我正在尝试在CSRF保护的同时在不同的主机(即www.example.com和api.example.com)上设置UI和API。
我遵循了MSFT文档(https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2#configure-antiforgery-features-with-iantiforgery)并遵循了Angular
ConfigureServices
services.AddAntiforgery(options =>
{
options.HeaderName = "X-XSRF-TOKEN";
});
services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
{
builder.WithOrigins("https://www.example.com")
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
}));
配置
app.UseCors("CorsPolicy");
app.Use(next => context =>
{
if (context.Request.Path.Value.IndexOf("/api", StringComparison.OrdinalIgnoreCase) != -1)
{
var tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
new CookieOptions()
{
HttpOnly = false
});
}
context.Response.Headers.Remove("Server");
return next(context);
});