Secure Your Site with the Right Security Headers
•
0 likes•687 views
Z prezentace zjistíte jaké bezpečnostní hlavičky máme, co dělají a proti čemu chrání. Zároveň pochytíte, jak si je nastavit na vašich stránkách.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Secure Your Site with the Right Security Headers
Similar to Secure Your Site with the Right Security Headers (20)
More from PeckaDesign.cz
More from PeckaDesign.cz (20)
Recently uploaded
Recently uploaded (20)
Secure Your Site with the Right Security Headers
- 3. Proč? Bezpečnost Ochrana uživatele a jeho soukromí Může zlepšit SEO
- 4. Jaké hlavičky máme? Strict-Transport-Security Content Security Policy Referrer-Policy X-Frame-Options X-Content-Type-Options X-XSS-Protection Feature-Policy Set-Cookie Content-Type Server Accept Cache-Control Method
- 5. Jaké hlavičky máme? Strict-Transport-Security Content-Security-Policy Referrer-Policy X-Frame-Options X-Content-Type-Options X-XSS-Protection Feature-Policy Set-Cookie Content-Type Server Accept Cache-Control Method bezpečnostní hlavičky
- 7. OBSERVATORY
- 8. Referrer-policy ● určuje jestli a jaká URL se bude posílat v hlavičce Referer Referrer-policy: no-referrer Referrer-policy: same-origin Referrer-policy: strict-origin Referrer-policy: strict-origin-when-cross-origin
- 9. Referrer-policy .htaccess Header always set Referrer-Policy "strict-origin-when-cross-origin" Nette
- 10. OBSERVATORY
- 11. X-XSS-Protection ● povoluje filtry proti XSS (cross-site scripting attacks), které jsou v prohlížeči X-XSS-Protection: 0 X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block
- 12. X-XSS-Protection
- 13. X-XSS-Protection .htaccess Header always set X-XSS-Protection "1; mode=block" Nette
- 14. OBSERVATORY
- 15. X-Frame-Options ● zakazuje/povoluje zobrazení vaší stránky v <frame>, <iframe> nebo <object> ● ochrana proti Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com
- 16. X-Frame-Options .htaccess Header always set X-Frame-Options "DENY" Nette
- 17. OBSERVATORY
- 18. X-Content-Type-Options ● prohlížeč ověřuje, zda zdroj má v hlavičce správně nastavený MIME type ● ochrana proti XSS X-Content-Type-Options: nosniff
- 20. X-Content-Type-Options .htaccess Header always set X-Content-Type-Options "nosniff" Nette
- 21. OBSERVATORY
- 22. Feature-Policy ● přibyla minulý rok ● povoluje/zakazuje přístup k API prohlížeče Feature-Policy: camera *; geolocation ‘none’; cookie: ‘self’ https://example.com <iframe src="https://example.com..." allow="fullscreen"></iframe>
- 24. Feature-Policy ● API pro zjištění nastavení Featury Policy ● experimentální funkce const policy = document.featurePolicy; interface FeaturePolicy { boolean allowsFeature(DOMString feature, optional DOMString origin); sequence<DOMString> features(); sequence<DOMString> allowedFeatures(); sequence<DOMString> getAllowlistForFeature(DOMString feature); };
- 25. Feature-Policy
- 26. Feature-Policy .htaccess Header always set Feature-Policy "microphone 'none'; payment 'none'" Nette (2.4)
- 27. Set-Cookie ● nastaví cookie v prohlížeči Secure: cookie se může posílat pouze přes HTTPS HttpOnly: cookie není dostupná v document.cookie SameSite: značí, jestli bude prohlížeč spolu s requestem na vaší stránku posílat cookie Lax: pošle při kliknutí na odkaz, odeslání formuláře přes GET a link s prerender Strict: nikdy nepošle
- 28. Set-Cookie Type request Example code Cookie sents Link <a href="..."></a> Normal, Lax Prerender <link rel="prerender" href=".."/> Normal, Lax Form GET <form method="GET" action="..."> Normal, Lax Form POST <form method="POST" action="..."> Normal iframe <iframe src="..."></iframe> Normal AJAX $.get("...") Normal Image <img src="..."> Normal https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery
- 29. Set-Cookie .htaccess Header always set Set-Cookie "myCookie=1; path=/; Secure; HttpOnly; SameSite=Lax" Nette
- 30. OBSERVATORY
- 31. Strict-Transport-Security ● vynucuje komunikaci jen přes HTTPS protokol Strict-Transport-Security: max-age=31536000 Strict-Transport-Security: max-age=31536000; includeSubDomains Strict-Transport-Security: max-age=31536000; includeSubDomains; preload https://hstspreload.org
- 32. Strict-Transport-Security - bez preload
- 33. Strict-Transport-Security - s preload
- 34. Strict-Transport-Security - redirect http://example.com https://example.com https://www.example.com
- 35. Strict-Transport-Security .htaccess Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains" Nette
- 36. OBSERVATORY
- 37. Content-Security-Policy ● dovoluje kontrolovat odkud budou načítány zdroje (obrázky, skripty, styly) na web ● ochrana proti XSS Content-Security-Policy: default-src https:;
- 39. Content-Security-Policy - nástroje pro reportování https://report-uri.com https://www.uriports.com report-uri: https://example.com
- 40. Content-Security-Policy .htaccess Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; report-uri: https://example.com" Nette
- 41. OBSERVATORY
- 42. .htaccess Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set X-XSS-Protection "1; mode=block" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Content-Type-Options "nosniff" Header always set Feature-Policy "microphone 'none'; payment 'none'" Header always set Set-Cookie "myCookie=1; path=/; Secure; HttpOnly; SameSite=Lax" Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains" Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'"
- 43. Nette