ASP.NET MVC 5 默认不发送 X-Frame-Options 标头
[英]ASP.NET MVC 5 not sending X-Frame-Options header by default
问题描述
This article seems to suggest that an ASP.NET MVC 5 website automatically sends the X-Frame-Options HTTP header with the value SAMEORIGIN . 
这篇文章似乎暗示 ASP.NET MVC 5 网站会自动发送值为SAMEORIGIN的X-Frame-Options HTTP 标头。
I would like that by default, I am observing that for my website , it doesn't.我希望默认情况下,我观察到我的网站,它没有。
Even adding the following line of code, which would have been unnecessary if the default behavior would have been to send the header, does not seem to send it.即使添加以下代码行,如果默认行为是发送标头,这将是不必要的,似乎也不会发送它。
AntiForgeryConfig.SuppressXFrameOptionsHeader = false;
I can add an action filter attribute and do that explicitly.我可以添加一个动作过滤器属性并明确地做到这一点。 But I was wondering if I were missing something if I wanted to have that header be sent by default with the SAMEORIGIN value?但是我想知道如果我想默认发送带有SAMEORIGIN值的标头,我是否遗漏了什么?
I am using ASP.NET MVC 5.2.4 targeting .NET Framework 4.6.1.我正在使用面向 .NET Framework 4.6.1 的 ASP.NET MVC 5.2.4。
1 个解决方案
解决方案1
1 已采纳 2019-02-25 07:01:04
It will it add by default if you will use @Html.AntiForgeryToken() on a view.如果您将在视图上使用@Html.AntiForgeryToken() ,它将默认添加。 If you don't use it, you need to add this header explicitly eg in the action filter attribute.如果您不使用它,则需要显式添加此标头,例如在操作过滤器属性中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.