使用 asp .net core 3 的 Web 安全审计问题

Question

我试图在http://observatory.mozilla.org 上以 B 或 A 的成绩通过考试，而我的成绩是“C”。我实现了中间件来设置安全标头和 cookie，但仍然不明白如何解决一些问题。我所有的脚本和 javascript 都是通过 src 标签加载的，没有内联样式。有人可以给我一些想法来解决我遇到的各种我似乎无法解决的问题吗？

我的 content-security-policy 是 default-src https: 'self';对象源“无”；框架祖先“无”；基 uri '无'; font-src https: 数据：

我的饼干所示：.AspNetCore.Antiforgery.GOAuSILz_xU = CfDJ8D3hsoQ239JIszuJwoP5ibPL-N9p62srnnwCdREtuQ0bGMft1N7bQulP3alJ4DsTVOUX_i76TbLdQtUjp1UgKAFup-FCj46R5vBSBujuDbXJDSbtQ2xgICsW_CofHqShdiLQj8xefPjmQvYYQMEL2d0;路径=/;同站点=严格；仅限http

这是我的代码：

public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
            options.Secure = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
            options.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.None;
        });

        services.AddSession(opts =>
        {
            opts.Cookie.IsEssential = true; // make the session cookie Essential,
            opts.Cookie.HttpOnly = false;
            opts.Cookie.SecurePolicy = HostingEnvironment.IsDevelopment() ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
        });

        services.AddSession();
        services.Configure<Credentials>(Configuration.GetSection("Credentials"));
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseSecurityHeadersMiddleware(
           new SecurityHeadersBuilder()
               .AddDefaultSecurePolicy());

        app.UseSession();
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        //app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }

如果需要，这里是 web.config

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-UA-Compatible" value="IE=edge" />
        <add name="Cache-Control" value="public, max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

Answer 1

配置服务：

services.Configure<CookiePolicyOptions>(opts =>
            {
                opts.CheckConsentNeeded = _ => true;
                opts.HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always;
                opts.Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
                opts.MinimumSameSitePolicy = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            });
            services.AddSession(opts =>
            {
                opts.Cookie.IsEssential = true;
                opts.Cookie.HttpOnly = true;
                opts.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
                opts.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
            });

别忘了添加 UseCookiePolicy 中间件：

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy(); //here
app.UseSession();
app.UseRouting();