Clickjacking 就是讓使用者在瀏覽網頁的點擊動作進行綁架,讓點擊動作產生非使用者所預期的行為,防禦方式就是設定 X-Frame-Options ,讓表頭回應時不受嵌入式網站影響,比方說自已的網站有放廣告的話,這麼設定就可以保護瀏覽 ssorc.tw 的人

OWASP 列出幾個 Header 需要安全性設定及描述,而 這裡 有設定參考

# vi /etc/httpd/conf.d/secure.conf
# Clickjacking protection: allow iframes from same origin
Header always append X-Frame-Options "SAMEORIGIN "
Header always append Frame-Options "SAMEORIGIN"

# Enforce HTTPS connections for all requests, including subdomains
Header always append STRICT-TRANSPORT-SECURITY "max-age=16070400; includeSubDomains"

# IE8+ and variants, XSS Protection
Header always append X-XSS-Protection "1;mode=block"

# Protection from drive-by dynamic/executable IE files
Header always append X-Content-Type-Options "nosniff"

# Strict Content Security Policy, deny all external requests
# for custom CSP headers use: http://cspbuilder.info/
# 這個要小心使用,它會讓網站版面壞掉
Header always append Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self';"
Header always append X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self';"
Header always append X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self';"

另一個減輕 XSS 攻擊的設定是 HttpOnly

# vi /etc/php.ini
session.cookie_httponly = True

或

# vi /etc/httpd/conf.d/secure.conf
# Using HttpOnly and Secure Flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly; Secure

# or 舊版本
Header set Set-Cookie HttpOnly;Secure

其它的我一併再備註在這裡

關閉 Apache 版本

ServerTokens Prod
ServerSignature Off

防 DOS 攻擊

# vi /etc/httpd/conf.d/secure.conf
# Apache Range Exploit
RequestHeader unset Range
RequestHeader unset Request-Range

隱藏 PHP 版本

# vi /etc/php.ini
expose_php = off

# vi /etc/httpd/conf.d/secure.conf
# hide php version
Header unset X-Powered-By

可用 curl 查看表頭資訊

curl -I http://ssorc.tw/


http://chandank.com/tools/tool.php?id=check-headers

最後修改日期: 2014 年 12 月 26 日

作者

留言

作者

# 關閉檔案 list
Options -Indexes

# 針對不開放的目錄不允許存取
Order Deny,Allow
Deny from All

# 禁止存取 inode number , multipart MIME boundary , child process
FileETag None

# 讓 apache service 用 apache user 運作
User apache
Group apache

# 不允許透過 .htaccess 修改設定
AllowOverride None

# Disable Trace HTTP Request
TraceEnable off

# disable SSI – Server Side Include
Options –Indexes -Includes

# Disable HTTP 1.0 Protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* – [F]

ref : http://chandank.com/webservers/apache/apache-web-server-hardening-security

[Reply]

撰寫回覆或留言

發佈留言必須填寫的電子郵件地址不會公開。