
HTTP header options for hardening security

X-Frame-Options

Prevents your page from being placed inside a frame. This can block clickjacking.

X-Frame-Options: DENY (never allows the page to be placed inside a frame)

X-Frame-Options: SAMEORIGIN (allows framing only from the same origin)

X-Frame-Options: ALLOW-FROM http://some-domain.com (allows framing only from the specified origin)


Sometimes someone buys a domain that looks like yours, places your site in a full-size frame with no content of their own, attracts a large number of visitors, and then suddenly switches to displaying different content. Preventing your page from being placed inside a frame lets you block this.


X-Content-Type-Options

This header defends against the trick of uploading a JS file with a .jpg extension to bypass checks and then referencing it as the src of a script tag. With this header set, the browser will not interpret content in a way that differs from its declared MIME type. It is enabled by setting the value to nosniff.

List of useful HTTP headers

From OWASP

This page lists useful security-related HTTP headers. In most architectures these headers can be set in the web server configuration (Apache, IIS, nginx) without changing the actual application's code. This offers a significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

Header name / Description / Example

Public Key Pinning Extension for HTTP
Description: The Public Key Pinning Extension for HTTP (HPKP) is a security header that tells a web client to associate a specific cryptographic public key with a certain web server, to prevent MITM attacks with forged certificates.
Example: Public-Key-Pins: pin-sha256="<sha256>"; pin-sha256="<sha256>"; max-age=15768000; includeSubDomains

Strict-Transport-Security
Description: HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server. This reduces the impact of bugs in web applications leaking session data through cookies and external links, and defends against man-in-the-middle attacks. HSTS also disables the ability for users to ignore SSL negotiation warnings.
Example: Strict-Transport-Security: max-age=16070400; includeSubDomains

X-Frame-Options, Frame-Options
Description: Provides clickjacking protection. Values: deny - no rendering within a frame; sameorigin - no rendering if origin mismatch; allow-from: DOMAIN - allow rendering if framed by a frame loaded from DOMAIN.
Example: X-Frame-Options: deny

X-XSS-Protection
Description: This header enables the cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. It's unknown if that version honored this header.
Example: X-XSS-Protection: 1; mode=block

X-Content-Type-Options
Description: The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Example: X-Content-Type-Options: nosniff

Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Description: Content Security Policy requires careful tuning and a precise definition of the policy. If enabled, CSP has a significant impact on the way the browser renders pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections.
Example: Content-Security-Policy: default-src 'self'

Content-Security-Policy-Report-Only
Description: Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.
Example: Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://loghost.example.com/reports.jsp
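As an added example (not code from the original post or from OWASP), here is a small Python checker that audits a set of response headers against the headers covered above, both in the X-Frame-Options / X-Content-Type-Options section and in the OWASP table: it flags a missing or unrecognised X-Frame-Options, a missing nosniff, an HSTS max-age below a threshold, and a CSP that is only in Report-Only mode. The threshold constant, the function name and the two sample responses are assumptions constructed for this example.

```python
import re

# Minimum HSTS max-age this check accepts (assumed threshold; the HSTS example above uses 16070400).
MIN_HSTS_MAX_AGE = 15768000  # about six months

def audit_security_headers(headers):
    """Return a list of findings for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # X-Frame-Options: clickjacking protection (DENY / SAMEORIGIN / ALLOW-FROM <origin>)
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    # X-Content-Type-Options: 'nosniff' is the only defined value
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing possible")

    # Strict-Transport-Security: must be present and carry a long enough max-age
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTPS not enforced")
    elif not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")

    # Content-Security-Policy: Report-Only alone reports violations but blocks nothing
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("Only Content-Security-Policy-Report-Only set: policy not enforced")
        else:
            findings.append("Content-Security-Policy missing")
    return findings

# Constructed sample responses for this example; not captured from any real server.
WEAK_RESPONSE = {
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}
HARDENED_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=16070400; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
```

Calling audit_security_headers(WEAK_RESPONSE) yields four findings, while HARDENED_RESPONSE yields none; feed it the header dict from any HTTP client to audit a real response.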