__Headers in the .htaccess file to protect a website__

62o28rlo posted on 2023-03-19 in Other
Follow(0)|Answers(1)|Views(153)

Have a nice day everyone, and a good start to the weekend :)
I have set the following headers in my htaccess file:

# Security Headers
<IfModule mod_headers.c>
 -  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
 -  Header set X-Permitted-Cross-Domain-Policies "none"
 -  Header set X-XSS-Protection "1; mode=block"
 -  Header set X-Frame-Options "deny"
 -  Header set X-Content-Type-Options "nosniff"
 -  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 -  # Header set Content-Security-Policy ...
 -  Header set Referrer-Policy "no-referrer"
 -  Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

But when I scan my website on "securityheaders", all the headers show up in red. That means the website is not secure.
I would be very grateful if anyone could tell me what the mistake is.
Thanks and best regards


jaxagkaj1#

Since nobody has mentioned it so far: you have to remove the *dashes* in front of each header!
I can recommend Immuniweb for testing a website's security. It tells you which headers are not strict enough, which are outdated, and how to improve them. Too much configuration in .htaccess slows a site down, so if any of the headers are outdated, please comment below.

# Security Headers
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header set Referrer-Policy "no-referrer"
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
  • Or use the up-to-date headers:
<IfModule mod_headers.c>
      Header set X-Frame-Options "DENY"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Content-Type-Options "nosniff"
      Header set X-Permitted-Cross-Domain-Policies "none"
      Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      Header set Referrer-Policy "no-referrer"
      Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), interest-cohort=()"
      Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self'; report-uri /security-report.php"
</IfModule>
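The scan the question describes can be approximated locally. The checker below is an added example, not code from the question or the answer; it assumes two constructed sample responses (BROKEN, FIXED) standing in for a real site's reply and reports which of the answer's recommended headers are missing or weaker than the values given above.

```python
import re

# Headers the answer's up-to-date set sends (Permissions-Policy replaces Feature-Policy).
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy", "content-security-policy")

def parse_raw_headers(raw: str) -> dict:
    """Turn an HTTP response head (as printed by curl -I) into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing: {n}" for n in REQUIRED if n not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:  # one year, as in the answer
            findings.append("weak: strict-transport-security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak: strict-transport-security lacks includeSubDomains")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options is {xfo!r}")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("weak: x-content-type-options is not nosniff")
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        findings.append("weak: content-security-policy allows 'unsafe-inline'")
    return findings

# Constructed sample: a reply from a site whose .htaccess directives are not being applied.
BROKEN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
# Constructed sample: a reply carrying the answer's up-to-date header set.
FIXED = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(self), camera=()
Content-Security-Policy: default-src 'self'; object-src 'none'
"""

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_headers(parse_raw_headers(raw)) or "all checks passed")
```

To check a live site, paste the output of `curl -sI https://example.invalid/` (placeholder host) in place of the constructed samples.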
