笔测试器已为我们的一位客户标记为,我们构建的网站未针对302、500和403响应返回正确的标题。我对此进行了测试,在提琴手中,我看到从302返回的标头确实与正常的200响应不同。我已经检查了配置文件,可以看到所有标头都在配置文件中。
为什么标题不同,我需要做什么来解决此问题?
笔测试仪的响应如下:
The following HTTP security headers were found to be missing from 403, 302 and 500 responses:
• HTTP Strict Transport Security (HSTS) – The header ensures that supported browsers should only interact with it using HTTPS protocol, rejecting the insecure HTTP protocol, protecting against protocol downgrade attacks and cookie hijacking.
• X-Frame-Options – The header ensures that the browser must not display the transmitted content in frames of other web pages, protecting against Clickjacking attacks.
• X-XSS-Protection – The header will force the browser to enable any available Cross-Site Scripting filter, providing an additional defence against Cross-Site Scripting attacks.
• X-Content-Type-Options – The header will prevent the browser from interpreting files as something else other than what is declared by the content type, which can help protect against some Cross-Site Scripting attacks.
• Referrer Policy – The header governs which referrer information is sent in the Referer header along with requests.
我的Web配置文件是:
<add name="Vary" value="Accept-Encoding"/>
<add name="X-UA-Compatible" value="IE=edge"/>
<add name="P3P" value="policyref="/w3c/p3p.xml", CP="This is not a privacy policy!""/>
<add name="E-TAG" value=""/>
<add name="Arr-Disable-Session-Affinity" value="True"/>
<add name="Access-Control-Allow-Origin" value="*"/>
<add name="Access-Control-Allow-Methods" value="*"/>
<add name="Access-Control-Allow-Headers" value="*"/>
<add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains"/>
<add name="Referrer-Policy" value="strict-origin"/>
<add name="x-Content-Type-Options" value="nosniff"/>
<nwebsec>
<httpHeaderSecurityModule xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd" xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<redirectValidation enabled="false" />
<securityHttpHeaders>
<x-Frame-Options policy="Deny" />
<strict-Transport-Security max-age="365" includeSubdomains="true" httpsOnly="true" preload="true" />
<x-Content-Type-Options enabled="true" />
<x-Download-Options enabled="true" />
<x-XSS-Protection policy="FilterEnabled" blockMode="true" />
<content-Security-Policy enabled="false" />
</securityHttpHeaders>
</httpHeaderSecurityModule>
</nwebsec>
并返回200响应:
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff
但是302返回:-
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
P3P: policyref="/w3c/p3p.xml", CP="This is not a privacy policy!"
E-TAG: True
Arr-Disable-Session-Affinity: *
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: max-age=31536000;includeSubDomains
Strict-Transport-Security: strict-origin
Referrer-Policy: nosniff
在我看来,所有x- *标头都丢失了吗?
答案 0 :(得分:0)
不是权威性的答案,但:我看不到X标头带有302的点,或者在正常情况下看不到403或500的点。它们指示您的浏览器如何处理返回页面的各个方面, (通常)没有返回带有这些响应代码的页面。 与在https://security.stackexchange.com/questions/188134/x-frame-options-header-on-redirect
上回答的一般想法相同我还没有发现将HSTS应用于这些回应的任何体面讨论。我建议在大多数情况下将HSTS包括在内实际上是无关紧要的,但从理论上讲是理想的(除了URL缩短器始终是重定向的例外,因此,如果您未将30X包括在内,大多数访问者就不会获得HSTS指令)。>
对于每个https://www.w3.org/TR/referrer-policy/#set-requests-referrer-policy-on-redirect,似乎应将Referrer-Policy包含在重定向中。 403和500似乎无关紧要(同样,除非您包含包含这些回复的页面)。
再一次,而不是权威,尽管进行了相当多的搜索,但我还没有找到令人信服的答案,因此,仅将其作为一种意见。