dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

'x-content-type-options' header is not specified #5418

Closed ghost closed 5 years ago

ghost commented 6 years ago

default ASP.NET Core Web Application using Kestrel

Require X-Content-Type-Options HTTP response header

blowdart commented 6 years ago

As a work around, you can do it right now via middleware with

using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Logging;

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // Register before UseMvc so the header is set on every MVC response.
    app.Use(async (context, next) =>
    {
        // Headers.Add throws if the key is already present; nothing earlier
        // in this pipeline sets it, so Add is safe here.
        context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
        await next();
    });

    app.UseMvc();
}

Or via nwebsec, which also includes a bunch of security headers.

This may well call for a better header middleware in basic middleware so some of the more common security headers can be set, without undercutting nwebsec.
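A slightly more robust version of the workaround above, as an added example that is not code from the ASP.NET Core project or from NWebSec. The middleware class, its `UseNoSniff` extension and the `Startup` shown are hypothetical names chosen for this illustration. It differs from the inline lambda in two ways: it sets the header from `Response.OnStarting`, which runs just before the response headers are flushed, so a downstream component that clears or rewrites headers cannot silently drop it; and it uses the indexer instead of `Add`, so it overwrites rather than throwing if the header already exists. The test at the end assumes the `Microsoft.AspNetCore.TestHost` and `xunit` packages are referenced.

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

// Hypothetical middleware (not part of ASP.NET Core or NWebSec).
public sealed class NoSniffMiddleware
{
    private const string HeaderName = "X-Content-Type-Options";
    private const string HeaderValue = "nosniff";
    private readonly RequestDelegate _next;

    public NoSniffMiddleware(RequestDelegate next) => _next = next;

    public Task Invoke(HttpContext context)
    {
        // OnStarting fires once, right before the first byte of the body is
        // written, i.e. after MVC and any later middleware have finished
        // touching the response. Setting the header here means nothing
        // downstream can remove it, and the indexer overwrites an existing
        // value instead of throwing like IDictionary.Add would.
        context.Response.OnStarting(state =>
        {
            var response = ((HttpContext)state).Response;
            response.Headers[HeaderName] = HeaderValue;
            return Task.CompletedTask;
        }, context);

        return _next(context);
    }
}

public static class NoSniffMiddlewareExtensions
{
    public static IApplicationBuilder UseNoSniff(this IApplicationBuilder app)
        => app.UseMiddleware<NoSniffMiddleware>();
}

// Hypothetical Startup wiring the middleware in ahead of MVC. Any other
// response-producing middleware (UseStaticFiles, etc.) must also come after
// UseNoSniff, or its responses will not be wrapped by it.
public class Startup
{
    public void ConfigureServices(IServiceCollection services) => services.AddMvc();

    public void Configure(IApplicationBuilder app)
    {
        app.UseNoSniff();
        app.UseMvc();
    }
}

// Verification with the in-memory TestServer: the assertion is what a
// scanner flagging "X-Content-Type-Options header is not specified" checks.
public class NoSniffMiddlewareTests
{
    [Fact]
    public async Task Every_response_carries_nosniff()
    {
        using (var server = new TestServer(new WebHostBuilder().UseStartup<Startup>()))
        using (HttpClient client = server.CreateClient())
        {
            // A route that does not exist still gets a (404) response, and
            // the header must be present on it too.
            HttpResponseMessage response = await client.GetAsync("/does-not-exist");

            Assert.True(response.Headers.TryGetValues("X-Content-Type-Options", out var values));
            Assert.Equal("nosniff", string.Join(",", values));
        }
    }
}
```

Requesting a non-existent route in the test is deliberate: error and fallback responses are the ones most often missed by header middleware that is registered too late in the pipeline, and a header check that only covers the happy path will not catch that.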

RehanSaeed commented 6 years ago

Why not advocate the use of NWebSec like JSON.NET?

As an aside, I saw your thread in the MVP mailing list about SRI. I wrote a tag helper to help with that.

mkArtakMSFT commented 6 years ago

So the work here will be to update the templates to consume the new middleware (referenced https://github.com/aspnet/BasicMiddleware/issues/323).

ryanbrandenburg commented 6 years ago

@mkArtakMSFT can we triage aspnet/BasicMiddleware#323 so we have a better idea of when we'll be able to do this?

ryanbrandenburg commented 6 years ago

@mkArtakMSFT still can't move on this item until aspnet/BasicMiddleware#323 is done, can we triage it?

mkArtakMSFT commented 6 years ago

yeah, that one will most probably land in 3.0. So pushing this out.

ryanbrandenburg commented 5 years ago

Seems this issue ought to be on the Backlog since the issue it depends on is.

ryanbrandenburg commented 5 years ago

Oh, aspnet/Docs doesn't use the same milestones as us. I still think it might belong on the backlog, but I'll leave it up to the managers.

mkArtakMSFT commented 5 years ago

We're closing this issue as external. As pointed out in the referenced issue, there will be docs article on how to do this.