افزودن هدرهای Content Security Policy به برنامههای ASP.NET
نویسنده: وحید نصیری
تاریخ: ۱۳۹۲/۰۹/۲۹ ۱۳:۰
آدرس: www.dntips.ir
| مطالب | ۳۶۹۴ |
| نویسندگان | ۲۷۶ |
| گروههای مطالب | ۱۰۲۴ |
| نقشههای راه | ۱۱۹ |
| دورهها | ۱۴ |
| اشتراکها | ۱۷۹۱۴ |
Content-Security-Policy: script-src 'self' X-WebKit-CSP: script-src 'self' X-Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src 'self' https://youcdn.com X-WebKit-CSP: script-src 'self' https://yourcdn.com X-Content-Security-Policy: script-src 'self' https://yourcdn.com
Content-Security-Policy: default-src 'self' https://youcdn.com X-WebKit-CSP: default-src 'self' https://yourcdn.com X-Content-Security-Policy: default-src 'self' https://yourcdn.com
using System;
using System.Web;
namespace AntiXssHeaders
{
public class SecurityHeadersConstants
{
public static readonly string XXssProtectionHeader = "X-XSS-Protection";
public static readonly string XFrameOptionsHeader = "X-Frame-Options";
public static readonly string XWebKitCspHeader = "X-WebKit-CSP";
public static readonly string XContentSecurityPolicyHeader = "X-Content-Security-Policy";
public static readonly string ContentSecurityPolicyHeader = "Content-Security-Policy";
public static readonly string XContentTypeOptionsHeader = "X-Content-Type-Options";
}
public class ContentSecurityPolicyModule : IHttpModule
{
public void Dispose()
{ }
public void Init(HttpApplication app)
{
app.BeginRequest += AppBeginRequest;
}
void AppBeginRequest(object sender, EventArgs e)
{
var app = (HttpApplication)sender;
var response = app.Context.Response;
setHeaders(response);
}
private static void setHeaders(HttpResponse response)
{
response.Headers.Set(SecurityHeadersConstants.XFrameOptionsHeader, "SameOrigin");
// For IE 8+
response.Headers.Set(SecurityHeadersConstants.XXssProtectionHeader, "1; mode=block");
response.Headers.Set(SecurityHeadersConstants.XContentTypeOptionsHeader, "nosniff");
//todo: Add /Home/Report --> public JsonResult Report() { return Json(true); }
const string cspValue = "default-src 'self';";
// For Chrome 16+
response.Headers.Set(SecurityHeadersConstants.XWebKitCspHeader, cspValue);
// For Firefox 4+
response.Headers.Set(SecurityHeadersConstants.XContentSecurityPolicyHeader, cspValue);
response.Headers.Set(SecurityHeadersConstants.ContentSecurityPolicyHeader, cspValue);
}
}
} //// RegisterGlobalFilters -> filters.Add(new ContentSecurityPolicyFilterAttribute());
public class ContentSecurityPolicyFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var response = filterContext.HttpContext.Response;
response.AddHeader("Content-Security-Policy", "script-src 'self'");
// the rest ...
base.OnActionExecuting(filterContext);
}
} <script type="text/javascript">
$(document).ready(function () {
PopupForm.ShowForm({
renderFormUrl : "/postreply/renderreplyform",
.....
});
});
</script> <script type="text/javascript">
alert('test');
</script> @{
var id = Guid.NewGuid().ToString("N");
var functionName = string.Format("______{0}________()", Guid.NewGuid().ToString("N"));
<script type="text/javascript">
$(function () {
$('#@id').prop('disabled', false);
});
function @functionName{
$('#@id').prop('disabled', true);
$.post("@Model.RefreshUrl", { @Model.TokenParameterName: $('#@Model.TokenElementId').val() }, function () {
$('#@id').prop('disabled', false);
});
return false;
}
</script>
} <system.webServer>
<httpProtocol>
<customHeaders>
<!-- SECURITY HEADERS - https://securityheaders.io/? -->
<!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Protects against Clickjacking attacks. ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
<!-- Protects against XSS injections. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
<add name="X-XSS-Protection" value="1; mode=block" />
<!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- CSP modern XSS directive-based defence, used since 2014. ref.: http://content-security-policy.com/ -->
<add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" />
<!-- Prevents from leaking referrer data over insecure connections. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="strict-origin" />
</customHeaders>
</httpProtocol>
</system.webServer>