marthijn/Sidio.Web.Security

GitHub: marthijn/Sidio.Web.Security

为 ASP.NET Core 应用提供基于 Mozilla Web 安全指南的安全标头中间件和测试工具的库。

Stars: 3 | Forks: 0

# ASP.NET Core Web 安全 # 项目目标本项目旨在提供一组服务、辅助函数和中间件，可用于保护 ASP.NET Core 应用程序。所有功能均基于 [Mozilla Web 安全指南](https://infosec.mozilla.org/guidelines/web_security)。 # 程序包 ## Sidio.Web.Security.AspNetCore [Sidio.Web.Security.AspNetCore](https://www.nuget.org/packages/Sidio.Web.Security.AspNetCore/) 提供 ASP.NET Core 服务和中间件。该项目面向 .NET 8.0 及更高版本。 [![build](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/e2261dc122103856.svg)](https://github.com/marthijn/Sidio.Web.Security/actions/workflows/build.yml) [![NuGet Version](https://img.shields.io/nuget/v/Sidio.Web.Security.AspNetCore)](https://www.nuget.org/packages/Sidio.Web.Security.AspNetCore/) ## Sidio.Web.Security.Testing [Sidio.Web.Security.Testing](https://www.nuget.org/packages/Sidio.Web.Security.AspNetCore.Mvc/) 提供测试功能，可用于验证安全标头是否正确设置。 [![build](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/e2261dc122103856.svg)](https://github.com/marthijn/Sidio.Web.Security/actions/workflows/build.yml) [![NuGet Version](https://img.shields.io/nuget/v/Sidio.Web.Security.Testing)](https://www.nuget.org/packages/Sidio.Web.Security.Testing/) ## .NET Framework 支持：Sidio.Web.Security [Sidio.Web.Security](https://www.nuget.org/packages/Sidio.Web.Security/) 提供核心功能。可用于面向 .NET Standard 2.0 的项目。如果仍在使用 .NET Framework，使用此程序包会很有用。否则，请使用 [Sidio.Web.Security.AspNetCore](https://www.nuget.org/packages/Sidio.Web.Security.AspNetCore/)。请注意，此程序包不包含 ASP.NET Core 程序包提供的中间件和服务。欢迎为该项目做出贡献或创建面向 .NET Framework 的分支。 [![build](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/e2261dc122103856.svg)](https://github.com/marthijn/Sidio.Web.Security/actions/workflows/build.yml) [![NuGet Version](https://img.shields.io/nuget/v/Sidio.Web.Security)](https://www.nuget.org/packages/Sidio.Web.Security/) ## 代码质量 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=marthijn_Sidio.Web.Security&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=marthijn_Sidio.Web.Security) [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=marthijn_Sidio.Web.Security&metric=coverage)](https://sonarcloud.io/summary/new_code?id=marthijn_Sidio.Web.Security) # 文档请参阅 [维基文档](https://github.com/marthijn/Sidio.Web.Security/wiki/HTTP-headers)。 # 功能 ## HTTP 标头 - Content-Security-Policy：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/Content%E2%80%90Security%E2%80%90Policy） - Referrer-Policy：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/Referrer%E2%80%90Policy） - Report-To：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/Report%E2%80%90To） - Strict-Transport-Security (HSTS)：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/Strict%E2%80%90Transport%E2%80%90Security-(HSTS） - X-Content-Type-Options：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/X%E2%80%90Content%E2%80%90Type%E2%80%90Options） - X-Frame-Options：[文档](https://github.com/marthijn/Sidio.Web.Security/wiki/X%E2%80%90Frame%E2%80%90Options）在 [维基文档](https://github.com/marthijn/Sidio.Web.Security/wiki/HTTP-headers) 中了解更多。 ### 示例 ``` builder.Services .AddContentSecurityPolicy(); ``` ``` app.UseXFrameOptions(); app.UseXContentTypeOptions(); app.UseStrictTransportSecurity(); app.UseContentSecurityPolicy( (services, b) => { b.AddDefaultSrc(x => x.AllowSelf()); b.AddScriptSrc(x => x.AddNonce(services).AllowUnsafeInline().AllowUrl("https://cdn.example.com")); b.AddStyleSrc(x => x.AddNonce(services)); }); ``` 请参阅 [入门指南](https://github.com/marthijn/Sidio.Web.Security/wiki/Getting-started) 和 [推荐的 ASP.NET Core 配置](https://github.com/marthijn/Sidio.Web.Security/wiki/Recommended-configuration-for-ASP.NET-Core)。 ### 报告 API 报告 API 可用于报告内容安全策略违规。在 [维基文档](https://github.com/marthijn/Sidio.Web.Security/wiki/Reporting-API) 中了解更多。 ## 默认策略 - [安全 Cookie 策略](https://github.com/marthijn/Sidio.Web.Security/wiki/Cookies） ## 测试 [Sidio.Web.Security.Testing](https://www.nuget.org/packages/Sidio.Web.Security.AspNetCore.Mvc/) 程序包提供一组可用于测试 ASP.Net Core 应用程序安全配置的函数。[了解更多](https://github.com/marthijn/Sidio.Web.Security/wiki/Testing）。 ## 升级到 2.x 版本在 2.x 版本中，`IDistributedCache` 被 `HybridCache` 取代： - `SubresourceIntegrityOptions`：`AbsoluteExpiration` 属性被移除，取而代之的是 `LocalCacheExpiration` 和 `CacheExpiration` # 贡献欢迎贡献！欢迎创建 Pull Request 或提交 Issue。 # 许可证本项目根据 [MIT 许可证](LICENSE) 授权。本项目中使用的文本（包括本自述文件、代码文档和维基页面）可能来自或基于 [MDN Web Docs](https://developer.mozilla.org/en-US/docs/MDN/)。 [Mozilla 贡献者](https://developer.mozilla.org/en-US/docs/MDN/Community/Roles_teams#contributor) 编写的文档根据 [CC-BY-SA 2.5](https://creativecommons.org/licenses/by-sa/2.5/) 授权。

标签：ASP.NET Core, CORS, CSRF防护, GitHub Advanced Security, HSTS, HTTP安全头, meg, Mozilla Web Security, Web安全, XSS防护, 中间件, 信息安全, 安全加固, 安全头, 安全测试, 攻击性安全, 网络安全, 蓝队分析, 防护框架, 隐私保护