C#: Adding X-Frame-Options header to all pages in MVC 4 application
Original URL: http://stackoverflow.com/questions/16484293/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by Xaxum
I am trying to add the X-Frame-Options header (with value set to "DENY") into my MVC 4 application. I looked around and it seems this is the cleanest way to add for all pages.
However when I add this code it will not build. With an error on OnResultExecuting of
"no suitable method found to override."
public class XframeOptions : ActionFilterAttribute
{
    public override void OnResultExecuting(
        System.Web.Mvc.ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader(
            "X-Frame-Options", "DENY");
    }
}
If this is the cleanest way to do this how can I resolve this error? Is there a better way to handle this in an MVC 4 application?
Accepted answer by Darin Dimitrov
Make sure you inherit from the correct class:
public class XframeOptions : System.Web.Mvc.ActionFilterAttribute
In ASP.NET MVC 4 there's the Web API, which has a different namespace, and since you haven't explicitly specified the namespace I guess that the compiler is picking the wrong class:
System.Web.Http.Filters.ActionFilterAttribute
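An added example, not part of the original thread: the question's filter with the base class fully qualified as the accepted answer advises, registered as a global filter so it runs for every MVC action. The namespace Demo.Website.Filters and the class name XFrameOptionsAttribute are assumptions; FilterConfig follows the MVC 4 project template.

```csharp
using System;
using System.Web.Mvc;

namespace Demo.Website.Filters // hypothetical namespace, not from the thread
{
    // Added example. The base class is fully qualified so the compiler cannot
    // bind to System.Web.Http.Filters.ActionFilterAttribute (Web API).
    public sealed class XFrameOptionsAttribute : System.Web.Mvc.ActionFilterAttribute
    {
        private readonly string _value;

        public XFrameOptionsAttribute() : this("DENY") { }

        public XFrameOptionsAttribute(string value)
        {
            // Accept only DENY and SAMEORIGIN; ALLOW-FROM is obsolete in current browsers.
            if (!string.Equals(value, "DENY", StringComparison.OrdinalIgnoreCase) &&
                !string.Equals(value, "SAMEORIGIN", StringComparison.OrdinalIgnoreCase))
            {
                throw new ArgumentException("Use DENY or SAMEORIGIN.", "value");
            }
            _value = value.ToUpperInvariant();
        }

        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // Child actions (Html.Action) write into the parent response;
            // skipping them keeps the header from being emitted twice.
            if (filterContext.IsChildAction)
            {
                return;
            }
            filterContext.HttpContext.Response.AddHeader("X-Frame-Options", _value);
        }
    }

    // Mirrors App_Start/FilterConfig.cs from the MVC 4 project template,
    // which Global.asax calls with GlobalFilters.Filters.
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new XFrameOptionsAttribute()); // applies to every MVC action
        }
    }
}
```

A global MVC filter covers MVC action results only; static files and other handlers served by IIS do not pass through MVC filters.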
Answer by Vikas Kumar
You are getting this error because you are using the wrong method name; instead of OnResultExecuting use OnResultExecuted.
You should write your method like this:
public class XframeOptionsFilter : System.Web.Mvc.ActionFilterAttribute
{
    public override void OnResultExecuted(System.Web.Mvc.ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader("x-frame-options", "Deny");
    }
}
Answer by shimron
There is another way to do that. Create a custom HttpModule like below:
using System;
using System.Web;

public class XframeOptionsModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        // Run the handler just before the response headers are sent.
        context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
    }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("x-frame-options", "Deny");
    }
}
Then register this module in web.config:
<modules>
    <add name="XframeOptions" type="your module's full type info"/>
</modules>
Answer by robrich
There's no need for a custom HttpModule or ActionFilter if you need it for every page. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options details a much simpler solution:
To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:
<system.webServer>
    <!-- ... -->
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
    <!-- ... -->
</system.webServer>
Answer by Diganta Kumar
To add a deny "x-frame-options" header to all MVC apps you can do the following to avoid a ClickJacking attack.
using System;
using System.Web;

namespace Demo.Website.Modules
{
    public class XfoHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += ContextPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        private void ContextPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny");
        }
    }
}
Add the below to the web.config:
<system.webServer>
    <modules>
        <add name="XfoHeader" type="Demo.Website.Modules.XfoHeaderModule" />
    </modules>
</system.webServer>


Answer by klings
NWebsec lets you set this and other security headers through web.config, OWIN middleware, and/or MVC filter attributes: https://github.com/NWebsec/NWebsec/wiki
Disclaimer: I'm the maintainer of the project.

