Adding expires headers_Easily Adding Security Headers to Your ASP.NET Core Web App and Getting an A Grade

Well that sucks.

Score of F on SecurityHeaders.com

That's my podcast website with an F rating from SecurityHeaders.com. What's the deal? I took care of this months ago!

Turns out, recently I moved from Windows to Linux on Azure.

If I am using IIS on Windows, I can (and did) make a section in my web.config that looks something like this.

Do note that I've added a few custom things and you'll want to make sure you DON'T just copy paste this. Make yours, yours.

Note that I've whitelisted a bunch of domains to make sure my site works. Also note that I have a number of "unsafe-inlines" that are not ideal.

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <add name="X-Xss-Protection" value="1; mode=block"/>
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
        <add name="Content-Security-Policy" value="default-src https:; img-src * 'self' data: https:; style-src 'self' 'unsafe-inline' www.google.com platform.twitter.com cdn.syndication.twimg.com fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com cse.google.com cdn.syndication.twimg.com platform.twitter.com platform.instagram.com www.instagram.com cdn1.developermedia.com cdn2.developermedia.com apis.google.com www.googletagservices.com adservice.google.com securepubads.g.doubleclick.net ajax.aspnetcdn.com ssl.google-analytics.com az416426.vo.msecnd.net/;"/>
        <add name="Referrer-Policy" value="no-referrer-when-downgrade"/>
        <add name="Feature-Policy" value="geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';"/>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
    ...

But, if I'm NOT using IIS - meaning I'm running my ASP.NET app in a container or on Linux - this will be ignored. Since I recently moved to Linux, I assumed (my bad for no tests here) that it would just work.

My site is hosted on Azure App Service for Linux, so I want these headers to be output the same way. There are several great choices in the form of Open Source NuGet libraries to help. If I use the ASP.NET Core middleware pipeline then these headers will be output and work the SAME on both Windows AND Linux.

I'll be using the NWebsec Security Libraries for ASP.NET Core. They offer a simple fluent way to add the headers I want.

TO BE CLEAR: Yes I, or you, can add these headers manually with AddHeader but these simple libraries ensure that our commas and semicolons are correct. They also offer a strongly typed middleware that is fast and easy to use.

Taking the same web.config above and translating it to Startup.cs's Configure Pipeline with NWebSec looks like this:

// Strict-Transport-Security (HSTS)
app.UseHsts(options => options.MaxAge(days: 30));
// X-Content-Type-Options: nosniff
app.UseXContentTypeOptions();
// X-XSS-Protection: 1; mode=block
app.UseXXssProtection(options => options.EnabledWithBlockMode());
// X-Frame-Options: SameOrigin
app.UseXfo(options => options.SameOrigin());
// Referrer-Policy: no-referrer-when-downgrade
app.UseReferrerPolicy(opts => opts.NoReferrerWhenDowngrade());

// Content-Security-Policy, mirroring the web.config above
app.UseCsp(options => options
    .DefaultSources(s => s.Self()
        .CustomSources("data:")
        .CustomSources("https:"))
    .StyleSources(s => s.Self()
        .CustomSources("www.google.com", "platform.twitter.com", "cdn.syndication.twimg.com", "fonts.googleapis.com")
        .UnsafeInline())
    .ScriptSources(s => s.Self()
        .CustomSources("www.google.com", "cse.google.com", "cdn.syndication.twimg.com", "platform.twitter.com" ... )
        .UnsafeInline()
        .UnsafeEval())
);

There is one experimental HTTP header that NWebSec doesn't support (yet) called Feature-Policy. It's a way that your website can declare at the server-side "my site doesn't allow use of the webcam." That would prevent a bad guy from injecting local script that uses the webcam, or some other client-side feature.

I'll do it manually both to make the point that I can, but also that you aren't limited by your security library of choice.

NOTE: Another great security library is Andrew Lock's NetEscapades that includes Feature-Policy as well as some other great features.

Here's my single Middleware that just adds the Feature-Policy header to all responses.

// Feature-Policy: not supported by NWebSec (yet), so set it directly on every response
app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Feature-Policy", "geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'self';vibrate 'none';fullscreen 'self';payment 'none';");
    await next.Invoke();
});
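The web.config headers silently vanished on Linux because nothing checked for them. The following xUnit integration test is an added example, not code from the original post, that boots the app in memory and asserts each header (the NWebSec ones and the manual Feature-Policy) is actually on a response, so the same check runs on Windows and Linux. It assumes the Microsoft.AspNetCore.Mvc.Testing package, a Startup class in the web project, and that "/" serves a page.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Added example: asserts the security headers on a real in-memory response,
// independent of IIS/web.config. Assumes a Startup class and a "/" route.
public class SecurityHeadersTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly HttpClient _client;

    public SecurityHeadersTests(WebApplicationFactory<Startup> factory)
    {
        // HSTS only applies to HTTPS responses, so test over an https base address
        // to make sure Strict-Transport-Security is checked where it matters.
        _client = factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            BaseAddress = new Uri("https://localhost")
        });
    }

    [Theory]
    [InlineData("Strict-Transport-Security", "max-age=")]
    [InlineData("X-Content-Type-Options", "nosniff")]
    [InlineData("X-XSS-Protection", "1; mode=block")]
    [InlineData("X-Frame-Options", "sameorigin")]
    [InlineData("Referrer-Policy", "no-referrer-when-downgrade")]
    [InlineData("Content-Security-Policy", "default-src")]
    [InlineData("Feature-Policy", "camera 'none'")]
    public async Task HomePage_Sends_Security_Header(string name, string expectedFragment)
    {
        var response = await _client.GetAsync("/");

        Assert.True(response.Headers.TryGetValues(name, out var values), $"{name} header is missing");
        var value = string.Join(",", values);
        Assert.Contains(expectedFragment, value, StringComparison.OrdinalIgnoreCase);
    }

    [Fact]
    public async Task HomePage_Does_Not_Leak_Framework_Version_Headers()
    {
        // Mirrors the <remove> entries from web.config: these should never be sent.
        var response = await _client.GetAsync("/");
        Assert.False(response.Headers.Contains("X-Powered-By"), "X-Powered-By leaked");
        Assert.False(response.Headers.Contains("X-AspNet-Version"), "X-AspNet-Version leaked");
    }
}
```

Run it in CI before deploying; had it existed, the F grade would have shown up as a failed build rather than on SecurityHeaders.com.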

Now I'll commit, build, and deploy (all automatic for me using Azure DevOps) and scan the site again:

Score of A on SecurityHeaders.com

That was pretty straightforward and took less than an hour. Your mileage may vary but that's the general idea!

Sponsor: Protect your apps from reverse engineering and tampering with PreEmptive, makers of Dotfuscator. Dotfuscator has been in-the-box with Microsoft Visual Studio since 2003. Mention HANSELMAN for savings on a professional license!

Translated from: https://www.hanselman.com/blog/easily-adding-security-headers-to-your-aspnet-core-web-app-and-getting-an-a-grade
