众所周知,.NET Core 中间件基本取代了 .NET Framework 的过滤器。此例记录如何用中间件为每个 HTTP 请求的响应添加安全响应头,并通过扩展方法统一注册。
扩展方法的定义:
using Microsoft.AspNetCore.Builder;
using System.Diagnostics.CodeAnalysis;
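namespace Code.Middleware.Extensions
{
    /// <summary>
    /// Extension methods that register the application's security middleware.
    /// </summary>
    public static class ApplicationSecurityStandard
    {
        /// <summary>
        /// Enables all application security standards by registering, in this order:
        /// ContentSinffingMiddleware,
        /// CacheControlMiddleware,
        /// XSSProtectionMiddleware,
        /// ContentSecurityPolicyMiddleware,
        /// XFrameOptionsMiddleware,
        /// HSTSMiddleware,
        /// OtherHTTPHeadersMiddleware.
        /// </summary>
        /// <remarks>
        /// Middleware runs in registration order. A component registered before this call
        /// that ends the request itself never reaches these middleware, so its responses
        /// carry none of the headers; call this method ahead of such components.
        /// NOTE(review): only HSTSMiddleware is visible alongside this method; what the
        /// other six emit should be confirmed against their implementations. If
        /// XSSProtectionMiddleware sets X-XSS-Protection, current browsers no longer act
        /// on that header and the Content-Security-Policy is the effective control.
        /// "ContentSinffingMiddleware" is spelled as the type is referenced here
        /// (presumably "Sniffing"); renaming it requires changing its declaration too.
        /// </remarks>
        /// <param name="builder">The application pipeline builder to add the middleware to.</param>
        /// <returns>The builder returned by the last registration, for further chaining.</returns>
        /// <exception cref="System.ArgumentNullException"><paramref name="builder"/> is null.</exception>
        [ExcludeFromCodeCoverage]
        public static IApplicationBuilder EnableApplicationSecurityStandards(this IApplicationBuilder builder)
        {
            // Fail with a named argument instead of an opaque error from inside the first
            // UseMiddleware call; mirrors the null check in the HSTSMiddleware constructor.
            if (builder == null)
            {
                throw new System.ArgumentNullException(nameof(builder));
            }

            return builder
                .UseMiddleware<ContentSinffingMiddleware>()
                .UseMiddleware<CacheControlMiddleware>()
                .UseMiddleware<XSSProtectionMiddleware>()
                .UseMiddleware<ContentSecurityPolicyMiddleware>()
                .UseMiddleware<XFrameOptionsMiddleware>()
                .UseMiddleware<HSTSMiddleware>()
                .UseMiddleware<OtherHTTPHeadersMiddleware>();
        }
    }
}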
其中一个中间件的定义:
using Microsoft.AspNetCore.Http;
using System;
using System.Threading.Tasks;
namespace Code.Evergreen.Middleware
{
    /// <summary>
    /// Middleware that adds a <c>Strict-Transport-Security</c> (HSTS) response header when
    /// the response does not already have one, then hands the request to the next delegate.
    /// </summary>
    /// <remarks>
    /// The header is written for every request, whatever its scheme. Browsers only honour
    /// HSTS received over HTTPS, and RFC 6797 (section 7.2) says a host must not send it
    /// over non-secure transport; the framework's built-in <c>UseHsts()</c> applies that
    /// restriction. NOTE(review): adding a <c>Request.IsHttps</c> check here would drop the
    /// header when TLS is terminated by a proxy and forwarded headers are not configured,
    /// so confirm the deployment topology before tightening this.
    /// The header is set before the rest of the pipeline runs, so a later component that
    /// resets the response headers would remove it.
    /// </remarks>
    public class HSTSMiddleware
    {
        private const string HeaderName = "Strict-Transport-Security";

        // max-age=31536000 is 365 days. includeSubDomains applies the policy to every
        // subdomain of the serving host, so each of them has to be reachable over HTTPS
        // for as long as browsers cache the policy.
        private const string HeaderValue = "max-age=31536000;includeSubDomains";

        private readonly RequestDelegate _next;

        /// <summary>Creates the middleware.</summary>
        /// <param name="next">The next delegate in the request pipeline.</param>
        /// <exception cref="ArgumentNullException"><paramref name="next"/> is null.</exception>
        public HSTSMiddleware(RequestDelegate next)
        {
            if (next == null)
            {
                throw new ArgumentNullException(nameof(next));
            }

            _next = next;
        }

        /// <summary>
        /// Adds the HSTS header unless one is already present, then invokes the next delegate.
        /// </summary>
        /// <param name="httpContext">The context of the current request.</param>
        /// <returns>A task that completes when the rest of the pipeline has run.</returns>
        public async Task InvokeAsync(HttpContext httpContext)
        {
            var responseHeaders = httpContext.Response.Headers;

            // A value set earlier in the pipeline is left untouched.
            bool alreadySet = responseHeaders.ContainsKey(HeaderName);
            if (!alreadySet)
            {
                responseHeaders.Add(HeaderName, HeaderValue);
            }

            await _next(httpContext);
        }
    }
}
在 Startup.cs 中的调用:
// Excerpt of Startup.Configure; each "..." stands for pipeline setup the page leaves out.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
// Registers the security middleware through the extension method. Middleware run in
// registration order, so a component registered above this line that ends the request
// itself responds without these headers; keep this call ahead of such components.
app.EnableApplicationSecurityStandards();
...
}