The Role of Security Headers
HTTP security headers give a web application a standardized way to instruct the browser to enforce specific security policies for the duration of a session [S1] [S2]. They act as an important defence-in-depth layer, mitigating risks that application logic alone may not be able to address.
Content Security Policy (CSP)
Content Security Policy (CSP) is a security layer that helps detect and mitigate certain classes of attack, including Cross-Site Scripting (XSS) and data injection [S1]. By declaring a policy that specifies which dynamic resources are allowed to load, CSP stops the browser from executing scripts an attacker has injected [S1]. This effectively blocks unauthorized code execution even when an injection flaw exists in the application, provided the policy does not itself permit inline or wildcard script sources.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a mechanism that lets a website tell browsers it should only be accessed over HTTPS, never plain HTTP [S2]. It protects against protocol downgrade attacks and cookie hijacking by ensuring all communication between client and server is encrypted [S2]. Once a browser has received this header over a valid HTTPS connection, it automatically rewrites every attempt to reach the site over HTTP into an HTTPS request for as long as the header's max-age has not expired.
Security Impact of Missing Headers
Applications that fail to send these headers are at greater risk of client-side compromise. Without a Content Security Policy, unauthorized scripts can execute, which may lead to session hijacking, unauthorized data exfiltration, or defacement [S1]. Likewise, a missing or misconfigured HSTS header leaves users exposed to man-in-the-middle (MITM) attacks, particularly on the first connection, where an attacker can intercept traffic and redirect the user to a plaintext version of the site [S2].
How FixVibe tests for this
FixVibe already includes this as a passive scan check. headers.security-headers inspects public HTTP response metadata for the presence and strength of Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, and Permissions-Policy. It reports missing or weak values without active probing, and its quick fix provides ready-made header examples for common application and CDN setups.
Remediation Guidance
To improve the security posture, the web server must be configured to return these headers on every production route. A strong CSP should be tailored to the application's actual resource requirements, using directives such as script-src and object-src to restrict the contexts in which scripts can execute. For transport security, the Strict-Transport-Security header should be enabled with an appropriate max-age directive so that protection persists across user sessions [S2].
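As an added example of applying this guidance (not FixVibe's quick-fix output or any framework's built-in code), the WSGI middleware below sets a per-response nonce in script-src, locks down object-src and base-uri, and sends HSTS only on responses that actually travel over TLS. The policy values, the one-year max-age, the `app.csp_nonce` environ key, and the demo application are assumptions chosen for a typical first-party app; adjust them to the resources the application really loads.

```python
"""Return a tailored CSP and HSTS on every response (added example, WSGI)."""
import secrets

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; assumed value


def build_csp(nonce):
    """Build a CSP that only runs scripts carrying this response's nonce."""
    return "; ".join([
        "default-src 'self'",
        # 'strict-dynamic' lets nonce-approved scripts load their own dependencies;
        # 'unsafe-inline' is deliberately absent.
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",      # no plugin content
        "base-uri 'none'",        # blocks <base> injection redirecting relative script URLs
        "frame-ancestors 'none'", # clickjacking protection, supersedes X-Frame-Options
    ])


class SecurityHeadersMiddleware:
    """Wraps any WSGI app and appends the security headers to each response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)
        # Expose the nonce so templates can emit <script nonce="..."> tags.
        environ["app.csp_nonce"] = nonce  # assumed key name

        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [
                ("Content-Security-Policy", build_csp(nonce)),
                ("Referrer-Policy", "strict-origin-when-cross-origin"),
                ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
            ]
            # Browsers ignore HSTS received over plain HTTP (RFC 6797), so only
            # send it when the response really goes out over TLS.
            if environ.get("wsgi.url_scheme") == "https":
                extra.append(("Strict-Transport-Security", HSTS_VALUE))
            # Do not override headers the application set itself.
            headers = headers + [(n, v) for n, v in extra if n.lower() not in present]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Minimal application rendering one inline script that carries the nonce."""
    nonce = environ["app.csp_nonce"]
    body = f'<script nonce="{nonce}">console.log("allowed");</script>'.encode()
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def render(app, scheme="https"):
    """Run one constructed request through `app`; return (headers dict, body bytes)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    headers, body = render(SecurityHeadersMiddleware(demo_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

Because the nonce changes on every response, an attacker who injects markup cannot predict the value needed to get a script executed, which is what makes a nonce-based script-src stronger than an allowlist of origins.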
