Clickjacking hijacks the clicks a user makes while browsing a web page, so that a click produces behaviour the user did not intend. The defence is to set the X-Frame-Options response header, which tells the browser whether the page may be embedded in a frame by another site. For example, if your own site carries ads, this setting protects the people browsing ssorc.tw.

OWASP lists several headers that need security settings, with a description of each, and a reference configuration can be found here.
```apache
# vi /etc/httpd/conf.d/secure.conf

# Clickjacking protection: allow iframes from same origin
Header always append X-Frame-Options "SAMEORIGIN"
Header always append Frame-Options "SAMEORIGIN"

# Enforce HTTPS connections for all requests, including subdomains
Header always append Strict-Transport-Security "max-age=16070400; includeSubDomains"

# IE8+ and variants, XSS Protection
Header always append X-XSS-Protection "1; mode=block"

# Protection from drive-by dynamic/executable IE files
Header always append X-Content-Type-Options "nosniff"

# Strict Content Security Policy, deny all external requests
# for custom CSP headers use: http://cspbuilder.info/
# Use this with care: it can break the site layout
# (directive names take no colon, e.g. "connect-src 'self'")
Header always append Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
Header always append X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
Header always append X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
```
Another setting that mitigates XSS is the HttpOnly cookie flag.

```ini
# vi /etc/php.ini
session.cookie_httponly = True
```

or

```apache
# vi /etc/httpd/conf.d/secure.conf

# Using HttpOnly and Secure Flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# or, for older versions
Header set Set-Cookie HttpOnly;Secure
```
The remaining settings are noted here as well.

Hide the Apache version:

```apache
ServerTokens Prod
ServerSignature Off
```
Mitigate DoS attacks (the Apache Range header exploit):

```apache
# vi /etc/httpd/conf.d/secure.conf

# Apache Range Exploit
RequestHeader unset Range
RequestHeader unset Request-Range
```
Hide the PHP version:

```ini
# vi /etc/php.ini
expose_php = off
```

```apache
# vi /etc/httpd/conf.d/secure.conf

# hide php version
Header unset X-Powered-By
```
You can inspect the response headers with curl:

```shell
curl -I http://ssorc.tw/
```
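To check the output of such a request against the settings described above, here is an added example (not part of the original post): it parses a raw header block and reports which of the hardening headers are missing or weak. The sample response is constructed to show a partially hardened host, not a real capture.

```python
"""Audit a raw HTTP response header block for the hardening settings above."""
import re

# Constructed sample, roughly what `curl -I` prints for a host with only
# part of secure.conf applied (not a real capture).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: PHPSESSID=abc123; path=/
"""

def parse_headers(raw):
    """Return {lower-case-name: [values]} from a status line plus header block."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # end of header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if headers.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    hsts = headers.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 15552000:   # under ~180 days is weak
        findings.append("Strict-Transport-Security missing or max-age too short")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")
    for cookie in headers.get("set-cookie", []):
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        missing = {"httponly", "secure"} - flags
        if missing:
            findings.append("Set-Cookie lacks %s: %s"
                            % (", ".join(sorted(missing)), cookie.split(";")[0]))
    if "x-powered-by" in headers:
        findings.append("X-Powered-By discloses the PHP version")
    if re.search(r"/\d", headers.get("server", [""])[0]):
        findings.append("Server header discloses a version (use ServerTokens Prod)")
    return findings

for finding in audit(parse_headers(SAMPLE_RESPONSE)):
    print("FAIL:", finding)
```

Feed it the real output of `curl -I` (or `curl -sD - -o /dev/null`) to verify that secure.conf is actually taking effect after a reload.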
Comments

```apache
# Disable directory listing
Options -Indexes

# Deny access to directories that are not meant to be public
Order Deny,Allow
Deny from All

# Do not expose inode number, multipart MIME boundary or child process in ETag
FileETag None

# Run the apache service as the apache user
User apache
Group apache

# Do not allow settings to be overridden via .htaccess
AllowOverride None

# Disable Trace HTTP Request
TraceEnable off

# Disable SSI - Server Side Include
Options -Indexes -Includes

# Disable HTTP 1.0 Protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
```

ref: http://chandank.com/webservers/apache/apache-web-server-hardening-security