DevExpress-Examples/asp-net-core-dashboard-antiforgery

GitHub: DevExpress-Examples/asp-net-core-dashboard-antiforgery

Demonstrates how to integrate antiforgery token validation into the DevExpress ASP.NET Core BI Dashboard control to prevent cross-site request forgery (CSRF) attacks.

Stars: 1 | Forks: 0

![](https://img.shields.io/endpoint?url=https://codecentral.devexpress.com/api/v1/VersionRange/381088552/24.2.1%2B) [![](https://img.shields.io/badge/Open_in_DevExpress_Support_Center-FF7200?style=flat-square&logo=DevExpress&logoColor=white)](https://supportcenter.devexpress.com/ticket/details/T1010110) [![](https://img.shields.io/badge/📖_How_to_use_DevExpress_Examples-e9f6fc?style=flat-square)](https://docs.devexpress.com/GeneralInformation/403183) [![](https://img.shields.io/badge/💬_Leave_Feedback-feecdd?style=flat-square)](#does-this-example-address-your-development-requirementsobjectives)

# BI Dashboard for ASP.NET Core - How to Prevent Cross-Site Request Forgery (CSRF) Attacks

The following example applies antiforgery request validation to the DevExpress ASP.NET Core Dashboard control.

## Example Overview

Follow the steps below to apply antiforgery request validation.

### Configure a Custom Dashboard Controller

1. Create a custom dashboard controller. You can skip this step if you already have a custom controller.

   ```cs
   namespace AspNetCoreDashboardPreventCrossSiteRequestForgery.Controllers {
       public class CustomDashboardController : DashboardController {
           public CustomDashboardController(CustomDashboardConfigurator configurator, IDataProtectionProvider dataProtectionProvider = null)
               : base(configurator, dataProtectionProvider) {
           }
       }
   }
   ```

2. Change the default route to use the created controller.

   ```cs
   app.UseEndpoints(endpoints => {
       endpoints.MapDashboardRoute("dashboardControl", "CustomDashboard");
       // ...
   });
   ```

3. Specify the controller name in the Web Dashboard settings.

   ```cshtml
   @(Html.DevExpress().Dashboard("dashboardControl1")
       ...
       .ControllerName("CustomDashboard")
   )
   ```

### Add Validation for AntiforgeryToken

1. Add the `Antiforgery` service. The header name configured here is the header the Dashboard control will send with every request in step 3, so the two must match exactly.

   ```cs
   services.AddAntiforgery(options => {
       // Set Cookie properties using CookieBuilder properties.
       options.FormFieldName = "X-CSRF-TOKEN";
       options.HeaderName = "X-CSRF-TOKEN";
       // Keep the X-Frame-Options: SAMEORIGIN header that the antiforgery system emits.
       options.SuppressXFrameOptionsHeader = false;
   });
   ```

2. Add the `AutoValidateAntiforgeryToken` attribute to the custom controller. The attribute validates the token on every unsafe HTTP method (POST, PUT, PATCH, DELETE); GET, HEAD, OPTIONS and TRACE requests are not checked. A request that fails validation is rejected with HTTP 400 before the action method runs.

   ```cs
   [AutoValidateAntiforgeryToken]
   public class CustomDashboardController : DashboardController {
       // ...
   }
   ```

3. Configure the Web Dashboard control's backend options so that every request the control sends to the controller carries the request token in the `X-CSRF-TOKEN` header.

   ```cshtml
   @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf

   @(Html.DevExpress().Dashboard("dashboardControl1")
       ...
       .ControllerName("CustomDashboard")
       .BackendOptions(backendOptions => {
           backendOptions.RequestHttpHeaders(headers => {
               headers.Add("X-CSRF-TOKEN", Xsrf.GetAndStoreTokens(HttpContext).RequestToken);
           });
       })
   )
   ```

## Files to Review

* [CustomDashboardController.cs](./CS/AspNetCoreDashboardPreventCrossSiteRequestForgery/Controllers/CustomDashboardController.cs)
* [Index.cshtml](./CS/AspNetCoreDashboardPreventCrossSiteRequestForgery/Pages/Index.cshtml)
* [Startup.cs](./CS/AspNetCoreDashboardPreventCrossSiteRequestForgery/Startup.cs)

## Documentation

- [Web Dashboard - Security Considerations](https://docs.devexpress.com/Dashboard/118651/web-dashboard/general-information/security-considerations)
- [Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core](https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery)
- [CA3147: Mark verb handlers with ValidateAntiForgeryToken](https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca3147)

## More Examples

- [ASP.NET MVC Dashboard - How to prevent cross-site request forgery (CSRF) attacks](https://github.com/DevExpress-Examples/asp-net-mvc-dashboard-antiforgery)

## Does this example address your development requirements/objectives?

[Yes](https://www.devexpress.com/support/examples/survey.xml?utm_source=github&utm_campaign=asp-net-core-dashboard-antiforgery&~~~was_helpful=yes) [No](https://www.devexpress.com/support/examples/survey.xml?utm_source=github&utm_campaign=asp-net-core-dashboard-antiforgery&~~~was_helpful=no)

(you will be redirected to DevExpress.com to submit your response)
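The two procedures above (configuring the custom controller, then adding antiforgery validation) are spread over Startup.cs, the controller and the Razor page. As an added example that is not one of the repository's files, the following single `Program.cs` (ASP.NET Core 6+ minimal hosting) carries out every step in one place and additionally hardens the antiforgery cookie. Assumptions not taken from the README: minimal hosting instead of `Startup.cs`, the DevExpress namespaces used in the `using` directives, a `CustomDashboardConfigurator` (the README's own type, defined elsewhere in the project) that the DI container can construct, and the `/antiforgery/token` endpoint path.

```csharp
// Added example for this README, not one of the repository's files: a single
// Program.cs (ASP.NET Core 6+ minimal hosting) that carries out both procedures
// above and hardens the antiforgery cookie. Assumptions not taken from the
// README: minimal hosting instead of Startup.cs, the DevExpress namespaces
// below, a CustomDashboardConfigurator (the README's own type, defined
// elsewhere in the project) that DI can construct, and the token endpoint path.
using DevExpress.AspNetCore;
using DevExpress.DashboardAspNetCore;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();                          // hosts Index.cshtml
builder.Services.AddControllers();                         // CustomDashboardController is an MVC controller
builder.Services.AddDevExpressControls();                  // DevExpress.AspNetCore registration
builder.Services.AddScoped<CustomDashboardConfigurator>(); // assumed to be DI-constructible

builder.Services.AddAntiforgery(options =>
{
    // Header and form-field names. The Razor view's BackendOptions must send
    // exactly this header, otherwise every dashboard request is answered 400.
    options.FormFieldName = "X-CSRF-TOKEN";
    options.HeaderName = "X-CSRF-TOKEN";

    // false keeps the X-Frame-Options: SAMEORIGIN header that the antiforgery
    // system emits when it issues tokens (clickjacking defence).
    options.SuppressXFrameOptionsHeader = false;

    // Cookie hardening. Set every flag explicitly instead of trusting defaults.
    // The __Host- prefix makes browsers reject the cookie unless it is Secure,
    // has Path=/ and carries no Domain attribute, so a misconfiguration fails
    // loudly instead of silently weakening the cookie/token binding.
    options.Cookie.Name = "__Host-Antiforgery";
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.Path = "/";
});

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseDevExpressControls();
app.UseRouting();
app.UseAuthorization();

app.MapRazorPages();

// Route prefix and controller name must match the view:
// Html.DevExpress().Dashboard("dashboardControl1").ControllerName("CustomDashboard")
app.MapDashboardRoute("dashboardControl", "CustomDashboard");

// Beyond the README: a host page that is not a Razor view (plain HTML plus the
// dashboard JavaScript API) cannot @inject IAntiforgery. It can GET this
// endpoint instead, which issues the antiforgery cookie and returns the matching
// request token, and then set the X-CSRF-TOKEN header on the client side.
// The endpoint path is an assumption of this example.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext context) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    return Results.Ok(new { headerName = tokens.HeaderName, token = tokens.RequestToken });
});

app.Run();

// Every unsafe verb (POST, PUT, PATCH, DELETE) reaching this controller must
// carry a request token that matches the antiforgery cookie; otherwise MVC
// answers 400 Bad Request before the action runs. GET, HEAD, OPTIONS and TRACE
// are not validated, so nothing reachable through those verbs may change state.
[AutoValidateAntiforgeryToken]
public class CustomDashboardController : DashboardController
{
    public CustomDashboardController(CustomDashboardConfigurator configurator,
        IDataProtectionProvider? dataProtectionProvider = null)
        : base(configurator, dataProtectionProvider) { }
}
```

To confirm the protection is active, issue a POST to any dashboard backend URL under `/dashboardControl/` with the antiforgery cookie but without the `X-CSRF-TOKEN` header (for example from the browser console with `fetch(url, { method: "POST", credentials: "include" })`): the response must be 400, while the same request made by the Dashboard control, which adds the header through `BackendOptions`, succeeds.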