Set Your HTTP Headers Correctly to Make Your Application More Secure
Six HTTP security headers
1. Content Security Policy
content-security-policy: can be used to prevent XSS attacks that come from untrusted static resources (scripts loaded from origins you did not allow). A sample response header:
content-security-policy: script-src 'self' https://www.google-analytics.com
For the exact configuration, refer to the nginx or Apache documentation.
2. X-XSS-Protection
x-xss-protection: forces the browser to enable its built-in XSS filter. Browsers filter by default, but this response header makes that behaviour mandatory. Browser compatibility: IE8+, Chrome, Safari. Sample response header:
x-xss-protection: 1; mode=block
Enable in Nginx
add_header x-xss-protection "1; mode=block" always;
Enable in Apache
Header always set x-xss-protection "1; mode=block"
3. HTTP Strict Transport Security(HSTS)
strict-transport-security: forces the browser to communicate with the server over HTTPS only and to refuse insecure HTTP connections. A sample response header is given here; read the relevant documentation for the exact configuration.
strict-transport-security: max-age=31536000; includeSubDomains; preload
4. X-Frame-Options
x-frame-options: is used to prevent clickjacking (your pages being embedded in frames on other sites). Sample response header:
x-frame-options: SAMEORIGIN
Enable in Nginx
add_header x-frame-options "SAMEORIGIN" always;
Enable in Apache
Header always set x-frame-options "SAMEORIGIN"
5. Public-Key-Pins
public-key-pins: is used to prevent man-in-the-middle attacks that rely on forged certificates.
How to set it up: https://scotthelme.co.uk/hpkp-http-public-key-pinning/
Sample response header:
public-key-pins: pin-sha256="t/OMbKSZLWdYUDmhOyUzS+ptUbrdVgb6Tv2R+EMLxJM="; pin-sha256="PvQGL6PvKOp6Nk3Y9B7npcpeL40twdPwZ4kA2IiixqA="; pin-sha256="ZyZ2XrPkTuoiLk/BR5FseiIV/diN3eWnSewbAIUMcn8="; pin-sha256="0kDINA/6eVxlkns5z2zWv2/vHhxGne/W0Sau/ypt3HY="; pin-sha256="ktYQT9vxVN4834AQmuFcGlSysT1ZJAxg+8N1NkNG/N8="; pin-sha256="rwsQi0+82AErp+MzGE7UliKxbmJ54lR/oPheQFZURy8="; max-age=600; report-uri="https://www.keycdn.com"
6. X-Content-Type-Options
x-content-type-options: prevents IE and Chrome from sniffing the content type of the response instead of trusting the declared Content-Type. Sample response header (the header name is X-Content-Type-Options, matching the nginx and Apache lines below):
x-content-type-options: nosniff
Enable in Nginx
add_header X-Content-Type-Options "nosniff" always;
Enable in Apache
Header always set X-Content-Type-Options "nosniff"
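To check that a server actually sends the six headers above, here is an added Python example (not part of the original article) that parses a raw response header block and reports which headers are missing or weakly set. The one-year HSTS threshold and the two-pin HPKP minimum are this checker's own assumptions, and the sample response is constructed, not captured from a real server.

```python
import re

# Constructed sample response (not from a real server): HSTS max-age is short
# and Public-Key-Pins is absent, so the audit should flag exactly those two.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: script-src 'self' https://www.google-analytics.com
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=600; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    pairs = (line.split(":", 1) for line in raw.splitlines()[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def script_sources(csp):
    """Sources the policy allows for scripts: script-src, else the default-src fallback."""
    d = {t[0].lower(): t[1:] for t in (p.split() for p in csp.split(";")) if t}
    return d.get("script-src", d.get("default-src", []))

def audit_security_headers(raw):
    """Return {header: 'ok' or a short problem description} for the six headers."""
    h, out = parse_headers(raw), {}
    src = script_sources(h.get("content-security-policy", ""))
    out["content-security-policy"] = ("ok" if src and not {"*", "'unsafe-inline'"} & set(src)
                                      else "missing, or script-src allows * / 'unsafe-inline'")
    out["x-xss-protection"] = ("ok" if h.get("x-xss-protection", "").startswith("1")
                               else "missing or set to 0")
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    out["strict-transport-security"] = ("ok" if age and int(age.group(1)) >= 31536000
                                        else "missing or max-age below one year (assumed minimum)")
    out["x-frame-options"] = ("ok" if h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
                              else "missing or not DENY/SAMEORIGIN")
    pins = h.get("public-key-pins", "")
    out["public-key-pins"] = ("ok" if pins.count("pin-sha256=") >= 2 and "max-age=" in pins
                              else "missing, or fewer than two pins (a backup pin is required)")
    out["x-content-type-options"] = ("ok" if h.get("x-content-type-options", "").lower() == "nosniff"
                                     else "missing or not nosniff")
    return out

if __name__ == "__main__":
    for header, status in audit_security_headers(SAMPLE_RESPONSE).items():
        print(f"{header}: {status}")
```

Feed it the output of a raw header capture (for example the headers printed by `curl -sI`) to audit a live server.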