
For which Content-Types should I set security related HTTP response headers?

I've built a web application (with my favourite language, Fantom!) and am in the process of locking it down against XSS and other such attacks by supplying industry standard HTTP response headers.

My question is, for which responses should the headers be set?

I could set the headers for every response, but that seems pretty wasteful given that most requests will be for images, fonts, stylesheets, etc. The Content-Security-Policy header in particular can get quite lengthy.

As a lot of the headers relate to the owning HTML page (and the Javascript contained within), I get the feeling most of them need only be set for HTML pages.

I've looked at various resources such as:

And while they explain what the headers do, they don't explain for which resources they should be used and served!

I've made a list below of HTTP response headers and the Content-Types I think they should be served with. But does anyone know if this is correct?

HTTP Response Header       text/html  All Content-Types
-------------------------  ---------  -----------------
Content-Security-Policy        X
Referrer-Policy                               X
Strict-Transport-Security                     X
X-Content-Type-Options                        X
X-Frame-Options                X
X-XSS-Protection               X

(When I say text/html I also include application/xhtml+xml.)

Referrer-Policy is under all content types because CSS is able to load fonts and images.

Strict-Transport-Security

In the deployment recommendations of the "HSTS Preload List" it is stated:

Add the Strict-Transport-Security header to all HTTPS responses

In Apache this would look like the following (note that I did not include the preload directive; developers should read the HSTS Preload List's deployment recommendations before adding that):

<IfModule mod_headers.c>
    # Apache 2.4 expression syntax: emit the header only when the request came in over TLS
    Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>


X-XSS-Protection

If you are using CSP (without allowing 'unsafe-inline'), then you probably don't need to worry about X-XSS-Protection anymore:


Content-Security-Policy (and security-related headers in general)

As a general approach, you'd at least want to add security headers to all (common) MIME types that are able to execute scripts:


Also, IMO, consider setting a strict Referrer-Policy for ALL responses. I hope this helps :)

Theoretically, only 'active' documents should need it, much like the X-XSS-Protection header (related answer here from Info Security). As long as the policy is set on the main document (even through a meta tag), external resources should be blocked based on that policy, not the policy on the external resource (easy to see when loading CDN files, which almost certainly do not have your CSP, or any CSP, set).

So I would say your estimate is correct; text/html and XML absolutely should have it, as should anything that can execute Javascript. It shouldn't matter for static resources. They'll be blocked or allowed based on the main document's CSP.

I will admit that, personally, I simply send them on all resources served directly from my server, as I'd rather be paranoid than screw something up, and the few dozen bytes per request don't appear to be a big impact, especially on a site that doesn't serve a great deal of requests. And if your site does serve an extreme amount of requests... it's usually best to cut down on requests before trying to shrink your headers.

As with anything like this, I'd be sure to test your specific implementation and try loading some resources the CSP should block. You never know when a browser implementation may be flawed (or, more frequently, a typo or over/under-eager application of your own rules).
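The table in the question and the "test your implementation" advice in the answer above can be turned into a small audit. The following is an added example, not code from the question or either answer: it encodes the question's table as a rule (document-only headers for text/html and application/xhtml+xml, Referrer-Policy and X-Content-Type-Options everywhere, HSTS on every HTTPS response and never on plain HTTP, as the first answer quotes from the HSTS Preload List), then checks constructed sample responses against it and reports which headers are missing and which are sent where the rule says they should not be. The header values, the example.test URLs and the sample responses are all assumptions chosen for illustration; the set of document types is the one the question names and should be extended if you serve other script-capable types.

```python
"""Decide which security headers a response should carry from its Content-Type
and transport, then audit constructed sample responses against that rule."""

from typing import Dict, Set, Tuple

# Media types that load as documents and can run script. Taken from the
# question (text/html plus application/xhtml+xml); extend it if you serve other
# script-capable types.
DOCUMENT_TYPES = frozenset({"text/html", "application/xhtml+xml"})

# Headers that only make sense on a document, since they govern the page and
# the script it runs. The values are illustrative placeholders, not the
# question's or the answers' own policy.
DOCUMENT_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Frame-Options": "DENY",
    # "0" turns the legacy browser XSS auditor off; with a strict CSP in place
    # it adds nothing, which is the answer's point.
    "X-XSS-Protection": "0",
}

# Headers that belong on every response, whatever its type.
ALL_HEADERS: Dict[str, str] = {
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}

# HSTS goes on every HTTPS response and never on plain HTTP (browsers ignore it
# there, and its presence means the scheme check is wrong).
HSTS_VALUE = "max-age=16070400; includeSubDomains"
SECURITY_HEADER_NAMES = set(ALL_HEADERS) | set(DOCUMENT_HEADERS) | {"Strict-Transport-Security"}


def media_type(content_type: str) -> str:
    """Strip parameters: 'Text/HTML; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def security_headers(content_type: str, https: bool) -> Dict[str, str]:
    """Return the security headers a response of this type and scheme should carry."""
    headers = dict(ALL_HEADERS)
    if https:
        headers["Strict-Transport-Security"] = HSTS_VALUE
    if media_type(content_type) in DOCUMENT_TYPES:
        headers.update(DOCUMENT_HEADERS)
    return headers


def audit(content_type: str, https: bool, actual: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Compare a response's headers with the expected set.

    Returns (missing, surplus): expected security headers that are absent, and
    security headers present on a response that should not carry them. Surplus
    document headers on a stylesheet are only wasted bytes; surplus HSTS on a
    plain-HTTP response points at a broken scheme check.
    """
    expected = security_headers(content_type, https)
    present = {name.lower() for name in actual}  # header names are case-insensitive
    missing = {name for name in expected if name.lower() not in present}
    surplus = {name for name in SECURITY_HEADER_NAMES - set(expected) if name.lower() in present}
    return missing, surplus


# Constructed sample responses (url, content-type, over-https, headers sent);
# not captured from any real server.
SAMPLE_RESPONSES = [
    ("https://example.test/", "text/html; charset=utf-8", True, {
        "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
        "X-XSS-Protection": "0", "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": HSTS_VALUE}),
    ("https://example.test/logo.png", "image/png", True, {
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": HSTS_VALUE}),
    # Script served without nosniff or a referrer policy: two headers missing.
    ("https://example.test/app.js", "application/javascript", True, {
        "strict-transport-security": HSTS_VALUE}),
    # Plain-HTTP page that still sends HSTS: the scheme check is wrong.
    ("http://example.test/", "text/html", False, {
        "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
        "X-XSS-Protection": "0", "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": HSTS_VALUE}),
]


def audit_samples() -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Audit every constructed sample, keyed by URL."""
    return {url: audit(ctype, https, sent) for url, ctype, https, sent in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for url, (missing, surplus) in audit_samples().items():
        status = "ok" if not (missing or surplus) else "CHECK"
        print(f"{status:5} {url}  missing={sorted(missing)}  surplus={sorted(surplus)}")
```

To use this against a live deployment, replace SAMPLE_RESPONSES with the Content-Type, scheme and headers of real responses (for example from `curl -sI`) and feed them to `audit`; anything reported as missing on a document, or as surplus HSTS on an http:// URL, is worth fixing before tuning the policy values themselves.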
