FixVibe
Covered by FixVibe (medium)

Security Header Misconfiguration

Web applications often fail to set essential security headers, leaving users exposed to cross-site scripting (XSS), clickjacking, and data injection. By following web security guidelines and using auditing tools such as MDN Observatory, developers can substantially harden their applications against common browser-based attacks.

CWE-693

Impact

Missing security headers allow attackers to perform clickjacking, steal session cookies, or execute cross-site scripting (XSS) [S1]. Without these directives, browsers cannot enforce security boundaries, which can lead to data leakage and unauthorized actions on behalf of the user [S2].

Root Cause

The issue stems from a failure to configure the web server or application framework to include the standard HTTP security headers. While development often prioritizes HTML and CSS [S1], security settings are frequently left out. Auditing tools such as MDN Observatory are designed to detect these missing protections and to validate the interaction between the browser and the server [S2].

Detailed Description

Security headers give the browser specific security instructions that mitigate common vulnerabilities:

  • Content-Security-Policy (CSP): Controls which resources may be loaded, blocking execution of unauthorized scripts and data injection [S1].
  • Strict-Transport-Security (HSTS): Ensures the browser communicates only over secure HTTPS connections [S2].
  • X-Frame-Options: Prevents the application from being rendered inside an iframe, which is the primary defense against clickjacking [S1].
  • X-Content-Type-Options: Stops the browser from interpreting a file as a MIME type other than the one declared, preventing MIME-sniffing attacks [S2].

How FixVibe tests for it

FixVibe can detect this by analyzing the web application's HTTP response headers. By comparing the observed headers against the MDN Observatory guidelines [S2], FixVibe can flag missing or misconfigured headers such as CSP, HSTS, and the other headers listed above.
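The check described here, as an added example that is not FixVibe's own code: a Python audit that parses a raw HTTP response and reports each of the four headers from the Detailed Description section when it is missing or weak. The two sample responses are constructed, and the 180-day minimum HSTS max-age and the "bare wildcard source" CSP rule are thresholds assumed for this example, not FixVibe's or MDN Observatory's own rules.

```python
from typing import Dict, Optional

# Assumed threshold for this example: an HSTS max-age shorter than 180 days is reported as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response into a dict keyed by lower-cased header name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, if present."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')  # RFC 6797 allows a quoted max-age value
        if name.strip().lower() == "max-age" and num.isdigit():
            return int(num)
    return None


def csp_has_wildcard_source(policy: str) -> bool:
    """True if any directive lists a bare '*' source (treated as weak in this example)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if len(tokens) > 1 and "*" in tokens[1:]:
            return True
    return False


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each missing or weak security header to a short finding."""
    findings: Dict[str, str] = {}

    csp = headers.get("content-security-policy")
    if csp is None:
        findings["content-security-policy"] = "missing"
    elif csp_has_wildcard_source(csp):
        findings["content-security-policy"] = "wildcard source allows any origin"

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["strict-transport-security"] = "missing"
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings["strict-transport-security"] = f"max-age {age} below {MIN_HSTS_MAX_AGE}"

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings["x-frame-options"] = "missing"
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = f"unrecognised value {xfo!r}"

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings["x-content-type-options"] = "missing or not 'nosniff'"

    return findings


def audit_raw_response(raw: bytes) -> Dict[str, str]:
    """Convenience wrapper: parse then audit a raw response."""
    return audit_headers(parse_response_headers(raw))


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=3600\r\n"
    b"X-Frame-Options: ALLOW-FROM https://partner.example\r\n"  # deprecated form, ignored by modern browsers
    b"\r\n"
    b"<html><body>demo</body></html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html><body>demo</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw_response(raw) or "no findings")
```

The parser takes the same bytes that `curl -i` prints, so the audit can be run offline against a saved response; the weak sample yields four findings and the hardened sample none.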

Remediation

Update the web server (for example, Nginx or Apache) or the application middleware to include the following headers in all responses as part of a standard security baseline [S1]:

  • Content-Security-Policy: Restrict resource origins to trusted domains.
  • Strict-Transport-Security: Enforce HTTPS with a long max-age.
  • X-Content-Type-Options: Set to nosniff [S2].
  • X-Frame-Options: Set to DENY or SAMEORIGIN to prevent clickjacking [S1].
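One way to apply this remediation at the application-middleware layer, as an added example (not FixVibe's code and not a server configuration): a WSGI middleware in Python that appends the four headers to every response unless the application already set that header itself. The header values are an assumed baseline for illustration; the CSP in particular has to be tuned to the application's real resource origins.

```python
from typing import Dict, List, Tuple

# Assumed baseline values for this example; the CSP must match the app's real resource origins.
SECURITY_HEADERS: List[Tuple[str, str]] = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]


class SecurityHeadersMiddleware:
    """WSGI middleware that adds the baseline headers to every response.

    A header the application already set is left untouched, so a route that
    needs its own (tighter) policy can still emit one.
    """

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def start_with_headers(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            merged = list(response_headers)
            for name, value in self.headers:
                if name.lower() not in present:
                    merged.append((name, value))
            return start_response(status, merged, exc_info)

        return self.app(environ, start_with_headers)


def demo_app(environ, start_response):
    """Minimal application that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>demo</body></html>"]


def strict_csp_app(environ, start_response):
    """Application that sets its own CSP, which the middleware must not overwrite."""
    start_response("200 OK", [("Content-Security-Policy", "default-src 'none'")])
    return [b""]


def run_request(app, path: str = "/") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = response_headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    _, headers, _ = run_request(SecurityHeadersMiddleware(demo_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Wrapping the application object once (`app = SecurityHeadersMiddleware(app)`) covers every route, including error responses the framework generates, which is the "all responses" requirement above; the same four values can instead be set in the Nginx or Apache configuration when the server terminates TLS.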