Translated from Brian Jackson's article: Hardening Your HTTP Security Headers

This article is a translation of Brian Jackson's article at https://www.keycdn.com/blog/http-security-headers

There are a lot of things to consider when securing your website or web application, but a good place to start is to explore your HTTP security headers and ensure you are keeping up with best practices. In many cases they are very easy to implement and only require a slight web server configuration change. HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities. In this post we will explore some of them to help you better understand their purpose and how to implement them.

What are HTTP security headers?

Whenever a browser requests a page from a web server, the server responds with the content along with HTTP response headers. Some of these headers contain content metadata such as the Content-Encoding, Cache-Control, status codes, etc.

Along with these are also HTTP security headers that tell your browser how to behave when handling your website's content. For example, by using Strict-Transport-Security you can force the browser to communicate solely over HTTPS.

There are six different HTTP security headers that we will explore below (in no particular order) that you should be aware of and that we recommend implementing if possible.

1. Content Security Policy

The Content-Security-Policy header provides an additional layer of security. This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining content sources which are approved and thus allowing the browser to load them.

All major browsers currently offer full or partial [support for content security policy](https://caniuse.com/#search=content%20security%20policy). And it won't break delivery of the content if it does happen to be delivered to an older browser; the policy will simply not be enforced.

There are many directives that you can use with Content-Security-Policy. The example below allows scripts from both the current domain (defined by 'self') as well as google-analytics.com.

Content-Security-Policy: script-src 'self' https://www.google-analytics.com

To explore all of the directives, and to see implementation on Nginx and Apache, make sure to check out our in-depth post on Content Security Policy.
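To make the policy above concrete, here is an added example (not code from the original article) that parses a Content-Security-Policy value and decides whether a given external script would be allowed by the `script-src` directive, the way a browser evaluates it. It implements `'self'`, `'none'`, `'unsafe-inline'`, scheme sources such as `https:`, host sources with an optional scheme and a leading `*.` wildcard, and the fallback to `default-src`; ports, paths, nonces and hashes are left out, and the page origin and script URLs used in the demonstration are constructed.

```python
# Added example, not code from the original article: a small parser for the
# Content-Security-Policy value and a checker that applies script-src the way a
# browser does for the cases that matter here ('self', 'none', 'unsafe-inline',
# scheme sources like "https:", host sources with optional scheme and a leading
# "*." wildcard, and fallback to default-src). Ports, paths, nonces and hashes
# are deliberately not implemented.
from urllib.parse import urlsplit

# The article's own example policy (header value only).
ARTICLE_POLICY = "script-src 'self' https://www.google-analytics.com"


def parse_csp(header_value):
    """Split a CSP header value into {directive_name: [source, ...]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored, as browsers do
    return policy


def _host_matches(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])  # "*.example.org" matches "a.example.org", not "example.org"
    return pattern_host == host


def _source_allows(source, page_origin, script_url):
    """Does one source expression permit loading script_url from a page at page_origin?"""
    page, script = urlsplit(page_origin), urlsplit(script_url)
    src = source.lower()
    if src == "'self'":
        return (page.scheme, page.hostname, page.port) == (script.scheme, script.hostname, script.port)
    if src.startswith("'"):
        return False  # other keywords ('unsafe-inline', 'none', ...) never match a URL
    if src.endswith(":") and "/" not in src:
        return script.scheme == src[:-1]  # scheme-source such as "https:"
    scheme, _, rest = src.rpartition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    if scheme and scheme != script.scheme:
        return False
    if not scheme and script.scheme not in (page.scheme, "https"):
        return False  # a bare host inherits the page's scheme (https is always acceptable)
    return _host_matches(host, script.hostname)


def _script_sources(policy):
    return policy.get("script-src", policy.get("default-src"))


def script_allowed(policy, page_origin, script_url):
    """Would the browser load an external script at script_url?"""
    sources = _script_sources(policy)
    if sources is None:
        return True  # no governing directive: nothing is restricted
    if any(s.lower() == "'none'" for s in sources):
        return False
    return any(_source_allows(s, page_origin, script_url) for s in sources)


def inline_script_allowed(policy):
    """Would an inline <script> block run? (Only 'unsafe-inline' is considered here.)"""
    sources = _script_sources(policy)
    return sources is None or any(s.lower() == "'unsafe-inline'" for s in sources)


if __name__ == "__main__":
    # Constructed page origin and script URLs for the demonstration.
    policy = parse_csp(ARTICLE_POLICY)
    page = "https://www.example.com"
    for url in ("https://www.example.com/app.js",
                "https://www.google-analytics.com/analytics.js",
                "https://cdn.other.example/lib.js"):
        print(f"{url}: {'allowed' if script_allowed(policy, page, url) else 'BLOCKED'}")
    print("inline script:", "allowed" if inline_script_allowed(policy) else "BLOCKED")
```

Note that the article's policy blocks inline scripts as well as third-party hosts: a `script-src` without `'unsafe-inline'` is what makes CSP effective against injected `<script>` blocks, so check what the page itself needs before deploying it.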

2. X-XSS-Protection

The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This is usually enabled by default, but using it will enforce it. It is supported by Internet Explorer 8+, Chrome, and Safari.

Here is an example of what the header looks like:

X-XSS-Protection: 1; mode=block

Enable in Nginx

add_header X-XSS-Protection "1; mode=block" always;

Enable in Apache

Header always set X-XSS-Protection "1; mode=block"

3. HTTP Strict Transport Security (HSTS)

The Strict-Transport-Security header is a security enhancement that restricts web browsers to accessing web servers solely over HTTPS. This ensures the connection cannot be established through an insecure HTTP connection, which could be susceptible to attacks.

All major modern browsers currently support HTTP strict transport security except for Opera Mini and older versions of Internet Explorer.

Here is an example of what the header looks like. You can include the max age, subdomains, and preload.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

To read more about this header and see implementation on Nginx and Apache, make sure to check out our in-depth post on HTTP Strict Transport Security.
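As an added example (not code from the original article or from KeyCDN), the following parses a Strict-Transport-Security value as a browser would, answers which hosts a cached policy covers, and checks the value against the requirements the HSTS preload list publishes (a max-age of at least one year, includeSubDomains, and the preload token). The hostnames used in the demonstration are constructed.

```python
# Added example, not code from the original article: parse a
# Strict-Transport-Security header value and reason about its effect.
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; minimum max-age required for preload submission


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value) -> Optional[HstsPolicy]:
    """Return the policy, or None if the header is malformed (a browser ignores it then)."""
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # the value may be a quoted string
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age is treated as malformed here
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def covers_host(policy, policy_host, request_host) -> bool:
    """Would a browser that cached `policy` for `policy_host` force HTTPS for `request_host`?"""
    if policy is None or policy.max_age == 0:
        return False  # max-age=0 tells the browser to forget the host
    policy_host, request_host = policy_host.lower(), request_host.lower()
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)


def preload_problems(policy) -> list:
    """Reasons the header would not satisfy the preload-list submission requirements."""
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the required {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # The article's example value, applied to constructed hostnames.
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print(policy)
    for host in ("example.com", "api.example.com", "notexample.com"):
        print(f"{host}: {'HTTPS forced' if covers_host(policy, 'example.com', host) else 'not covered'}")
    print("preload problems:", preload_problems(parse_hsts("max-age=300")))
```

Two points a practitioner should take from this: the `includeSubDomains` flag is what stops an attacker-controlled plain-HTTP subdomain from being reachable once the apex policy is cached, and `max-age=0` is the supported way to roll back, so a site should only add `preload` once it is certain every subdomain can serve HTTPS.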

4. X-Frame-Options

The X-Frame-Options header provides clickjacking protection by not allowing iframes to load on your website.

It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Here is an example of what the header looks like:

X-Frame-Options: SAMEORIGIN

Enable in Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Enable in Apache

Header always set X-Frame-Options "SAMEORIGIN"

5. Expect-CT

The Expect-CT header prevents misissued certificates from being used by allowing websites to report and optionally enforce Certificate Transparency requirements. When this header is enabled the website is requesting the browser to verify whether or not the certificate appears in the public CT logs.

Here is an example of what the header looks like:

Expect-CT: max-age=604800, enforce, report-uri="https://www.example.com/report"

Enable in Nginx

add_header Expect-CT "max-age=604800, enforce, report-uri=\"https://www.example.com/report\"" always;

Enable in Apache

Header always set Expect-CT "max-age=604800, enforce, report-uri=\"https://www.example.com/report\""

6. X-Content-Type-Options

The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared Content-Type. This helps reduce the danger of drive-by downloads and helps treat the content the right way.

Here is an example of what the header looks like:

X-Content-Type-Options: nosniff

Enable in Nginx

add_header X-Content-Type-Options "nosniff" always;

Enable in Apache

Header always set X-Content-Type-Options "nosniff"
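Once the server configuration above is in place, the natural check is to look at an actual response and confirm all six headers arrived with the recommended values. The following is an added example (not code from the original article or from KeyCDN) that audits a response's header block against the recommendations in this post; `parse_raw_headers` accepts the text that `curl -sI URL` prints, and the two sample responses below are constructed for the demonstration.

```python
# Added example, not code from the original article: audit one HTTP response's
# headers against the six recommendations made in this post.


def parse_raw_headers(raw):
    """Parse the header block of a raw HTTP response (e.g. the output of `curl -sI URL`)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means all six checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    if "content-security-policy" not in h:
        findings.append(("Content-Security-Policy", "missing: no policy restricting content sources"))

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append(("X-XSS-Protection", "missing; the post recommends '1; mode=block'"))
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(("X-XSS-Protection", f"unexpected value {xss!r}"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing: browsers may still connect over plain HTTP"))
    elif "max-age=" not in hsts.lower():
        findings.append(("Strict-Transport-Security", "max-age missing: browsers ignore the header"))

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "missing or not DENY/SAMEORIGIN: page can be framed (clickjacking)"))

    ect = h.get("expect-ct")
    if ect is None:
        findings.append(("Expect-CT", "missing: no Certificate Transparency reporting or enforcement requested"))
    elif "enforce" not in ect.lower():
        findings.append(("Expect-CT", "report-only: 'enforce' not set"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff': browser may MIME-sniff responses"))

    return findings


# Constructed sample responses: one configured as this post recommends, one left at defaults.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "script-src 'self' https://www.google-analytics.com",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Expect-CT": 'max-age=604800, enforce, report-uri="https://www.example.com/report"',
    "X-Content-Type-Options": "nosniff",
}
DEFAULT_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "nginx",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("default", DEFAULT_RESPONSE)):
        print(f"== {label} ==")
        for header, finding in audit_headers(response) or [("all six headers", "OK")]:
            print(f"  {header}: {finding}")
```

To audit a live site, pipe the output of `curl -sI https://your-site.example` into `parse_raw_headers` and pass the result to `audit_headers`; check the response from each origin you serve (including static asset and API hosts), since the `always` keyword in the Nginx and Apache lines above only guarantees the headers on responses from the virtual host where it is configured.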

7. Feature-Policy

The Feature-Policy header grants the ability to allow or deny browser features, whether in its own frame or content within an inline frame element (