asp .net core 3 的 Web 安全审计问题
Web security audit issues with asp .net core 3
我正在尝试以 B 或 A 的成绩通过 http://observatory.mozilla.org,我正在获得 'C' 的成绩。我实现了中间件来设置安全 headers 和 cookie,但仍然不明白如何解决一些问题。我所有的脚本和 javascript 都是通过 src 标签加载的,没有内联样式。有人可以给我一些想法来解决我遇到的各种问题,我似乎找不到解决办法吗?
我的 content-security-policy 是 default-src https: 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'; font-src https: 数据:
我的 cookie 显示:.AspNetCore.Antiforgery.GOAuSILz_xU=CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLdQtUjp1UgKAFup-FCj46R5vBSBujuDbXJDSbtQ2xgICsW_CofHqShdiLQj8xefPjmQvYYQMEL2d0;路径=/;同一站点=严格; httponly
这是我的代码:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.Strict;
options.Secure = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true; // make the session cookie Essential,
opts.Cookie.HttpOnly = false;
opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
});
services.AddSession();
services.Configure<Credentials>(Configuration.GetSection("Credentials"));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseSecurityHeadersMiddleware(
new SecurityHeadersBuilder()
.AddDefaultSecurePolicy());
app.UseSession();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
//app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
这里web.config需要的话
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<add name="X-UA-Compatible" value="IE=edge" />
<add name="Cache-Control" value="public, max-age=31536000" />
</customHeaders>
</httpProtocol>
</system.webServer>
配置服务:
services.Configure<CookiePolicyOptions>(opts =>
{
opts.CheckConsentNeeded = _ => true;
opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true;
opts.Cookie.HttpOnly = true;
opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
别忘了添加 UseCookiePolicy 中间件:
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy(); //here
app.UseSession();
app.UseRouting();
我正在尝试以 B 或 A 的成绩通过 http://observatory.mozilla.org,我正在获得 'C' 的成绩。我实现了中间件来设置安全 headers 和 cookie,但仍然不明白如何解决一些问题。我所有的脚本和 javascript 都是通过 src 标签加载的,没有内联样式。有人可以给我一些想法来解决我遇到的各种问题,我似乎找不到解决办法吗?
我的 content-security-policy 是 default-src https: 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'; font-src https: 数据:
我的 cookie 显示:.AspNetCore.Antiforgery.GOAuSILz_xU=CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLdQtUjp1UgKAFup-FCj46R5vBSBujuDbXJDSbtQ2xgICsW_CofHqShdiLQj8xefPjmQvYYQMEL2d0;路径=/;同一站点=严格; httponly
这是我的代码:
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.Strict;
options.Secure = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true; // make the session cookie Essential,
opts.Cookie.HttpOnly = false;
opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
});
services.AddSession();
services.Configure<Credentials>(Configuration.GetSection("Credentials"));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseSecurityHeadersMiddleware(
new SecurityHeadersBuilder()
.AddDefaultSecurePolicy());
app.UseSession();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
//app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
这里web.config需要的话
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<add name="X-UA-Compatible" value="IE=edge" />
<add name="Cache-Control" value="public, max-age=31536000" />
</customHeaders>
</httpProtocol>
</system.webServer>
配置服务:
services.Configure<CookiePolicyOptions>(opts =>
{
opts.CheckConsentNeeded = _ => true;
opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
services.AddSession(opts =>
{
opts.Cookie.IsEssential = true;
opts.Cookie.HttpOnly = true;
opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
});
别忘了添加 UseCookiePolicy 中间件:
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy(); //here
app.UseSession();
app.UseRouting();