
.net core security headers middleware not adding headers to external http requests

I'm using security headers middleware in a web app to add security headers to all outgoing HTTP requests. Security headers seem to get added to all network requests to internal resources, that is, resources that make up the web app such as the JavaScript scripts and the images used in the web app and the CSS and HTML files. However, the security headers do not get added to any external HTTP requests, such as to an API that I made that the web app uses to get JSON data. How do I make it add security headers to everything, rather than just to the web app's own resources?

Below is some of the relevant code that adds the security headers middleware:

startup.cs

private ILogger<SecurityHeadersBuilder> _logger;
private readonly SecurityHeadersPolicy _policy = new SecurityHeadersPolicy();

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, ISecurityHeadersBuilder securityHeadersBuilder)
{...
    // Registers the header-setting middleware in the web app's own response pipeline
    app.UseSecurityHeadersMiddleware(
        securityHeadersBuilder.AddDefaultSecurePolicy()
    );
}

securityHeadersBuilder.cs

public SecurityHeadersBuilder AddDefaultSecurePolicy()
{
    AddFrameOptionsDeny();
    AddXssProtectionBlock();
    AddContentTypeOptionsNoSniff();
    AddNoCache();
    AddStrictTransportSecurityMaxAgeIncludeSubDomains();
    AddContentSecurityPolicyAllContentFromSelfAndGoogle();
    RemoveServerHeader();
    return this;
}

public SecurityHeadersBuilder AddFrameOptionsDeny()
{
    _policy.SetHeaders[FrameOptionsConstants.Header] = FrameOptionsConstants.Deny;
    _logger.LogInformation(string.Format("setting {0} http header value to {1}", FrameOptionsConstants.Header, FrameOptionsConstants.Deny));
    return this;
}

There are two types of headers: request headers and response headers.

The server sets response headers to instruct the browser how to handle a response (block iframing, for example). Therefore it would not make sense to do a request with (for example) the header `X-Frame-Options: Deny`, because the client application could alter the value and ignore the security restriction. The server will not handle the value of the header anyway; the user agent of the browser will use this response header.

If you do a call to an (external) API, you should manually add request headers to an HttpClient and make the call. The API in turn can return the (security) response headers.

All the headers that you have in the example code are response headers and should not be set as request headers.
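As an added example (not code from the question or the answer), this shows the split the answer describes: the API applies the same kind of response headers in its own ASP.NET Core pipeline, while the web app's HttpClient only sets request headers and reads the API's security headers back. The class and method names (ApiSecurityHeaders, ApiClient, GetJsonAsync) are assumed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class ApiSecurityHeaders
{
    // Response headers instruct the browser that receives the API's reply,
    // so they belong in the API's own pipeline, not on the web app's request.
    public static IApplicationBuilder UseApiSecurityHeaders(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            // OnStarting fires just before the status line is flushed, so the
            // headers are set even when a later component writes the body first.
            context.Response.OnStarting(() =>
            {
                var h = context.Response.Headers;
                h["X-Frame-Options"] = "DENY";
                h["X-Content-Type-Options"] = "nosniff";
                h["Cache-Control"] = "no-store, no-cache";
                h["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
                return Task.CompletedTask;
            });
            await next();
        });
    }
}

public class ApiClient
{
    private readonly HttpClient _http;
    public ApiClient(HttpClient http) { _http = http; }
    // Web-app side: request headers (here Accept) go on the outgoing message;
    // the API's security headers come back on the HttpResponseMessage.
    public async Task<string> GetJsonAsync(Uri apiUrl)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, apiUrl);
        request.Headers.Accept.ParseAdd("application/json");
        using (var response = await _http.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();
            // Confirm the API applied its policy before trusting the body.
            if (!response.Headers.Contains("X-Content-Type-Options"))
                throw new InvalidOperationException("API reply lacks X-Content-Type-Options");
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

The web app's own security headers middleware never sees the HttpClient call, because it only runs for responses the web app itself produces.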
