网站低危漏洞通过伪静态功能处理方法很多网站通过第三方平台扫描会出现很多低危漏洞,特别是使用绿盟进行安全检测经常会出现。Linux和虚拟主机都会有这个情况,可以通过伪静态的方式进行设置。
l Windows主机 Windows主机需要在wwwroot目录下的web.config里面添加以下规则: <?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false"/>
<add verb="TRACE" allowed="false"/>
</verbs>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<!--检测到目标X-Content-Type-Options响应头缺失-->
<add name="X-Content-Type-Options" value="nosniff" />
<!--检测到目标X-XSS-Protection响应头缺失-->
<add name="X-XSS-Protection" value="1;mode=block" />
<!--检测到目标Content-Security-Policy响应头缺失 /-->
<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' ; img-src 'self' data:" />
<!--检测到目标Strict-Transport-Security响应头缺失-->
<add name="Strict-Transport-Security" value="max-age=31536000" />
<!--检测到目标Referrer-Policy响应头缺失-->
<add name="Referrer-Policy" value="origin-when-cross-origin" />
<!--检测到目标X-Permitted-Cross-Domain-Policies响应头缺失-->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!--检测到目标X-Download-Options响应头缺失-->
<add name="X-Download-Options" value="noopen" />
<!--点击劫持:X-Frame-Options未配置-->
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
请注意规则必须要添加的节点,如果添加错误会导致网站无法打开。
l Linux主机 在wwwroot目录下的.htaccess中添加以下规则:
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' ; img-src 'self' data:"
Header set Strict-Transport-Security: "max-age=31536000 ; includeSubDomains ;"
Header set Referrer-Policy: strict-origin-when-cross-origin
Header set X-Permitted-Cross-Domain-Policies "master-only"
Header set X-Download-Options "noopen"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS)
RewriteRule .* - [F]# .htaccess只能管的了静态文件,php动态程序是要php代码中设置。 <?php
// 全局设置Session Cookie的Secure属性,需要部署https
// ini_set("session.cookie_secure", "1");
// 同时设置HttpOnly
ini_set("session.cookie_httponly", "1");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=bloc");
header("Content-Security-Policy: default-src 'self' 'unsafe-inline' ; img-src 'self' data:");
header("Strict-Transport-Security: max-age=31536000 ; includeSubDomains ;");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("X-Permitted-Cross-Domain-Policies: master-only");
header("X-Download-Options: noopen");
header("X-Frame-Options: SAMEORIGIN");
?>NGINX规则 添加到站点配置文件server里 add_header Cross-Origin-Opener-Policy "same-origin"; add_header Cross-Origin-Embedder-Policy "require-corp"; add_header Cross-Origin-Resource-Policy "same-origin"; add_header Clear-Site-Data '"cache", "cookies", "storage"'; add_header Permissions-Policy "camera=(self), microphone=(self), autoplay=(self), picture-in-picture=(self), fullscreen=(self), display-capture=(), geolocation=()"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' ; img-src 'self' data:"; add_header X-Download-Options "noopen"; add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Permitted-Cross-Domain-Policies "none"; add_header X-XSS-Protection "1; mode=block"; 注意:无论windows还是Linux主机,添加规则即可生效不需要做其他设置。
|
|||||
| >> 相关文章 | |||||
-
-
关注我们
最新动态
-
新浪微博
交流互动
