Tighten the Security Belt of Your Website: HTTP Security Headers

As browser technology and security have matured, modern browsers support a set of HTTP response headers that harden web applications against common attacks such as clickjacking and cross-site scripting. Let us explore some of the ways you can tighten the security belt of your website.

Understanding HTTP Security Headers
Whenever a user requests a page from a server, the server responds with the content along with a number of HTTP response headers. Some of them carry information such as the content type, encoding, status code and cache control. Alongside these there are security headers that instruct the browser how to behave when handling your website's content; these are known as HTTP security headers. They help preserve the privacy of your website and its users, and they mitigate some potential security vulnerabilities.

Let us now discuss some of the important HTTP security headers that help you tighten up the security belt of your website.

1. HTTP Strict Transport Security (HSTS)

Suppose you own a website, you have just installed an SSL/TLS certificate and migrated the site from HTTP to HTTPS. The "S" stands for secure, so you might think your website is now protected. But what if your website is still reachable over plain HTTP? This is where HSTS comes into action: it forces the browser to communicate only over HTTPS, eliminating HTTP.

If the browser knows that the site has enabled HSTS, it uses only HTTPS connections, even if the user typed an HTTP address or omitted the scheme entirely.

There are three semantically distinct ways to send the HSTS header:

  • Applied only to the domain of the HSTS host issuing it, and remains in effect for one year.

    Strict-Transport-Security: max-age=31536000

  • Applied to the domain of the issuing host as well as its subdomains, in effect for one year.

    Strict-Transport-Security: max-age=31536000; includeSubDomains

  • Directs the browser to delete the entire stored policy.

    Strict-Transport-Security: max-age=0
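To make the three variants concrete, here is an added example (not from the original article) that models the browser's HSTS policy store: an exact-host policy, a policy extended to subdomains with includeSubDomains, and deletion with max-age=0. The store, host names and timestamps are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed in-memory HSTS store standing in for the browser's:
# host -> (expiry as epoch seconds, includeSubDomains flag)
HstsStore = Dict[str, Tuple[float, bool]]


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).
    Returns None when the mandatory max-age directive is missing or malformed."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def apply_hsts(store: HstsStore, host: str, header: str, now: float) -> None:
    """Record the policy a host sent. Real browsers only honour HSTS received over
    an error-free HTTPS connection; the caller is assumed to have checked that."""
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        store.pop(host.lower(), None)  # max-age=0 deletes the stored policy
    else:
        store[host.lower()] = (now + max_age, include_sub)


def must_use_https(store: HstsStore, host: str, now: float) -> bool:
    """True if an unexpired policy covers host: an exact match always applies,
    a parent domain's policy only if it was sent with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None:
            continue
        expiry, include_sub = entry
        if expiry > now and (i == 0 or include_sub):
            return True
    return False
```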

2. Content Security Policy (CSP)

Enabling the Content Security Policy (CSP) header lets the administrator specify which sources of content are permitted in the web application.

It helps mitigate, or at least reduce the attack surface of, Cross-Site Scripting (XSS) attacks. Later versions of the specification also protect against other forms of attack, such as clickjacking.

Syntax:

Content-Security-Policy: <policy-directive>; <policy-directive>

3. X-Frame-Options

This header tells the browser how to behave when rendering the site's content inside another page. It provides clickjacking protection by defining whether or not a browser may render the page inside a <frame>, <iframe>, <embed> or <object>.

Syntax:

X-Frame-Options: DENY

The "DENY" value instructs the browser not to allow any domain, including the site's own, to display this page within a frame. Some well-known sites using this header are Facebook and GitHub.

There are other values allowed for the X-Frame-Options header which you can use:

SAMEORIGIN: allows the current page to be displayed in a frame on another page, but only within the current origin. Some well-known sites using this value are Twitter, Amazon and eBay.

ALLOW-FROM URI: allows the current page to be displayed in a frame, but only from one specific URI. Note that ALLOW-FROM is obsolete and ignored by current browsers; the CSP frame-ancestors directive is the supported replacement.

4. Expect-CT Header

The Expect-CT header prevents the use of a wrongly issued certificate for a site by allowing the site to report, or enforce, Certificate Transparency requirements. The available directives are:

Syntax:

Expect-CT: max-age=86400, enforce, report-uri="https://ex.com/report"

Here, "enforce" instructs the browser to refuse connections that violate the Certificate Transparency policy. The "report-uri" directive indicates a location for reporting failures. And the "max-age" directive specifies the number of seconds for which the browser should cache and apply the received policy, whether enforced or report-only. Note that browsers have since deprecated Expect-CT, as Certificate Transparency is now required for all publicly trusted certificates.

5. Cache-Control Header

The Cache-Control header is used to set caching policies in both client requests and server responses. This includes policies such as whether and how a resource is cached, where it is cached, and its maximum age before expiring.

Syntax:

Cache-Control: private, max-age=266637262

The "private" directive in this syntax indicates that the resource is user-specific, which means it may still be cached, but only on the client device and not by shared caches. The "max-age" directive indicates the number of seconds after which a cached copy expires; once expired, the browser must fetch a fresh version. There are other directives that can help tighten up privacy. You can find the list here.

6. Clear-Site-Data Header

The Clear-Site-Data header ensures that no confidential information from a website remains stored by the browser once the user logs out.

Syntax:

Clear-Site-Data: "*"

This value clears all browsing data (cache, cookies and storage) related to the site.

7. Referrer-Policy Header

The Referer request header carries information about the page the user came from, such as the address of the previous web page that linked to the currently requested page. This can be used to track users or steal information, and sometimes it inadvertently leaks sensitive data such as tokens in URLs.

The Referrer-Policy header defines how much referrer information may be included in requests the browser makes from your pages.

Syntax:

Referrer-Policy: origin-when-cross-origin

With this value, the browser reveals the complete referrer URL only for same-origin requests and sends just the origin for cross-origin requests. You can find the list of other values you can use here.
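Pulling the headers above together, here is an added audit script (not part of the original article) that checks a response's headers against the guidance given in this post: a one-year HSTS policy covering subdomains, a CSP, a DENY or SAMEORIGIN X-Frame-Options, a Cache-Control that keeps user-specific content out of shared caches, and a Referrer-Policy that does not leak full URLs cross-origin. The two sample responses are constructed; the one-year threshold and the "private or no-store" rule are this example's own choices.

```python
from typing import Dict, List
ONE_YEAR = 31536000  # the max-age the article uses for a one-year HSTS policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response (empty list means every check passed).
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the browser may still connect over plain HTTP")
    else:
        directives = {d.strip().partition("=")[0].lower(): d.strip().partition("=")[2] for d in hsts.split(";")}
        try:
            max_age = int(directives["max-age"].strip('" '))
        except (KeyError, ValueError):
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")

    if "content-security-policy" not in h:
        findings.append("CSP missing: no restriction on permitted sources")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN (ALLOW-FROM is obsolete)")

    cache = h.get("cache-control", "").lower()
    if "private" not in cache and "no-store" not in cache:
        findings.append("Cache-Control lets shared caches keep this user-specific response")

    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url"):
        findings.append("Referrer-Policy absent or leaks the full URL to other origins")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Cache-Control": "public, max-age=600",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Cache-Control": "private, no-store",
    "Referrer-Policy": "origin-when-cross-origin",
}
```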

Conclusion: HTTP Headers could be one of the ways to tighten up the seat belt of your website security. By enabling such headers, you are protecting both your website and your user’s privacy. Setting and updating them correctly can reduce the amount of risk mitigation actions needed in the future.

Translated from: https://medium.com/digital-diplomacy/tighten-the-security-belt-of-your-website-http-security-headers-8da586bef789