security setting

Last updated: 2017-11-06

 

Contents

  • Server info.
  • SSL
  • X-Frame
  • PHP Session
  • TRACE
  • OPTIONS method disable

 


Server info.

 

# Setting Location: /etc/httpd/conf/httpd.conf
# (server config only; ServerTokens cannot be set per virtual host)

ServerTokens Prod

Arg: Full / Prod[uctOnly] / Major / Minor / Min[imal] / OS   (default: Full)

  • Prod: Server: Apache               <- already the minimum Apache will send
  • Major: Server: Apache/2
  • Minor: Server: Apache/2.4
  • Min: Server: Apache/2.4.2
  • OS: Server: Apache/2.4.2 (Unix)
  • Full: Server: Apache/2.4.2 (Unix) followed by the versions of loaded modules, e.g. PHP/5.4.16

Pair it with ServerSignature Off so that error pages and directory listings do not print the version either. This only removes the banner: the version can still be fingerprinted from behaviour, so the real fix for a vulnerable build is patching, not hiding.

 


SSL

 

# Setting Location: /etc/httpd/conf.d/vhosts.conf

SSLProtocol       -ALL +TLSv1.2
SSLCipherSuite    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

Notes:

  • -ALL +TLSv1.2 disables SSLv3, TLSv1.0 and TLSv1.1, but on an httpd/OpenSSL build that supports TLS 1.3 it disables that as well; there, use -ALL +TLSv1.2 +TLSv1.3. TLS 1.3 has its own cipher suites, so the SSLCipherSuite list above only governs TLS 1.2.
  • All four suites are ECDHE (forward secrecy) with an RSA certificate; a server with an ECDSA certificate needs the ECDHE-ECDSA-* equivalents. The two non-GCM suites (CBC, *-SHA256 / *-SHA384) are the weaker half of the list and are only needed for old clients.
  • Add SSLHonorCipherOrder on so the server's order, not the client's, decides which suite is used.
  • Check from outside: openssl s_client -connect host:443 -tls1_1 must fail to handshake and -tls1_2 must succeed.

 


X-Frame

 

Used to indicate whether or not a browser should be allowed to render a page in a

  • <frame>
  • <iframe>
  • <object>

Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three values:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM uri   (obsolete: Chrome and Safari never honoured it and Firefox has dropped it, and a browser that ignores the value allows framing from anywhere; use Content-Security-Policy: frame-ancestors instead)

Apache Settings (mod_headers)

i.e.

Header always set X-Frame-Options DENY

HTTP Response Header

X-Frame-Options: DENY

More info.

Use "set", not "append": the header takes a single value, and "append" on a response that already carries one (from the application, or from another Header line) produces a comma-separated list such as DENY, SAMEORIGIN, which browsers do not handle consistently. "always" makes mod_headers add the header on error responses (4xx/5xx) too, not only on 2xx.

To let one other domain embed the page (legacy syntax; for current browsers the CSP directive is what actually enforces it):

Header always set X-Frame-Options "ALLOW-FROM https://example.com/"
Header always set Content-Security-Policy "frame-ancestors https://example.com/"

Allow iframes from the same origin only:

Header always set X-Frame-Options SAMEORIGIN

 


PHP Session

 

Setting Location: /etc/php.ini   (or per virtual host with mod_php: php_admin_value session.cookie_secure 1)

# Send the session ID cookie only over HTTPS: the browser will not attach it to
# http:// requests. Turn this on only once the whole site is served over HTTPS,
# otherwise sessions silently break on plain-HTTP pages.

session.cookie_secure = 1

# Mark the cookie HttpOnly: it is still sent with HTTP requests, but it cannot be
# read from JavaScript (document.cookie), which limits session theft via XSS.
# It does not prevent CSRF, and it is bypassed by Cross-Site Tracing if the
# server still answers TRACE (see the TRACE section).

session.cookie_httponly = 1

# Related session settings worth enabling at the same time:
# session.use_only_cookies = 1   never accept the session ID from the URL
# session.use_strict_mode = 1    reject IDs the server did not issue (session fixation)
# session.cookie_samesite = Lax  PHP 7.3+, CSRF mitigation

 


TRACE

 

mod: mod_allowmethods (Apache 2.4)

 

Why it matters: TRACE echoes the request back in the response body (Content-Type: message/http), including the Cookie and Authorization headers. Script that can send a TRACE request from the browser (Cross-Site Tracing, XST) can therefore read a session cookie even though it was set with HttpOnly, so the PHP setting above only holds if TRACE is off.

Testing for TRACE support with curl

curl -i -X TRACE http://x/

# Specifies a custom request method to use when communicating with the HTTP server.

-X, --request <command>

Expected result: with TRACE enabled the server answers 200 OK with Content-Type: message/http and the body is the request you sent, headers included; with TRACE disabled it answers 405 Method Not Allowed.

Disable TRACE

# 1 - Global disable

# Default: on. off => the core server and mod_proxy answer TRACE with "HTTP/1.1 405 Method Not Allowed"

# Setting Location: /etc/httpd/conf/httpd.conf

TraceEnable off

# 2 - restrict the methods a path accepts

# mod_allowmethods: any method not listed gets 405. Note that AllowMethods cannot
# block TRACE (the Apache docs say so explicitly), so it does not replace
# TraceEnable off; use both. HEAD is processed as GET, so allowing GET allows HEAD.

<Location "/">
   AllowMethods GET POST OPTIONS
</Location>

 


OPTIONS method disable

 

New (IIS 7.x and later)

IIS Manager -> Request Filtering -> HTTP Verbs -> Deny Verb (stored under system.webServer/security/requestFiltering/verbs in web.config; TRACE can be denied the same way)

Old IIS (IIS 6)

IIS Manager -> right click the site, Properties -> Home Directory -> Configuration -> Mappings -> select the extension, Edit -> Limit to: (list the allowed verbs, e.g. GET,HEAD,POST)

On Apache the equivalent is the AllowMethods list in the TRACE section: leave OPTIONS out and the server answers 405.

Test

curl -i -X OPTIONS http://example.org/path

HTTP/1.1 200 OK
Date: Thu, 11 Jun 2020 09:06:17 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/html

This response shows ServerTokens Prod already applied (Server: Apache) while TRACE is still advertised in Allow. Confirm with the TRACE test above; a 405 to an actual TRACE request is the authoritative check. Disabling OPTIONS removes only this listing, not any method, so treat it as hygiene rather than a control, and note that CORS preflight requests use OPTIONS, so an API with cross-origin browser clients must keep it.
HTTP OPTIONS method

It is used to describe the communication options for the target resource.

The client can specify a URL for the OPTIONS method

OPTIONS /index.html HTTP/1.1

An asterisk (*) refers to the server as a whole rather than to one resource (with curl 7.55 or later: curl -i -X OPTIONS --request-target '*' http://example.org/)

OPTIONS * HTTP/1.1

-i, --include

Include the HTTP response headers in the output.

The HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more.

To also see the request headers curl sent, use -v, --verbose.