stackoom
  简体   繁体   中英

Content security policy header list protection using web.config in ASP.NET MVC

 原文  2019-07-22 11:39:35       c#/ asp.net-mvc/ iis-7/ content-security-policy

Question

eg Image file Webconfig file which i manage in my project

eg Image file of Issue facing for 404Javascript.js I am facing the following Content Security Policy issue in my existing ASP.NET MVC project.

We used https://sitecheck.sucuri.net/ to check security scan

Issue - Security Headers

Missing security header for XSS Protection. Affected pages:

Missing security header to prevent Content Type sniffing. Affected pages:

Missing Strict-Transport-Security security header. Affected pages:

Default server banners displayed. Your site is displaying your web server default banners. Affected pages:
https://www.example.com/404javascript.js
https://www.example.com/404testpage4525d2fdc

We are trying to resolve that using web config file with following configuration: 

<customHeaders>
  <remove name="X-Powered-By" />
  <add name="X-Frame-Options" value="DENY" />
  <add name="X-Xss-Protection" value="1; mode=block" />
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="Referrer-Policy" value="no-referrer" />
  <add name="X-Permitted-Cross-Domain-Policies" value="none" />
  <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
  <add name="Feature-Policy" value="accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" />
</customHeaders>

<httpRuntime targetFramework="4.6.1" maxRequestLength="1048576"  
             requestValidationMode="4.0" executionTimeout="110" 
             enableVersionHeader="false" />

But we are still facing same issue after changing configuration, please look at our process where we are wrong or any alternate solution.

1 answers

solution1
 0  2019-07-23 07:03:20

Make sure you add custom header tag in system.webserver section not in the system.web section.: 

<system.webServer>
  <httpProtocol>
    <customHeaders>

      <add name="X-Frame-Options" value="SAMEORIGIN" />

      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>

      <add name="X-XSS-Protection" value="1; mode=block" />

      <add name="X-Content-Type-Options" value="nosniff" />

      <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" />

      <add name="Referrer-Policy" value="strict-origin" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

after doing chnages restart the iis server.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question web.config in ASP.NET 5 MVC 6 Overwrite ConnectionString in web.config ASP.NET MVC Double error in Web.config file ASP.NET MVC Customer Error in Asp.net MVC web.config LDAP Authentication in ASP.NET MVC 4 web.config file Windows Authentication in web.config in asp.net mvc4 ASP.NET: Reading list of values from web.config How to Bind Settings from Web.config using Ninject in ASP.NET MVC 4? Redirecting an asp.net MVC URL to a specific controller/action/parameter using httpRedirect in web.config web.config with db connection string for asp.net mvc site. DB and site on same server. Need security?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM