Asp.net 预结束到WCF服务输出
我正在使用ASP.NET 4 WCF服务进行一些数据事务。为了防止CSRF(跨站点请求伪造),我想在输出中预先添加一些数据。有什么建议吗Asp.net 预结束到WCF服务输出,asp.net,wcf,csrf,Asp.net,Wcf,Csrf,我正在使用ASP.NET 4 WCF服务进行一些数据事务。为了防止CSRF(跨站点请求伪造),我想在输出中预先添加一些数据。有什么建议吗 [ServiceContract] [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)] [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCal
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class TestService : ServiceBase
{
[WebGet(
ResponseFormat = WebMessageFormat.Json,
UriTemplate = "/test.json")
]
public MyResponse Test ()
{
MyResponse resp;
try
{
Response.Write("for(;;){}"); // <-- Fix needed
resp = new MyResponse();
}
catch (Exception ex)
{
AjaxException aex = new AjaxException() {
message = string.Format("Test failed. Exception: {0}.", ex.Message)
};
throw new WebFaultException<AjaxException>(aex, HttpStatusCode.InternalServerError);
}
return resp;
}
}
[DataContract]
public class MyResponse {
public MyResponse() { }
[DataMember()]
public long time = ServiceUtility.Convert(DateTime.Now);
[DataMember()]
public string secret { get; set; }
}
[服务合同]
[AspNetCompatibilityRequirements(RequirementsMode=AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode=InstanceContextMode.PerCall)]
公共类TestService:ServiceBase
{
[WebGet(
ResponseFormat=WebMessageFormat.Json,
UriTemplate=“/test.json”)
]
公共MyResponse测试()
{
MyResp;
尝试
{
Response.Write(“for(;){}”);//我建议您避免在WCF操作上使用HTTP GET方法来更改状态。据我所知,当前浏览器不允许使用JSON内容类型进行跨站点POST请求,因此这应该可以防止CSRF攻击
为了获得更高的安全性,您可以检查HTTP Referer标头,查看服务调用是否来自允许的站点