Http headers: Azure Web App on Linux, Kestrel not picking up Web.config changes

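I have hosted a React application on an Azure Web App on Linux. It uses Kestrel as the web server. I want to add security headers to the web app, but the Web.config file I added for this does not show any changes.

I created another web app on an Azure Windows Web App and updated the web.config file as shown below when adding the security headers.

But on the Azure Linux Web App, this file does not work.

The Web.config file I am using: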

<?xml version="1.0" encoding="UTF-8"?>
<configuration>  
    <system.web>
        <httpRuntime enableVersionHeader="false" />
    </system.web>
    <system.webServer>        
        <!-- START x-xss protection -->
        <httpProtocol>
            <customHeaders>
                    <!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
                  <add name="X-Frame-Options" value="SAMEORIGIN" />
                  <!-- Tells browsers to use HTTPS only for this host (HSTS). ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
                  <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
                  <!-- Protects against XSS injections. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
                  <add name="X-XSS-Protection" value="1; mode=block" />
                  <!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
                  <add name="X-Content-Type-Options" value="nosniff" />
                  <!-- CSP modern XSS directive-based defence, used since 2014. ref.: http://content-security-policy.com/ -->
                  <add name="Content-Security-Policy" value="default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" />
                  <!-- Prevents from leaking referrer data over insecure connections. ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
                  <add name="Referrer-Policy" value="strict-origin" />
                  <add name="Feature-Policy" value="accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" />
                  <remove name="X-Powered-By" />                          
            </customHeaders>
        </httpProtocol>
        <!-- END x-xss protection -->
        <rewrite>
            <rules>
                <!-- BEGIN rule TAG FOR HTTPS REDIRECT -->
                <rule name="Force HTTPS" enabled="true">
                  <match url="(.*)" ignoreCase="false" />
                  <conditions>
                    <add input="{HTTPS}" pattern="off" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
                <!-- END rule TAG FOR HTTPS REDIRECT -->       
            </rules>
            <outboundRules>
            <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
              </conditions>
              <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
            </rule>
            <rule name="CSP">
              <match serverVariable="RESPONSE_Content-Security-Policy" pattern=".*" />
            </rule>
            </outboundRules>
        </rewrite>        
    </system.webServer>
</configuration>

On a Linux Web App, you have to use a .htaccess config, which differs slightly from Web.config but lets you configure similar settings.
Web.config is only used in IIS/Windows-based environments.

I have made the changes for this in .htaccess, but it is not working; it is not using the .htaccess.
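
Added example, not part of the original thread: a Python check that reads the `<customHeaders>` section of a Web.config like the one in the question and reports which declared headers a response lacks, which confirms whether the server applied the file at all. The config excerpt, the sample response headers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the <customHeaders> section from the question's Web.config.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin" />
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed response headers, as returned when the file is not applied.
SAMPLE_RESPONSE = {"Content-Type": "text/html", "Server": "Kestrel"}


def expected_headers(web_config_xml):
    """Return (headers to add, header names to remove), names lower-cased."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    custom = root.find("system.webServer/httpProtocol/customHeaders")
    to_add, to_remove = {}, set()
    for el in (custom if custom is not None else []):
        name = el.get("name", "").lower()
        if el.tag == "add":
            to_add[name] = el.get("value", "")
        elif el.tag == "remove":
            to_remove.add(name)
    return to_add, to_remove


def audit(web_config_xml, response_headers):
    """List (finding, header) pairs where the response disagrees with the config."""
    to_add, to_remove = expected_headers(web_config_xml)
    seen = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = [("missing" if n not in seen else "mismatch", n)
                for n, v in to_add.items() if seen.get(n) != v]
    findings += [("not-removed", n) for n in to_remove if n in seen]
    return sorted(findings)


if __name__ == "__main__":
    for finding, header in audit(WEB_CONFIG, SAMPLE_RESPONSE):
        print(f"{finding}: {header}")
```

For a live check, pass the headers of a real response (for example `dict(urllib.request.urlopen(url).headers)`) in place of `SAMPLE_RESPONSE`.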