HTTP Security Header Not Detected

When you encounter this security finding, you only need to modify the Web.config file.

For example:

The configuration before the fix:

<httpProtocol>
    <customHeaders>
        <add name="X-UA-Compatible" value="IE=Edge" />
    </customHeaders>
</httpProtocol>

The configuration after the fix:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff"/>
            <add name="X-XSS-Protection" value="1;mode=block"/>
            <add name="X-Frame-Options" value="SAMEORIGIN"/>
            <add name="Content-Security-Policy" value="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>
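
An added example, not part of the original post: a small Python audit that parses a Web.config fragment, reports which of the four headers configured above are missing from customHeaders, and flags the 'unsafe-inline' and 'unsafe-eval' script sources that the Content-Security-Policy above still allows. The function names, the accepted-value sets and the merging of every customHeaders block into one result are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Headers set by the page's fixed Web.config. The accepted values are this
# example's assumption; None means any non-empty value passes.
REQUIRED = {
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": None,
    "x-frame-options": {"deny", "sameorigin"},
    "content-security-policy": None,
}
# The two snippets from the page, used as sample input.
BEFORE = '<httpProtocol><customHeaders><add name="X-UA-Compatible" value="IE=Edge" /></customHeaders></httpProtocol>'
AFTER = """<system.webServer><httpProtocol><customHeaders>
  <add name="X-Content-Type-Options" value="nosniff"/>
  <add name="X-XSS-Protection" value="1;mode=block"/>
  <add name="X-Frame-Options" value="SAMEORIGIN"/>
  <add name="Content-Security-Policy" value="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';"/>
</customHeaders></httpProtocol></system.webServer>"""

def custom_headers(config_xml):
    """Return {lowercased name: value} after applying <add>/<remove>/<clear> in order."""
    found = {}
    for block in ET.fromstring(config_xml).iter("customHeaders"):
        for child in block:
            name = child.get("name", "").strip().lower()
            if child.tag == "clear":
                found.clear()
            elif child.tag == "remove":
                found.pop(name, None)
            elif child.tag == "add" and name:
                found[name] = child.get("value", "").strip()
    return found

def audit(config_xml):
    """Return (missing, warnings) for the headers in REQUIRED."""
    found, missing, warnings = custom_headers(config_xml), [], []
    for name, allowed in REQUIRED.items():
        value = found.get(name)
        if not value:
            missing.append(name)
        elif allowed is not None and value.lower() not in allowed:
            warnings.append(f"{name}: unexpected value {value!r}")
    # 'unsafe-inline' / 'unsafe-eval' on script sources re-enable what CSP blocks.
    for directive in found.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0] in ("script-src", "default-src"):
            warnings += [f"content-security-policy: {tokens[0]} allows {kw}"
                         for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in tokens[1:]]
    return missing, warnings
```

Calling audit(BEFORE) lists all four headers as missing; audit(AFTER) reports none missing and returns two warnings for the script-src directive.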

 

posted @ 2018-05-18 09:09  努力的喵喵喵