Security Header

Last updated: 2021-05-11

Table of contents

  • HSTS
  • CSP
  • X-Content-Type-Options
  • X-Frame-Options


HSTS (RFC 6797)

HSTS = HTTP Strict Transport Security

[Function]

It protects against man-in-the-middle attacks

(prevents protocol downgrade attacks and cookie hijacking)

It forces browsers to open the website over secure HTTPS connections only.
(unlike other SSL errors, users can't bypass the HSTS error page
by clicking "Proceed to x.y (unsafe)")

[How it works]

The header is sent over an HTTPS connection (HSTS headers received over plain HTTP are ignored by the browser).

HTTP header

 - "Strict-Transport-Security"
 - "Strict-Transport-Security: max-age=31536000"

[Prerequisite]

Trust on first use

If your browser has stored HSTS settings for a domain and
you later try to connect over HTTP or a broken HTTPS connection, you will receive an error.

[Clearing HSTS for a domain]

chrome://net-internals/#hsts

Scroll down the page to the "Delete domain security policies" section.

Enter the domain name.

"HSTS preload list"

Solves the problem that "the initial request remains unprotected" (the browser has not yet seen the header on its very first request).

It is a list, shipped with the browser, of known sites that support HSTS.


CSP

Content-Security-Policy

Header name: Content-Security-Policy
Header value: default-src 'self' 'unsafe-inline'

 - default-src
 - 'self'
 - 'unsafe-inline'

CSP forces developers to move all inline code into external files
(note: the value above includes 'unsafe-inline', which allows inline code again and weakens this protection).


X-Content-Type-Options

Helps prevent browsers from trying to sniff the MIME type,

i.e. it instructs browsers to disable "content sniffing" / "MIME sniffing".

MIME sniffing

In the absence of a MIME type, or in certain cases where browsers believe the declared one is incorrect,

browsers may perform MIME sniffing: guessing the correct MIME type by looking at the bytes of the resource.

Setting (Apache httpd, mod_headers directive)

Header set X-Content-Type-Options "nosniff"


X-Frame-Options

X-Frame-Options: SAMEORIGIN

(the page may only be framed by pages from the same origin; the value is case-insensitive, so "sameorigin" also works)
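As an added example (not part of the original notes), a small Python checker that audits a parsed response header map for the four headers above: it parses the HSTS max-age, flags a CSP that allows 'unsafe-inline', and checks nosniff and X-Frame-Options. The function names and the SAMPLE_HEADERS map are constructed for this illustration.

```python
ONE_YEAR = 31536000  # seconds, the max-age used in the HSTS section above


def parse_hsts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains' into {directive: value} (names lowercased)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out


def audit_security_headers(headers: dict, https: bool = True) -> list:
    """Return findings for the four headers in these notes; an empty list means all look sane."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif not https:  # browsers ignore HSTS received over plain HTTP
        findings.append("HSTS sent over HTTP is ignored")
    else:
        max_age = parse_hsts(hsts).get("max-age", "")
        if not max_age.isdigit():
            findings.append("HSTS max-age missing or not an integer")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp:  # re-allows the inline code CSP is meant to block
        findings.append("CSP allows 'unsafe-inline'")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
```

Feed it the header map from any HTTP client response (e.g. `dict(resp.headers)`) to get the list of findings; SAMPLE_HEADERS yields three.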