How to add "X-Content-Type-Options: nosniff" in Global.asax.cs to prevent MIME sniffing

Time: 2017-12-19 05:21:55

Tags: c# asp.net asp.net-mvc security

I modified web.config to prevent MIME sniffing.

<configuration>
   <system.webServer>
      <httpProtocol>
         <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
         </customHeaders>
      </httpProtocol>
   </system.webServer>
</configuration>

But the code scanning tool still tells me that global.asax.cs has a vulnerability:

Application_BeginRequest is either empty or does not include a function call to set the X-Content-Type-Options to nosniff or attempts to remove that header.

So how do I set X-Content-Type-Options: nosniff in Global.asax.cs?

1 Answer:

Answer 0: (score: 3)

Using Web.Config

To add these headers, go to the <customHeaders> node added earlier and add them inside the <customHeaders> node.

<httpProtocol>
 <customHeaders>
    <add name="X-Content-Type-Options" value="nosniff" />
 </customHeaders>
</httpProtocol>

Using global.asax.cs

protected void Application_PreSendRequestHeaders(Object source, EventArgs e) {
   // Set the header on the response (not the request) so the browser receives it.
   HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
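
The scanner message quoted in the question checks Application_BeginRequest specifically, so the following added example (not part of the answer above, and not code from any project) sets the header in that handler. The class name MvcApplication is an assumption; use the class your Global.asax file inherits from.

```csharp
using System;
using System.Web;

// Global.asax.cs: MvcApplication is an assumed class name; use the one
// that the Inherits attribute of your Global.asax file points to.
public class MvcApplication : HttpApplication
{
    private const string HeaderName = "X-Content-Type-Options";
    private const string HeaderValue = "nosniff";

    // Runs at the start of every request. This is the handler that the
    // scanner message quoted in the question inspects.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        if (HttpRuntime.UsingIntegratedPipeline)
        {
            // Response.Headers is only usable in IIS integrated pipeline mode.
            // Set() replaces a value already present instead of appending to it.
            response.Headers.Set(HeaderName, HeaderValue);
        }
        else
        {
            // Classic pipeline: accessing Response.Headers throws
            // PlatformNotSupportedException, so fall back to AddHeader.
            response.AddHeader(HeaderName, HeaderValue);
        }
    }
}
```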