Make your web applications more secure

Make your web applications more secure

• X-Frame-Options
• Cookie of secure and httpOnly

Set X-Frame-Options

Https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

X-Frame-OptionsMainly to prevent clickjacking)Clickjacking)It is a means to hide malicious code in a webpage under seemingly harmless content (such as buttons) and induce users to click.X-Frame-OptionsThe HTTP header field indicates whether the transmitted resource can be included inOrThe server can declare this policy to ensure that the webpage content is not embedded in other pages. &lt;strong&gt; X-Frame-Options &lt;/strong&gt; has three specific values: &lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;p&gt; &lt;strong&gt; DENY &lt;/strong&gt; indicates that the webpage content cannot be embedded in any frame. &lt;/p&gt; &lt;/li&gt; &lt;li&gt; &lt;p&gt; &lt;strong&gt; SAMEORIGIN &lt;/strong&gt; same-origin policy, the declared webpage content can be embedded by frames in the same domain, but cannot be embedded by frames in different domains. &lt;strong&gt; Same source &lt;/strong&gt;: the protocol, domain name, and port are all the same. even if the ip address corresponds to the domain name, it is considered to be in different domains. The following describes the specific situation: http://www.example.com/dir/page.html Comparison: &lt;/p&gt; &lt;/li&gt; &lt;/ul&gt; &lt;table&gt; &lt;tr&gt; &lt;th style = "text-align: center "&gt; Compared URL &lt;/th&gt; &lt;th style =" text-align: center "&gt; Outcome &lt;/th&gt; &lt;th style =" text-align: center "&gt; Reason &lt;/th&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://www.example.com/dir/page2.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Same source &lt;/td&gt; &lt;td style = "text-align: center "&gt; same protocol host port &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://www.example.com/dir2/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Same source &lt;/td&gt; &lt;td style = "text-align: center "&gt; same protocol host port &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://username:password@www.example.com/dir2/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Same source &lt;/td&gt; &lt;td style = "text-align: center "&gt; same protocol host port &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://www.example.com:81/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Different sources &lt;/td&gt; &lt;td style = "text-align: center "&gt; ports are different &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; https://www.example.com/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Different sources &lt;/td&gt; &lt;td style = "text-align: center "&gt; different protocols &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://en.example.com/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Different sources &lt;/td&gt; &lt;td style = "text-align: center "&gt; different host names &lt;/td&gt; &lt;/tr&gt; &lt;td style =" text-align: center "&gt; http://example.com/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Different origins &lt;/td&gt; &lt;td style = "text-align: center"&gt; different hosts, must match exactly &lt;/td&gt; &lt;/tr&gt; &lt;td style = "text-align: center"&gt; http://v2.www.example.com/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Different origins &lt;/td&gt; &lt;td style = "text-align: center"&gt; different hosts, must match exactly &lt;/td&gt; &lt;/tr&gt; &lt;td style = "text-align: center"&gt; http://www.example.com:80/dir/other.html &lt;/Td&gt; &lt;td style = "text-align: center"&gt; Depends &lt;/td&gt; &lt;td style = "text-align: center"&gt; Port explicit. depends on implementation in browser &lt;/td&gt; &lt;/tr&gt; &lt;/table&gt; &lt;ul&gt; &lt;li&gt; &lt;strong&gt; ALLOW-FROM &lt;/strong&gt; specifies the specific source &lt;/li&gt; &lt;/ul&gt; configure Apache server &lt;p&gt; add site configuration: &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; Header always append X-Frame-Options SAMEORIGIN &lt;/pre&gt; Nginx &lt;p&gt; Add http, server or location configuration &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; add _ Header X-Frame-Options SAMEORIGIN; &lt;/pre&gt; IIS &lt;p&gt; added to the Web site. config &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; &lt;system. webServer&gt;... <pttpProtocol&gt; &lt;customHeaders&gt; </pttpProtocol&gt;... &lt;/system. webServer&gt; &lt;/pre&gt; HAProxy &lt;p&gt; added to frontend, listen, or backend configuration: &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; rspadd X-Frame-Options: \ SAMEORIGIN &lt;/pre&gt; safer Cookie &lt;p&gt; A small text file stored on the client by the browser, used for mutual transmission between the client and the server. we Server B specifies the http header's Set-Cookie. its structure is as follows: &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; Set-Cookie: name = value [; expires = date] [; domain = domain] [; path = path] [; secure] [; httpOnly] &lt;/pre&gt; &lt;p&gt;, cookies mainly contain the following fields: &lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;strong&gt; name &lt;/strong&gt; &lt;/li&gt; &lt;strong&gt; value &lt;/strong&gt; &lt;/li&gt; &lt;li&gt; &lt;strong&gt; expire &lt;/strong&gt; &lt;/li&gt; &lt;strong&gt; domain &lt;/strong&gt; &lt;/li&gt; &lt;strong&gt; path &lt;/strong&gt; &lt;/ li&gt; &lt;strong&gt; secure &lt;/strong&gt; &lt;/l I&gt; &lt;li&gt; &lt;strong&gt; httpOnly &lt;/strong&gt; &lt;/li&gt; &lt;/ul&gt; &lt;p&gt; Here we mainly discuss secure and httpOnly &lt;/p&gt; httpOnly identifiers &lt;p&gt; used tell the browser that JavaScript document cannot be used. to prevent &lt;strong&gt; XSS attacks) &lt;/strong&gt; &lt;/p&gt; secure ID &lt;p&gt; force the application to transmit cookies over Https &lt;/p&gt; In PHP Yii2, set httpOnly and secure _ csrf &lt;p&gt; Yii2 the default Cookie yii \ web \ Cookie in is httpOnly, &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; class Cookie extends \ yii \ base \ Object {public $ name; p Ublic $ value = ''; public $ domain =''; public $ expire = 0; public $ path = '/'; public $ secure = false; public $ httpOnly = true ;}&lt;/pre&gt; &lt;p&gt; use &lt;? = Html: csrf0000ags ()?&gt; A Cookie with name = _ csrf will be generated. the default value is httpOnly, which is changed by injecting request: &lt;/p&gt; &lt;p&gt; In config/main. php &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt;... 'components' =&gt; ['request' =&gt; ['csrfcookies' =&gt; ['httponly '=&gt; true, 'Secure '=&gt; SECURE_COOKIE,],],...]... &lt;/pre&gt; &lt;p&gt; The httpOnly and secure attribute values injected with csrfCookie &lt;/p&gt; generate the secure Cookie &lt;pre class = "sycode" name = "code"&gt; $ cookies = Yii:: $ app-&gt; response-&gt; cookies; $ cookies-&gt; add (new Co Okie (['name' =&gt; 'access', 'value' =&gt; $ accesstoken, 'expire '=&gt; time () + Token: EXPIRE_TIME, 'Secure '=&gt; SECURE_COOKIE]); &lt;/pre&gt; &lt;p&gt; note that the secure attribute must be updated when the Cookie is updated &lt;/p&gt; &lt;pre class = "sycode" name = "code"&gt; $ cookies = Yii :: $ app-&gt; request-&gt; cookies; if ($ cookie = $ cookies-&gt; get ('accesstoken '))! = Null) {$ cookie-&gt; secure = SECURE_COOKIE; // This is important, otherwise $ cookie-&gt; expire = time () + Token: EXPIRE_TIME; Yii:: $ app-&gt; response-&gt; cookies-&gt; add ($ cookie) ;}&lt;/pre&gt;