__Headers in the .htaccess file for protecting a website__

Published 2025-01-18 08:59:23, 767 characters, 3 views, 0 comments

I wish you all a good day and a nice start to the weekend :)

I set the following headers in the htaccess file:

# Security Headers
<IfModule mod_headers.c>
 -  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
 -  Header set X-Permitted-Cross-Domain-Policies "none"
 -  Header set X-XSS-Protection "1; mode=block"
 -  Header set X-Frame-Options "deny"
 -  Header set X-Content-Type-Options "nosniff"
 -  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 -  # Header set Content-Security-Policy ...
 -  Header set Referrer-Policy "no-referrer"
 -  Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

But when I scan my website on "securityheader", it shows all the headers in red. That means the website is not secure.

I would be very thankful if someone could show me the error.

Thank you and
Best regards


辞慾 2025-01-25 08:59:23

As nobody has mentioned it so far: you have to remove the dashes before each header!

I can recommend Immuniweb for testing the site's security. It will tell you which header is not strict enough, which ones are outdated, and how to improve.
Too many configs in the .htaccess reduce the site's speed, so if any of the headers is outdated, comment on it below.

# Security Headers
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header set Referrer-Policy "no-referrer"
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

or with the up-to-date headers:

<IfModule mod_headers.c>
      Header set X-Frame-Options "DENY"
      Header set X-XSS-Protection "1; mode=block"
      Header set X-Content-Type-Options "nosniff"
      Header set X-Permitted-Cross-Domain-Policies "none"
      Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      Header set Referrer-Policy "no-referrer"
      Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), encrypted-media=(), fullscreen=(), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), interest-cohort=()"
      Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'; frame-src 'self'; worker-src 'self'; connect-src 'self'; report-uri /security-report.php"
</IfModule>
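A small lint pass over a mod_headers block, added here as an example and not part of the question or the answer: it flags the stray dashes the answer points out, the headers the answer calls outdated, and the Strict-Transport-Security directive that the posted config sets in both the onsuccess and the always table (Apache sends both tables on a 2xx response, so the header can arrive twice). The SAMPLE input is a constructed copy of the question's block; the message texts and the OUTDATED mapping are this example's own choices.

```python
import re
# Constructed sample input: the question's block, stray dashes included.
SAMPLE = """\
<IfModule mod_headers.c>
 -  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
 -  Header set X-XSS-Protection "1; mode=block"
 -  Header set X-Frame-Options "deny"
 -  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 -  Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
"""

# Headers the answer calls outdated, with what to do instead (this example's mapping).
OUTDATED = {"x-xss-protection": "drop it and rely on Content-Security-Policy",
            "feature-policy": "renamed to Permissions-Policy"}

# Shape parsed: Header [onsuccess|always] action name "value" [env=...]
DIRECTIVE = re.compile(
    r'^Header\s+(?:(?P<cond>onsuccess|always)\s+)?(?P<action>set|add|append|merge)'
    r'\s+"?(?P<name>[\w-]+)"?\s+"(?P<value>[^"]*)"', re.IGNORECASE)


def lint(text):
    """Return [(line_no, message)] findings for a block of mod_headers directives."""
    findings, tables = [], {}   # tables: lower-cased header name -> {cond: line_no}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":   # comments and <IfModule> tags
            continue
        if not line.lower().startswith("header"):
            findings.append((no, f"invalid directive {line.split()[0]!r}: Apache only "
                                 "knows 'Header' here, remove the prefix"))
            line = line.lstrip("- \t")    # lint the rest of the line anyway
        m = DIRECTIVE.match(line)
        if not m:
            findings.append((no, "could not parse Header directive"))
            continue
        name, cond = m["name"].lower(), (m["cond"] or "onsuccess").lower()
        if name in OUTDATED:
            findings.append((no, f"{m['name']} is outdated: {OUTDATED[name]}"))
        prev = tables.setdefault(name, {})
        if cond in prev:
            findings.append((no, f"{m['name']} already set on line {prev[cond]}; "
                                 "this directive overrides it"))
        elif prev:   # same header in the other table: both tables are sent on 2xx
            findings.append((no, f"{m['name']} set in both onsuccess and always "
                                 f"tables (lines {min(prev.values())}, {no}); "
                                 "clients can receive it twice"))
        prev[cond] = no
    return findings
```

Running `lint(SAMPLE)` reports one invalid-directive finding per dashed line, marks X-XSS-Protection and Feature-Policy as outdated, and points at the second Strict-Transport-Security line.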