Our site was attacked recently; a scan with OWASP ZAP reported the "X-Frame-Options Header Not Set" finding.
To make IIS send the X-Frame-Options response header, add the following to the site's Web.config file:
<system.webServer>
    ...
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
    ...
</system.webServer>
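To confirm the change took effect (and to triage the same ZAP finding on other responses), the following added check classifies a captured response's headers; it is example code written for this note, not part of the original page or of IIS. The sample responses, the header values and the Server string are constructed.

```python
"""Classify a response's clickjacking protection from its headers.

Example added to this note (not from the original page). Works on
(name, value) header lists such as those from http.client or a scanner,
so captured responses can be checked offline.
"""
from typing import Iterable, List, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}


def xfo_status(headers: Iterable[Tuple[str, str]]) -> str:
    """Return "protected", "csp", "missing" or "invalid" for one response.

    "protected": exactly one X-Frame-Options value, DENY or SAMEORIGIN
    "csp":       no X-Frame-Options, but CSP frame-ancestors is present
                 (the modern replacement for this header)
    "missing":   neither header present, i.e. the ZAP finding above
    "invalid":   X-Frame-Options present but unusable (obsolete ALLOW-FROM,
                 a typo) or ambiguous (conflicting duplicate values)
    """
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not xfo:
        return "csp" if any("frame-ancestors" in v.lower() for v in csp) else "missing"
    if len(set(xfo)) != 1 or xfo[0] not in VALID_XFO:
        return "invalid"
    return "protected"


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response head (status line first) into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed samples: an IIS response before and after the Web.config change.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Type: text/html\r\n"
AFTER = BEFORE + "X-Frame-Options: SAMEORIGIN\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, xfo_status(parse_raw_headers(raw)))  # before missing / after protected
```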
References: "Web Security: Configuring the X-Frame-Options Response Header", https://blog.csdn.net/u013310119/article/details/81064943
"Hardening your HTTP response headers", https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options