value=""/>
    <add name="Arr-Disable-Session-Affinity" value="True"/>
    <add name="Access-Control-Allow-Origin" value="*"/>
    <add name="Access-Control-Allow-Methods" value="*"/>
    <add name="Access-Control-Allow-Headers" value="*"/>
    <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains"/>
    <add name="Referrer-Policy" value="strict-origin"/>
    <add name="x-Content-Type-Options" value="nosniff"/>

<nwebsec>
        <httpHeaderSecurityModule xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd" xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <redirectValidation enabled="false" />
            <securityHttpHeaders>
                <x-Frame-Options policy="Deny" />
                <strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="true" preload="true" />
                <x-Content-Type-Options enabled="true" />
                <x-Download-Options enabled="true" />
                <x-XSS-Protection policy="FilterEnabled" blockMode="true" />
                <content-Security-Policy enabled="false" />
            </securityHttpHeaders>
        </httpHeaderSecurityModule>
    </nwebsec>

返回一个200响应：

Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff

然而，302返回:-

Vary: Accept-Encoding
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff

在我看来所有的x-*头都不见了？

Answer 1

不是一个权威的答案，但是:我看不出X头有302的点，或者在正常情况下有403或500的点。它们指示您的浏览器如何处理返回页面的各个方面，并且(通常)不会返回带有这些响应代码的页面。与在https://security.stackexchange.com/questions/188134/x-frame-options-header-on-redirect上回答的大体相同

我没有发现任何关于HSTS应用于这些响应的像样的讨论。我建议在大多数情况下包含HSTS实际上是无关紧要的，但理论上是理想的(除了像URL缩写这样的总是重定向的例外，所以如果不包含30X，大多数访问者永远不会收到HSTS指令)。

根据https://www.w3.org/TR/referrer-policy/#set-requests-referrer-policy-on-redirect，似乎引用策略应该包含在重定向中。403和500似乎无关紧要(同样，除非您包含一个包含这些响应的页面)。

再说一次，我不是权威人士，尽管我搜索了很多，但在大多数问题上我都没有找到一个令人信服的答案，所以只把它当作一种观点。