Make your web applications more secure

Source: Internet
Author: User
  • X-Frame-Options
  • The secure and httpOnly cookie flags
Set X-Frame-Options

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

X-Frame-Options is mainly used to prevent clickjacking. Clickjacking is a technique that hides malicious content in a webpage under seemingly harmless elements (such as buttons) and induces users to click on them. The X-Frame-Options HTTP response header indicates whether the browser may render the page inside a <frame>, <iframe> or <object>. By sending this header the server declares a policy that keeps its page from being embedded in other pages. X-Frame-Options has three possible values:

  • DENY: the page cannot be embedded in any frame.
  • SAMEORIGIN: the page can be embedded by frames from the same origin, but not by frames from a different origin. Same origin means the protocol, domain name and port are all the same; even the IP address that a domain name resolves to is treated as a different origin. The following compares several URLs with http://www.example.com/dir/page.html:

    Compared URL                                               Outcome           Reason
    http://www.example.com/dir/page2.html                      Same origin       same protocol, host and port
    http://www.example.com/dir2/other.html                     Same origin       same protocol, host and port
    http://username:password@www.example.com/dir2/other.html   Same origin       same protocol, host and port
    http://www.example.com:81/dir/other.html                   Different origin  ports differ
    https://www.example.com/dir/other.html                     Different origin  protocols differ
    http://en.example.com/dir/other.html                       Different origin  host names differ
    http://example.com/dir/other.html                          Different origin  different hosts; must match exactly
    http://v2.www.example.com/dir/other.html                   Different origin  different hosts; must match exactly
    http://www.example.com:80/dir/other.html                   Depends           port given explicitly; depends on the browser implementation

  • ALLOW-FROM: allows embedding only from the specified origin.

Configure Apache: add to the site configuration:

    Header always append X-Frame-Options SAMEORIGIN

Nginx: add to the http, server or location configuration:

    add_header X-Frame-Options SAMEORIGIN;

IIS: add to the site's Web.config:

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>

HAProxy: add to the frontend, listen or backend configuration:

    rspadd X-Frame-Options:\ SAMEORIGIN

Safer cookies

A cookie is a small text file that the browser stores on the client and that is sent back and forth between the client and the server. The server sets a cookie through the Set-Cookie HTTP header.
Its structure is as follows:

    Set-Cookie: name=value [; expires=date] [; domain=domain] [; path=path] [; secure] [; httpOnly]

A cookie mainly contains the following fields:

  • name
  • value
  • expire
  • domain
  • path
  • secure
  • httpOnly

Here we mainly discuss secure and httpOnly.

The httpOnly flag tells the browser that the cookie must not be accessible to JavaScript through document.cookie, which mitigates XSS attacks.

The secure flag forces the browser to send the cookie only over HTTPS.

Setting httpOnly and secure on _csrf in PHP Yii2

In Yii2 the default cookie class yii\web\Cookie is httpOnly:

    class Cookie extends \yii\base\Object
    {
        public $name;
        public $value = '';
        public $domain = '';
        public $expire = 0;
        public $path = '/';
        public $secure = false;   // not restricted to HTTPS by default
        public $httpOnly = true;  // hidden from JavaScript by default
    }

Using <?= Html::csrfMetaTags() ?> generates a cookie named _csrf. It is httpOnly by default; its flags are changed by injecting them into the request component, in config/main.php:

    ...
    'components' => [
        'request' => [
            'csrfCookie' => [
                'httpOnly' => true,
                'secure'   => SECURE_COOKIE,
            ],
        ],
        ...
    ]
    ...

The httpOnly and secure attribute values are injected through csrfCookie.

Generating a secure cookie:

    $cookies = Yii::$app->response->cookies;
    $cookies->add(new Cookie([
        'name'   => 'access',
        'value'  => $accessToken,
        'expire' => time() + Token::EXPIRE_TIME,
        'secure' => SECURE_COOKIE,
    ]));

Note that the secure attribute must be set again when the cookie is updated:

    $cookies = Yii::$app->request->cookies;
    if (($cookie = $cookies->get('accesstoken')) != null) {
        $cookie->secure = SECURE_COOKIE; // This is important, otherwise
        $cookie->expire = time() + Token::EXPIRE_TIME;
        Yii::$app->response->cookies->add($cookie);
    }
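The two checks below follow the two topics of this article: an evaluator for the X-Frame-Options policy that applies the same-origin rule from the comparison table, and an audit that reports which Set-Cookie headers lack the Secure or HttpOnly flag. This is an added example, not code from the article or from Yii2; the Set-Cookie lines in it are constructed, and an explicit default port (the table's "Depends" row) is treated as the same origin, which is what current browsers do.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL; userinfo is dropped and a missing port takes
    the scheme default, so an explicit :80 counts as the same origin (assumption)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def same_origin(a, b):
    return origin(a) == origin(b)


def framing_allowed(xfo, page_url, embedder_url):
    """Does X-Frame-Options value `xfo`, sent with page_url, let embedder_url frame it?"""
    parts = (xfo or "").split(None, 1)
    directive = parts[0].upper() if parts else ""
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return same_origin(page_url, embedder_url)
    if directive == "ALLOW-FROM" and len(parts) == 2:
        return same_origin(parts[1], embedder_url)
    return True  # header absent or unrecognised: the browser imposes no restriction


def cookie_flag_findings(set_cookie_headers):
    """Map each cookie name to the flags it lacks among Secure and HttpOnly."""
    findings = {}
    for header in set_cookie_headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        name = pair.split("=", 1)[0]
        present = {attr.split("=", 1)[0].lower() for attr in attrs}
        missing = [flag for flag in ("secure", "httponly") if flag not in present]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    page = "http://www.example.com/dir/page.html"
    for other in ("http://username:password@www.example.com/dir2/other.html",
                  "http://www.example.com:81/dir/other.html"):
        print(other, "allowed" if framing_allowed("SAMEORIGIN", page, other) else "blocked")
    # constructed headers: _csrf as Yii2 sends it by default, access with both flags set
    print(cookie_flag_findings(["_csrf=abc; Path=/; HttpOnly",
                                "access=tok; Path=/; Secure; HttpOnly"]))
```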
