我有一个 IdentityServer 和一个 Angular 客户端，想为其添加安全响应头。加入下面的代码后，check-session iframe 开始报错；另外，我了解到在 CSP 中包含 `script-src 'self' 'unsafe-inline';` 可能有安全风险，搜索后得知应改用 nonce（随机数）或 sha256 哈希来允许内联脚本，但我不清楚具体怎么用，如果能有示例或说明就好了。这是我的代码：
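// Default security headers for every response.
//
// The headers are written in Response.OnStarting (immediately before the headers
// are flushed) instead of before `next()`. That way an endpoint further down the
// pipeline can set a stricter per-response value — for example a hash- or
// nonce-based Content-Security-Policy for its own inline script — and this
// middleware only fills in the headers that are still missing. With the previous
// "set before next()" ordering this policy always won, because downstream code
// that checks ContainsKey found the header already present.
//
// ClientAddress is read once at startup and validated, so a missing setting fails
// fast instead of silently emitting a frame-ancestors list that excludes the
// client (which would block the check-session iframe).
var clientAddress = Configuration["ClientAddress"];
if (string.IsNullOrWhiteSpace(clientAddress))
{
    throw new InvalidOperationException(
        "Configuration value 'ClientAddress' is required to build the frame-ancestors and X-Frame-Options headers.");
}

// HSTS is suppressed in the Development and DevIIS environments. The original
// condition used `||`, which is always true (a host cannot be both environments
// at once), so HSTS was being sent everywhere. The environment does not change
// per request, so the check is evaluated once here.
var sendHsts = !env.IsEnvironment("Development") && !env.IsEnvironment("DevIIS");

// Content-Security-Policy. Notes for whoever tightens this policy:
//  * There is no default-src, so every fetch directive not listed here
//    (connect-src, font-src, frame-src, media-src, worker-src, ...) is unrestricted.
//  * 'unsafe-inline' in script-src allows any injected inline script to run and
//    removes most of the XSS protection CSP provides. To drop it: generate a
//    per-request nonce (RandomNumberGenerator, base64-encoded), store it in
//    HttpContext.Items, emit 'nonce-<value>' in script-src, and render
//    nonce="<value>" on every inline <script> the application itself serves.
//    Pages whose markup you do not control (e.g. the check-session iframe) must
//    instead be allowed via the 'sha256-...' hash of their script; the simplest
//    way is to let that endpoint set its own CSP, which the OnStarting ordering
//    below now permits.
//  * `sandbox` applies the iframe sandbox model to every response, including the
//    check-session page. If that page relies on postMessage or cookie access,
//    confirm that allow-same-origin/allow-scripts are sufficient for it.
//  * object-src 'none' is the usual recommendation unless plugin content is
//    genuinely required; *.w3.org is kept here only to preserve existing behaviour.
//  * The original string contained an empty ";;" directive after object-src;
//    browsers ignore it, but it is removed here to keep the policy well-formed.
var csp = "img-src 'self' data:;" +
    "style-src 'self';" +
    "script-src 'self' 'unsafe-inline';" +
    "object-src 'self' *.w3.org;" +
    "sandbox allow-forms allow-same-origin allow-scripts;" +
    $"frame-ancestors 'self' {clientAddress}";

// HSTS. The `preload` token is only accepted by hstspreload.org with
// max-age >= 31536000 (one year); with the previous 3600 s value the token was
// meaningless, as the old TODO already noted. Only sent outside Development/DevIIS.
const string hstsValue = "max-age=31536000; includeSubDomains; preload";

app.Use(async (context, next) =>
{
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;

        // Adds a header only when nothing downstream has already set it.
        Action<string, string> setDefault = (name, value) =>
        {
            if (!headers.ContainsKey(name))
            {
                headers.Add(name, value);
            }
        };

        setDefault("X-Content-Type-Options", "nosniff");

        // ALLOW-FROM is non-standard: Chromium-based browsers never supported it
        // and current Firefox ignores it, and wherever CSP frame-ancestors is
        // supported it takes precedence over X-Frame-Options. The frame-ancestors
        // directive in `csp` is therefore the authoritative framing control; this
        // header is kept only for legacy clients.
        setDefault("X-Frame-Options", $"ALLOW-FROM {clientAddress}");

        // Legacy XSS auditor header. Modern browsers have removed the auditor and
        // OWASP now recommends the value "0" because the filter itself was abusable;
        // the existing value is preserved here, but revisit it.
        setDefault("X-Xss-Protection", "1; mode=block");

        setDefault("Content-Security-Policy", csp);
        // Pre-standard header name used by old IE/Firefox versions; same policy.
        setDefault("X-Content-Security-Policy", csp);

        setDefault("Referrer-Policy", "no-referrer");

        if (sendHsts)
        {
            setDefault("Strict-Transport-Security", hstsValue);
        }

        return Task.CompletedTask;
    });

    await next();
});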