Clickjacking hijacks the clicks a user makes while browsing, so that a click triggers an action the user did not intend. The defence is to set X-Frame-Options, so that the response header stops the page from being rendered inside a frame on another site; for example, if your site carries ads, this setting protects people browsing ssorc.tw.

OWASP lists several headers that need security settings, with a description of each, and a configuration reference is available here.

# vi /etc/httpd/conf.d/secure.conf
# Clickjacking protection: allow iframes from same origin
# ("set" rather than "append": a second X-Frame-Options value makes the header
# invalid and browsers ignore it; the non-standard "Frame-Options" name has no effect)
Header always set X-Frame-Options "SAMEORIGIN"

# Enforce HTTPS connections for all requests, including subdomains
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# IE8+ and variants, XSS Protection
Header always set X-XSS-Protection "1; mode=block"

# Protection from drive-by dynamic/executable IE files
Header always set X-Content-Type-Options "nosniff"

# Strict Content Security Policy, deny all external requests
# for custom CSP headers use: http://cspbuilder.info/
# Use this with care: it can break the site's layout
# (directive names take no colon: "img-src 'self'", not "img-src: 'self'")
Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
# legacy header names for older Firefox / WebKit builds
Header always set X-Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
Header always set X-WebKit-CSP "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"
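A CSP value is easy to get subtly wrong: a directive name followed by a colon (`img-src: 'self'`) is not valid syntax, the browser drops that directive, and the policy silently falls back to `default-src`. The following lint is an added example, not part of the original post or of any Apache tool; it checks each directive name in a policy string before the string goes into secure.conf. The two policies at the bottom are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Content-Security-Policy
# value. Directive names are bare words followed by a space; a trailing colon
# ("img-src:") is a syntax error that makes the browser ignore that directive.

# Common CSP directive names (Level 2/3); extend the list if you use others.
KNOWN_DIRECTIVES="default-src script-src style-src img-src connect-src font-src \
object-src media-src frame-src child-src frame-ancestors form-action base-uri \
worker-src manifest-src upgrade-insecure-requests block-all-mixed-content \
report-uri report-to sandbox"

# Print one problem per line for the policy in $1; prints nothing if it is clean.
csp_problems() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r directive; do
        # trim surrounding whitespace; skip empty segments (e.g. after a trailing ';')
        directive=$(printf '%s' "$directive" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$directive" ] && continue
        name=${directive%% *}
        case "$name" in
            *:) echo "directive '$name' has a trailing colon (write '${name%:}')"; continue ;;
        esac
        found=0
        for k in $KNOWN_DIRECTIVES; do
            [ "$k" = "$name" ] && found=1
        done
        [ "$found" = 1 ] || echo "unknown directive '$name'"
    done
}

# Constructed policies for the stand-alone run: the first has the colon mistake,
# the second is the corrected form.
BAD_CSP="default-src 'none'; script-src 'self'; connect-src: 'self'; img-src: 'self'; style-src: 'self';"
GOOD_CSP="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'"

echo "Problems in BAD_CSP:";  csp_problems "$BAD_CSP"
echo "Problems in GOOD_CSP:"; csp_problems "$GOOD_CSP"
```

Run it with the value you intend to deploy as the argument to `csp_problems`; an empty result means every directive name is spelled and delimited the way the browser expects, which is the part a layout break in the browser console will not tell you clearly.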

Another setting that mitigates XSS is HttpOnly

# vi /etc/php.ini
session.cookie_httponly = True

or

# vi /etc/httpd/conf.d/secure.conf
# Using HttpOnly and Secure Flag
# (the replacement must be quoted: an unquoted space would make "Secure" a separate argument)
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"

# or, on older versions
# (note: "set" replaces the whole Set-Cookie value instead of adding flags to the
# real cookie, so prefer the "edit" form wherever it is available)
Header set Set-Cookie HttpOnly;Secure

I'll note the other settings here as well

Hide the Apache version

ServerTokens Prod
ServerSignature Off

Mitigate DoS attacks

# vi /etc/httpd/conf.d/secure.conf
# Apache Range Exploit
RequestHeader unset Range
RequestHeader unset Request-Range

Hide the PHP version

# vi /etc/php.ini
expose_php = off

# vi /etc/httpd/conf.d/secure.conf
# hide php version
Header unset X-Powered-By

You can use curl to view the response headers

curl -I http://ssorc.tw/


http://chandank.com/tools/tool.php?id=check-headers
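Reading `curl -I` output by eye works for one site; for several, a small audit script is more reliable. The script below is an added example, not from the original post or the linked tool, and covers the checks from the sections above: the security headers set in secure.conf, the HttpOnly and Secure cookie flags, and the version disclosure removed by ServerTokens Prod and `Header unset X-Powered-By`. SAMPLE_HEADERS is a constructed response, not a capture of ssorc.tw; replace it with real output from `curl -sI`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a captured `curl -I`
# response for the headers and cookie flags configured in secure.conf.
# SAMPLE_HEADERS is constructed, not a real capture; for a live check use:
#   headers="$(curl -sI https://your-site.example/)"

SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: PHPSESSID=constructed0001; path=/; HttpOnly
Set-Cookie: theme=light; path=/
X-Powered-By: PHP/7.4.33
Content-Type: text/html; charset=UTF-8'

# Print the value of the first header named $2 in the header block $1
# (case-insensitive name match, CRLF-tolerant); prints nothing if absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Print, one per line, the secure.conf headers that are missing from $1.
missing_headers() {
    for name in X-Frame-Options Strict-Transport-Security \
                X-Content-Type-Options Content-Security-Policy; do
        [ -n "$(header_value "$1" "$name")" ] || echo "$name"
    done
}

# Print every Set-Cookie line in $1 that lacks the HttpOnly or the Secure flag.
# The flags are matched as whole attributes so a cookie value containing the
# word "secure" does not count.
weak_cookies() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:' \
        | while IFS= read -r line; do
            if ! printf '%s' "$line" | grep -Eqi ';[[:space:]]*httponly[[:space:]]*(;|$)' \
               || ! printf '%s' "$line" | grep -Eqi ';[[:space:]]*secure[[:space:]]*(;|$)'; then
                printf '%s\n' "$line"
            fi
        done
}

# Print the headers in $1 that still disclose software versions: X-Powered-By
# (removed by "Header unset X-Powered-By") and a Server value with a version
# such as "Apache/2.4.6" (reduced to "Apache" by "ServerTokens Prod").
version_leaks() {
    [ -z "$(header_value "$1" X-Powered-By)" ] || echo "X-Powered-By"
    case "$(header_value "$1" Server)" in
        */*) echo "Server" ;;
    esac
}

# Stand-alone run: print the report for the constructed sample.
echo "Missing headers:"; missing_headers "$SAMPLE_HEADERS"
echo "Weak cookies:";    weak_cookies "$SAMPLE_HEADERS"
echo "Version leaks:";   version_leaks "$SAMPLE_HEADERS"
```

For the constructed sample the report lists Strict-Transport-Security and Content-Security-Policy as missing, both cookies as weak (the session cookie has HttpOnly but not Secure, the theme cookie has neither), and X-Powered-By as a version leak, which is exactly the set of fixes the sections above apply.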


Comments

Author

# Disable directory listing
Options -Indexes

# Deny access to directories that are not meant to be public
Order Deny,Allow
Deny from All

# Do not expose the inode number, multipart MIME boundary or child process
FileETag None

# Run the apache service as the apache user
User apache
Group apache

# Do not allow settings to be changed via .htaccess
AllowOverride None

# Disable Trace HTTP Request
TraceEnable off

# disable SSI - Server Side Include
Options -Indexes -Includes

# Disable HTTP 1.0 Protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

ref : http://chandank.com/webservers/apache/apache-web-server-hardening-security
