html5 mime sniffing fortify asp net

今天來談談fortify 的html5 mime sniffing 部分修正,如下所示:

停用自動 MIME 探查

如果應用程式是由 Internet Information Services (IIS) 7 或更新版本所裝載，請在 web.config 檔案中新增標頭

<system.webServer>

<httpProtocol>

<customHeaders>

<add name="X-Content-Type-Options" value="nosniff"/>

</customHeaders>

</httpProtocol>

</system.webServer>

透過全域 Application_BeginRequest 新增標頭(Global_asax

void Application_BeginRequest(object sender, EventArgs e)

{

this.Response.Headers["X-Content-Type-Options"] = "nosniff";

})

 Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)

        Me.Response.Headers("X-Content-Type-Options") = "nosniff"

 End Sub

資料來源:http://b00.tw/J1Kuo