近期主管機關會拿 SecurityHeaders 網站來檢測網站,因此調整了一下 Apache 和 PHP 的設定

以下為 Apache 的設定,原則上以下設定有做完應該就可以拿到 A+ 的等級了

<IfModule headers_module>

    #

    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied

    # backend servers which have lingering "httpoxy" defects.

    # 'Proxy' request header is undefined by the IETF, not listed by IANA

    #

    RequestHeader unset Proxy early

 

    #HTTP Strict Transport Security (HSTS)

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

 

    #Content-Security-Policy (CSP)

    Header set Content-Security-Policy "frame-ancestors 'self';"

 

    #X-XSS-Protection

    Header set X-XSS-Protection "1; mode=block"

 

    #X-Content-Type-Options

    Header set X-Content-Type-Options nosniff

 

    #Permissions-Policy

    Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"

 

    #X-Frame-Options

    Header always append X-Frame-Options SAMEORIGIN

 

    #Referrer-Policy

    #Header set Referrer-Policy "no-referrer-when-downgrade"

    Header set Referrer-Policy "strict-origin-when-cross-origin"

</IfModule>

另外 PHP 也可以優化一下,要設定 php.ini

; Whether to use cookies.

; http://php.net/session.use-cookies

session.use_cookies = 1

 

; http://php.net/session.cookie-secure

session.cookie_secure = 1

 

; This option forces PHP to fetch and use a cookie for storing and maintaining

; the session id. We encourage this operation as it's very helpful in combating

; session hijacking when not specifying and managing your own session id. It is

; not the be-all and end-all of session hijacking defense, but it's a good start.

; http://php.net/session.use-only-cookies

session.use_only_cookies = 1

 

; Whether or not to add the httpOnly flag to the cookie, which makes it

; inaccessible to browser scripting languages such as JavaScript.

; http://php.net/session.cookie-httponly

session.cookie_httponly = True

 

; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)

; Current valid values are "Strict", "Lax" or "None". When using "None",

; make sure to include the quotes, as `none` is interpreted like `false` in ini files.

; https://tools.ietf.org/html/draft-west-first-party-cookies-07

session.cookie_samesite = Lax

 

參考資料

[1] DEVCORE - HTTP Headers 的資安議題 (1)

[2] 增加安全的 HTTP Headers

arrow
arrow
    全站熱搜

    Bojack 發表在 痞客邦 留言(0) 人氣()

    E-mail轉寄