.net核心安全头中间件不向外部http请求添加头
[英].net core security headers middleware not adding headers to external http requests
问题描述
I'm using security headers middleware in a web app to add security headers to all outgoing http requests. 
我在Web应用程序中使用安全头中间件为所有传出的http请求添加安全头。 Security headers seem to get added to all network requests to internal resources - that is resources that make up the web app such as the javascript scripts and the images used in the web app and the css and html files. 安全标头似乎被添加到内部资源的所有网络请求 - 这是构成Web应用程序的资源,例如javascript脚本和Web应用程序中使用的图像以及css和html文件。 However the security headers do not get added to any external http requests such as to an API that I made that the web app uses to get json data. 但是,安全标头不会添加到任何外部http请求中,例如我创建的Web应用程序用于获取json数据的API。 How do I make it just add security headers to everything, rather than just to the web apps own resources? 如何让它只是为所有内容添加安全标头,而不仅仅是Web应用程序自己的资源?
Below is some of the relevant code that adds security headers middleware 下面是一些添加安全头中间件的相关代码
startup.cs startup.cs
private ILogger<SecurityHeadersBuilder> _logger;
private readonly SecurityHeadersPolicy _policy = new SecurityHeadersPolicy();
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, ISecurityHeadersBuilder securityHeadersBuilder)
{...
app.UseSecurityHeadersMiddleware(
securityHeadersBuilder.AddDefaultSecurePolicy()
);
securityHeadersBuilder.cs securityHeadersBuilder.cs
public SecurityHeadersBuilder AddDefaultSecurePolicy()
{
AddFrameOptionsDeny();
AddXssProtectionBlock();
AddContentTypeOptionsNoSniff();
AddNoCache();
AddStrictTransportSecurityMaxAgeIncludeSubDomains();
AddContentSecurityPolicyAllContentFromSelfAndGoogle();
RemoveServerHeader();
return this;
}
public SecurityHeadersBuilder AddFrameOptionsDeny()
{
_policy.SetHeaders[FrameOptionsConstants.Header] = FrameOptionsConstants.Deny;
_logger.LogInformation(string.Format("setting {0} http header value to {1}", FrameOptionsConstants.Header, FrameOptionsConstants.Deny));
return this;
}
1 个解决方案
解决方案1
1 已采纳 2017-04-19 20:46:52
There are two type of headers: request headers and _response headers. 有两种类型的标头: 请求标头和_response标头。
The server sets response headers to instruct the browser how to handle a response (block iframing for example). 服务器设置响应头以指示浏览器如何处理响应(例如阻止iframing)。 Therefore it would not make sense to do a request with (for example) the header X-Frame-Options : Deny . 因此,使用(例如)标题X-Frame-Options : Deny进行请求是没有意义的。 Because the client application could alter the value and ignore the security restriction. 因为客户端应用程序可能会更改值并忽略安全限制。 The server will not handle the value of the header anyway, the user-agent of the browser will use this response header. 无论如何,服务器都不会处理标头的值,浏览器的用户代理将使用此响应标头。
If you do a call to an (external) API you should manually add request headers to an HttpClient and make the call. 如果您调用(外部)API,则应手动将请求标头添加到HttpClient并进行调用。 The API in turn can return the (security) response headers. API又可以返回(安全)响应头。
All the headers that you have in the example code are response headers and should not be set as request headers. 示例代码中的所有标头都是响应标头,不应设置为请求标头。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.