301重定向响应中缺少标头

时间:2018-09-06 15:29:49

标签: response-headers

笔测试器已为我们的一位客户标记为,我们构建的网站未针对302、500和403响应返回正确的标题。我对此进行了测试,在提琴手中,我看到从302返回的标头确实与正常的200响应不同。我已经检查了配置文件,可以看到所有标头都在配置文件中。

为什么标题不同,我需要做什么来解决此问题?

笔测试仪的响应如下:

The following HTTP security headers were found to be missing from 403, 302 and 500 responses:
• HTTP Strict Transport Security (HSTS) – The header ensures that supported browsers should only interact with it using HTTPS protocol, rejecting the insecure HTTP protocol, protecting against protocol downgrade attacks and cookie hijacking.
• X-Frame-Options – The header ensures that the browser must not display the transmitted content in frames of other web pages, protecting against Clickjacking attacks.
• X-XSS-Protection – The header will force the browser to enable any available Cross-Site Scripting filter, providing an additional defence against Cross-Site Scripting attacks.
• X-Content-Type-Options – The header will prevent the browser from interpreting files as something else other than what is declared by the content type, which can help protect against some Cross-Site Scripting attacks.
• Referrer Policy – The header governs which referrer information is sent in the Referer header along with requests.

我的Web配置文件是:

    <add name="Vary" value="Accept-Encoding"/>
    <add name="X-UA-Compatible" value="IE=edge"/>
    <add name="P3P" value="policyref=&quot;/w3c/p3p.xml&quot;, CP=&quot;This is not a privacy policy!&quot;"/>
    <add name="E-TAG" value=""/>
    <add name="Arr-Disable-Session-Affinity" value="True"/>
    <add name="Access-Control-Allow-Origin" value="*"/>
    <add name="Access-Control-Allow-Methods" value="*"/>
    <add name="Access-Control-Allow-Headers" value="*"/>
    <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains"/>
    <add name="Referrer-Policy" value="strict-origin"/>
    <add name="x-Content-Type-Options" value="nosniff"/>

<nwebsec>
        <httpHeaderSecurityModule xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd" xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <redirectValidation enabled="false" />
            <securityHttpHeaders>
                <x-Frame-Options policy="Deny" />
                <strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="true" preload="true" />
                <x-Content-Type-Options enabled="true" />
                <x-Download-Options enabled="true" />
                <x-XSS-Protection policy="FilterEnabled" blockMode="true" />
                <content-Security-Policy enabled="false" />
            </securityHttpHeaders>
        </httpHeaderSecurityModule>
    </nwebsec>

并返回200响应:

Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff

但是302返回:-

Vary: Accept-Encoding
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff

在我看来,所有x- *标头都丢失了吗?

1 个答案:

答案 0 :(得分:0)

不是权威性的答案,但:我看不到X标头带有302的点,或者在正常情况下看不到403或500的点。它们指示您的浏览器如何处理返回页面的各个方面, (通常)没有返回带有这些响应代码的页面。 与在https://security.stackexchange.com/questions/188134/x-frame-options-header-on-redirect

上回答的一般想法相同

我还没有发现将HSTS应用于这些回应的任何体面讨论。我建议在大多数情况下将HSTS包括在内实际上是无关紧要的,但从理论上讲是理想的(除了URL缩短器始终是重定向的例外,因此,如果您未将30X包括在内,大多数访问者就不会获得HSTS指令)。

对于每个https://www.w3.org/TR/referrer-policy/#set-requests-referrer-policy-on-redirect,似乎应将Referrer-Policy包含在重定向中。 403和500似乎无关紧要(同样,除非您包含包含这些回复的页面)。

再一次,而不是权威,尽管进行了相当多的搜索,但我还没有找到令人信服的答案,因此,仅将其作为一种意见。