偵測到漏洞 HSTS Missing From HTTPS Server (RFC 6797)
原本網站的 Startup.cs 的HTTPS Redirect寫成
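/// <summary>
/// Configures the request pipeline. The site is served behind a reverse proxy that
/// terminates TLS, so the proxy's X-Forwarded-Proto header has to be applied before
/// anything that looks at <c>Request.IsHttps</c> (HSTS, HTTPS redirection).
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment; selects the error-handling branch.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // The parameterless UseForwardedHeaders() applies no headers unless
    // ForwardedHeadersOptions was configured elsewhere (DI or
    // ASPNETCORE_FORWARDEDHEADERS_ENABLED). Without it Request.IsHttps stays false
    // behind the proxy, and UseHsts() only emits Strict-Transport-Security on
    // requests it sees as HTTPS, so the header never reached the client.
    // Apply X-Forwarded-Proto explicitly here. KnownProxies/KnownNetworks keep
    // their loopback defaults: if the proxy is not local, register its address
    // there rather than clearing the lists, so arbitrary clients cannot spoof
    // the scheme.
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto,
    });

    // Redirect plain-HTTP requests to HTTPS. Kept alongside UseHttpsRedirection()
    // below because no HttpsPort is configured for the built-in middleware here.
    app.Use(async (context, next) =>
    {
        bool isSecure = context.Request.IsHttps
            || context.Request.Headers["X-Forwarded-Proto"] == Uri.UriSchemeHttps;
        if (isSecure)
        {
            await next();
            return;
        }

        string queryString = context.Request.QueryString.HasValue
            ? context.Request.QueryString.Value
            : string.Empty;
        // NOTE(review): the redirect target is built from the incoming Host header;
        // this relies on host filtering (AllowedHosts) being enabled — confirm.
        var https = "https://" + context.Request.Host + context.Request.Path + queryString;
        context.Response.Redirect(https);
    });

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
}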
改成
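services.Configure<ForwardedHeadersOptions>(options =>
{
    // Apply the proxy's X-Forwarded-For / X-Forwarded-Proto so Request.IsHttps and
    // RemoteIpAddress reflect the original client request. UseHsts() only emits
    // Strict-Transport-Security on requests it sees as HTTPS, which is why the
    // header was missing before this was configured.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Clearing both lists trusts forwarded headers from ANY source. This is only
    // acceptable when the app is reachable exclusively through the proxy; otherwise
    // register the proxy's address in KnownProxies/KnownNetworks instead of clearing.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});
// Tell the built-in redirect middleware the public HTTPS port; behind a proxy it
// may otherwise be unable to determine the port and skip the redirect.
services.AddHttpsRedirection(opt => opt.HttpsPort = 443);
// ... other registrations omitted ...
}

/// <summary>
/// Configures the request pipeline: forwarded headers, anti-framing header,
/// error handling, HSTS and HTTPS redirection.
/// </summary>
/// <param name="app">The application pipeline builder.</param>
/// <param name="env">The hosting environment; selects the error-handling branch.</param>
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Must run first so Request.IsHttps is correct for UseHsts()/UseHttpsRedirection().
    app.UseForwardedHeaders();

    app.Use(async (context, next) =>
    {
        // Indexer assignment instead of Headers.Add: Add throws ArgumentException
        // when the key is already present (e.g. set by an earlier middleware).
        context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
        await next();
    });

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    // ... other middleware omitted ...
}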
然後就正常了：UseHsts() 只會在它判定為 HTTPS 的請求上加入 Strict-Transport-Security 標頭；設定 ForwardedHeaders.XForwardedProto 之後，經過反向代理的 HTTPS 請求才會被視為 HTTPS，標頭也才會送出。