Setting HTTP response headers to protect your web site
Did you know that many common web vulnerabilities can be mitigated simply by sending the right security headers in your HTTP responses?
Security is as essential as the content and SEO of your website, and thousands of sites are compromised because of misconfiguration or a lack of basic protection.
If you are a website owner or security engineer looking to protect your site from Clickjacking, code injection, MIME-type sniffing, XSS and similar attacks, this guide will help you.
In this article, I will cover the HTTP headers to implement on various web servers, network edge devices and CDN providers for better protection. Notes:
You are advised to back up the configuration file before making changes.
Some of the headers are not supported by all browsers, so check browser support before implementing them.
mod_headers must be enabled in Apache to implement these headers. Ensure the following line is uncommented in your Apache configuration file:
LoadModule headers_module modules/mod_headers.so
Post-implementation, verify the results with a header-checking tool, or simply with curl -I https://your-site/ on the command line.
If your site sits behind a managed CDN or WAF service, you may not need to add these manually on your web server, as most of them are enabled automatically; still verify the response headers rather than assume.
HTTP Headers List
X-XSS-Protection
The X-XSS-Protection header switches on the built-in reflected-XSS filter of older browsers; it was honoured by IE 8+, Chrome, Opera, Safari and Android browsers. Be aware that it is now deprecated: Chromium removed its XSS Auditor in Chrome 78 (2019) because the filter itself could be abused to leak information, Firefox never implemented it, and current OWASP guidance is to send X-XSS-Protection: 0 and rely on a Content-Security-Policy instead.
Google, Facebook and GitHub used this header, and most penetration-testing consultancies will still ask you to set it. There are four possible values.
Parameter Value | Meaning
0 | XSS filter disabled
1 | XSS filter enabled; the browser sanitizes the page if an attack is detected
1; mode=block | XSS filter enabled; the browser refuses to render the page if an attack is detected
1; report=<reporting-URI> | XSS filter enabled; the browser sanitizes the page and reports the violation to the given URI (Chromium only)
Let's implement 1; mode=block in the following web servers.
Apache HTTP Server
Add the following entry to the configuration file of your Apache web server:
Header set X-XSS-Protection "1; mode=block"
Restart Apache and verify the response headers.
Nginx
Add the following to the Nginx configuration under the http block:
add_header X-XSS-Protection "1; mode=block";
Reload Nginx (nginx -s reload) for the header to appear in your responses.
MaxCDN
If you are using MaxCDN, adding the header is easy and applied on the fly.
Go to Edge Rules >> click “New Rule” and select “Add X-XSS-Protection Header” from the drop-down.
Microsoft IIS
Open IIS Manager
Select the Site you need to enable the header for
Go to “HTTP Response Headers.”
Click “Add” under actions
Enter the name (X-XSS-Protection) and value (1; mode=block) and click OK
Restart the site in IIS and check the results
HTTP Strict Transport Security
The HSTS (HTTP Strict Transport Security) header tells a browser that all communication with your site must use HTTPS. Once a browser has seen it, it rewrites http:// requests for the site to https:// before sending them, and it refuses to let the user click through certificate warnings.
Before implementing this header, make sure every page and resource of your website is reachable over HTTPS; anything still served only over plain HTTP becomes unreachable for browsers that have cached the policy. Send the header only on HTTPS responses: browsers ignore it when received over plain HTTP.
HSTS is supported by all major browsers in their current versions (IE 11, Edge, Firefox, Opera, Safari and Chrome). There are three parameters.
Parameter | Meaning
max-age | Duration (in seconds) for which the browser remembers that this host is HTTPS-only.
includeSubDomains | The policy also applies to every subdomain.
preload | Signals that you want the domain added to the browsers' built-in HSTS preload list. Submission is a separate step, and the list requires a max-age of at least one year together with includeSubDomains.
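The three directives above are easy to get subtly wrong, and it helps to see what a browser actually does with them. The following is an added example written for this article, not code from the original page or from any vendor mentioned on it: a checker that flags weak Strict-Transport-Security values against the preload requirements, plus a toy model of the browser's HSTS cache that shows which http:// requests get upgraded, including the includeSubDomains and expiry cases. All host names and header values in it are constructed for the demo.

```python
# Added example, not from the original article: a checker for the three HSTS
# directives described above, plus a toy model of the browser's HSTS cache
# showing which http:// requests get upgraded. Host names and header values
# are constructed for the demo.
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797). Returns None when
    max-age is missing or not an integer, in which case a browser ignores
    the whole header.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(value):
    """Return the findings a reviewer would raise about an HSTS value."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid: max-age is required, browsers ignore the header"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year; too short for preload")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing; subdomains stay unprotected")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR
                              or not policy["include_subdomains"]):
        findings.append("preload set but preload-list requirements not met")
    return findings


def remember_hsts(cache, host, value, now):
    """Update a browser-style cache {host: (expiry, include_subdomains)}.

    Only call this for headers received over HTTPS; browsers discard HSTS
    headers seen on plain HTTP.
    """
    policy = parse_hsts(value)
    if policy is None:
        return
    if policy["max_age"] == 0:
        cache.pop(host, None)  # max-age=0 clears a stored policy
        return
    cache[host] = (now + policy["max_age"], policy["include_subdomains"])


def upgrade_url(cache, url, now):
    """Rewrite an http:// URL to https:// if a live cached policy covers it.

    Walks from the exact host up through its parent domains; a parent entry
    applies only when it was stored with includeSubDomains. Explicit ports
    are left untouched for simplicity.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = cache.get(candidate)
        if entry is None or now >= entry[0]:
            continue  # unknown host, or policy expired
        if candidate == host or entry[1]:
            return urlunsplit(("https", parts.netloc, parts.path,
                               parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    now = time.time()
    cache = {}
    remember_hsts(cache, "example.com",
                  "max-age=31536000; includeSubDomains; preload", now)
    remember_hsts(cache, "legacy.test", "max-age=600", now)
    print(upgrade_url(cache, "http://api.example.com/login", now))
    print(upgrade_url(cache, "http://www.legacy.test/", now))
    print(check_hsts("max-age=600; preload"))
```

Run it and you will see the api.example.com request upgraded (the parent policy carries includeSubDomains), the www.legacy.test request left alone (legacy.test was stored without it), and three findings for the short, preload-flagged value. The same parse logic is what a header-checking tool applies to your server's response after you add the directives shown in the next sections.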
So let's take an example of HSTS configured for one year, covering subdomains and carrying the preload flag.
Apache HTTP Server
You can implement HSTS in Apache by adding the following entry to the HTTPS virtual host configuration:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Restart Apache to see the results. The always keyword matters: without it, Apache adds the header only to successful (2xx) responses, so redirects and error pages would be sent without HSTS.
Nginx
To configure HSTS in Nginx, add the following entry inside the HTTPS server block:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
As usual, reload Nginx to verify. Two Nginx pitfalls are worth knowing: the always flag is needed for the header to be sent on redirects and error responses, and add_header directives are not merged across levels, so a location block that declares its own add_header silently drops every header set at server or http level; repeat them there.
Cloudflare
If you are using Cloudflare, then you can enable HSTS in just a few clicks.
Log in to Cloudflare and select the site
Go to the "Crypto" tab (in the current dashboard: SSL/TLS, then Edge Certificates) and click "Enable HSTS."
Select the settings you need; the change is applied on the fly.
Microsoft IIS
Launch IIS Manager and add the header under "HTTP Response Headers" for the respective site (name Strict-Transport-Security, value as above).
Restart the site
X-Frame-Options
Use the X-Frame-Options header to prevent Clickjacking on your website. By sending it, you instruct the browser not to render your page inside a frame or iframe on other sites. DENY and SAMEORIGIN are supported by every major browser; the ALLOW-FROM value is obsolete and modern browsers ignore a header that uses it, so check support before relying on it. The modern equivalent is the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present.
You can configure the following three values.
Parameter Value | Meaning
SAMEORIGIN | Framing is allowed only from pages with the same origin.
DENY | No site, including your own, may embed the page in a frame/iframe.
ALLOW-FROM uri | Allow framing only from the given URI (obsolete; ignored by modern browsers, use CSP frame-ancestors instead).
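Because the precedence rules between X-Frame-Options and CSP frame-ancestors are what decide whether a clickjacking attempt succeeds, here is an added example written for this article (not code from the original page) that models the browser's framing decision: DENY and SAMEORIGIN as in the table, the obsolete ALLOW-FROM being ignored, and frame-ancestors overriding X-Frame-Options when present. Origins are constructed, and matching is simplified to scheme plus host with a single embedder (no ports, paths or nested frame chains), so treat it as an illustration of precedence rather than a spec-complete implementation.

```python
# Added example, not from the original article: a model of the framing
# decision a browser makes from X-Frame-Options and, when present, the CSP
# frame-ancestors directive that supersedes it. Origins are constructed;
# matching is simplified to scheme+host (no ports, paths or nested-frame
# chains), so treat it as an illustration of precedence, not a spec clone.
from urllib.parse import urlsplit


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, else None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def host_source_matches(pattern, origin):
    """Match one host-source such as https://*.partner.test against an origin."""
    if pattern == "*":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:  # bare host, any scheme
        scheme, rest = "", pattern
    host = rest.split("/")[0].split(":")[0]
    o = urlsplit(origin)
    if scheme and scheme != o.scheme:
        return False
    origin_host = o.hostname or ""
    if host.startswith("*."):
        return origin_host.endswith(host[1:])  # any subdomain, not the apex
    return host == origin_host


def framing_allowed(page_origin, embedder_origin, x_frame_options=None, csp=None):
    """Decide whether embedder_origin may frame a page from page_origin."""
    sources = parse_frame_ancestors(csp) if csp else None
    if sources is not None:
        # CSP wins: X-Frame-Options is ignored when frame-ancestors is present.
        if not sources or sources == ["none"]:
            return False
        for src in sources:
            if src == "self":
                if embedder_origin.lower() == page_origin.lower():
                    return True
            elif host_source_matches(src, embedder_origin):
                return True
        return False
    if x_frame_options is None:
        return True  # no policy at all: any site may frame the page
    value = x_frame_options.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder_origin.lower() == page_origin.lower()
    # ALLOW-FROM (and any other unknown value) is obsolete: modern browsers
    # ignore the whole header, which leaves the page framable by anyone.
    return True


if __name__ == "__main__":
    page = "https://example.com"
    print(framing_allowed(page, "https://evil.test", x_frame_options="DENY"))
    print(framing_allowed(page, "https://evil.test",
                          x_frame_options="ALLOW-FROM https://partner.test"))
    print(framing_allowed(page, "https://app.partner.test", x_frame_options="DENY",
                          csp="frame-ancestors 'self' https://*.partner.test"))
```

The second print is the point of the exercise: a site that "allows" only its partner via ALLOW-FROM is in practice framable by anyone, which is worse than DENY. If you need to whitelist an embedder, send both X-Frame-Options: DENY for legacy browsers and a frame-ancestors list for modern ones, as the third call shows.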
Let's look at how to implement DENY so that no site can embed the page.
Apache
Add the following line to your Apache configuration and restart the web server to verify the results. Use set rather than append: append joins multiple values with commas, which would produce an invalid header value if the header is already being set elsewhere.
Header always set X-Frame-Options "DENY"
Nginx
Add the following to the Nginx configuration under the server block:
add_header X-Frame-Options "DENY" always;
Reload Nginx to verify the results.
F5 LTM
Create an iRule with the following content and associate it with the respective virtual server:
when HTTP_RESPONSE {
HTTP::header insert "X-FRAME-OPTIONS" "DENY"
}
No restart is needed; the change takes effect immediately.
WordPress
You can also set this header from WordPress itself. Add the following to wp-config.php; it is loaded before any output is sent, so the header() call is valid there:
header('X-Frame-Options: DENY');
If you are not comfortable editing the file, use a security-headers plugin instead.
Microsoft IIS
Add the header under "HTTP Response Headers" for the respective site, as described for X-XSS-Protection above.