I modified web.config to prevent MIME sniffing.
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
However, the code scanning tool still tells me that global.asax.cs has a vulnerability:
Application_BeginRequest is either empty or does not include a function call to set the X-Content-Type-Options to nosniff or attempts to remove that header.
So how do I set X-Content-Type-Options: nosniff in Global.asax.cs?
Answer 0 (score: 3)
Using Web.Config
To add these headers, go to the <customHeaders> node added earlier and add them inside the <customHeaders> node.
<httpProtocol>
  <customHeaders>
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>
Using global.asax.cs
protected void Application_PreSendRequestHeaders(Object source, EventArgs e) {
    // Add the header to the outgoing response
    HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
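The scanner finding quoted in the question names Application_BeginRequest specifically. The following is an added example, not code from the question or the answer, showing the header being set in that handler; the class name Global and the two constants are assumptions, and the classic-pipeline branch is included because Response.Headers can only be modified under the IIS integrated pipeline.

```csharp
using System;
using System.Web;

// Assumed class name; use the class that Global.asax's Inherits attribute points at.
public class Global : HttpApplication
{
    // Constants introduced for this example.
    private const string HeaderName = "X-Content-Type-Options";
    private const string HeaderValue = "nosniff";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        if (HttpRuntime.UsingIntegratedPipeline)
        {
            // Set() replaces any value already present for this name on the
            // managed response instead of appending a second one.
            response.Headers.Set(HeaderName, HeaderValue);
        }
        else
        {
            // Classic pipeline: the Response.Headers collection cannot be
            // modified, so fall back to AppendHeader.
            response.AppendHeader(HeaderName, HeaderValue);
        }
    }
}
```

A later call to Response.ClearHeaders() in the same request removes headers set here, so code paths that call it need to set the header again.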