Is CORS AllowAnyOrigin safe?

Time: 2020-07-28 10:23:26

Tags: c# asp.net-core cors core

I just looked through our new website's backend code and found this:

services.AddCors(o => o.AddDefaultPolicy(builder =>
{
    builder.AllowAnyOrigin()
        .AllowAnyMethod()
        .AllowAnyHeader();
}));


services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Configuration["Jwt:Issuer"], //--> AppSetting.Json
        ValidAudience = Configuration["Jwt:Issuer"], //--> AppSetting.Json
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
    };
});

Is this safe? If any origin is allowed, is user authentication sufficient?

1 answer:

Answer 0: (score: 3)