安全标头
[英]Headers for security
问题描述
I've been reading articles about the protection of your website and they say to place these 3 headers: 
我一直在阅读有关您的网站保护的文章,他们说要放置这3个标题:
- X-Frame-Options: DENY X-Frame-Options:DENY
- X-XSS-Protection: 1; X-XSS-Protection:1; mode=block 模式=块
- X-Content-Type-Options: nosniff X-Content-Type-Options:nosniff
In my website to protect it from Website attacks, but I dont know how to declare it in my header, can someone help me with this please? 在我的网站中保护它免受网站攻击,但是我不知道如何在标题中声明它,有人可以帮我吗?
Does this goes in the HTML or into the server? 这是进入HTML还是进入服务器?
1 个解决方案
解决方案1
1 已采纳 2015-06-21 20:35:26
You definitely don't want to put them in HTML using <meta> tags, as JavaScript can just remove them, and (correct) browsers will ignore them. 您绝对不希望使用<meta>标签将它们放入HTML中,因为JavaScript可以删除它们,而(正确的)浏览器将忽略它们。
You need to set them as HTTP response headers on the server, and this depends on your server / framework. 您需要将它们设置为服务器上的HTTP响应标头,这取决于您的服务器/框架。 You also don't want to do this on every page, as it's not DRY, so you want to find a centralized solution. 您也不想在每个页面上都这样做,因为它不是DRY,所以您想找到一个集中式解决方案。
You could use modsecurity with Apache httpd or nginx, or just mod_headers . 您可以将modsecurity与Apache httpd或nginx一起使用,或仅与mod_headers一起使用 。
Or if you really don't want to do any sysadmin, use a service like cloudflare. 或者,如果您真的不想执行任何sysadmin,请使用诸如cloudflare之类的服务。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.