FixVibe
Covered by FixVibe (medium)

HTTP security headers: Implementing CSP and HSTS for browser security

This analysis examines the critical role of HTTP security headers, specifically Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS), in protecting web applications from common vulnerabilities such as Cross-Site Scripting (XSS) and protocol downgrade attacks.

CWE-1021, CWE-79, CWE-319

The role of security headers

HTTP security headers give web applications a standardized mechanism for instructing browsers to enforce defined security policies during a session [S1] [S2]. These headers act as a critical defense-in-depth layer, mitigating risks that application logic alone may not fully address.

Content Security Policy (CSP)

Content Security Policy (CSP) is a security control that helps detect and mitigate certain classes of attack, including Cross-Site Scripting (XSS) and data injection attacks [S1]. By defining a policy that specifies which sources are trusted to load resources, CSP prevents the browser from executing malicious scripts injected by an attacker [S1]. This restricts unauthorized code execution even when an injection vulnerability exists in the application.

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a mechanism that lets a website tell browsers it must only be accessed over HTTPS, never plain HTTP [S2]. This protects against protocol downgrade attacks and cookie hijacking by ensuring that all communication between client and server is encrypted [S2]. Once a browser has received this header, it automatically rewrites every attempt to reach the site over HTTP into an HTTPS request.

Security impact of missing headers

Applications that do not implement these headers are at significantly higher risk of client-side compromise. The absence of a Content Security Policy allows execution of untrusted scripts, which can lead to session hijacking, unauthorized data exfiltration, or defacement [S1]. Similarly, the absence of an HSTS header leaves users exposed to man-in-the-middle (MITM) attacks, particularly during the initial connection, where an attacker can intercept traffic and redirect the user to a malicious or unencrypted version of the site [S2].

How FixVibe tests for this

FixVibe already includes this as a passive analysis check. headers.security-headers examines public HTTP response metadata for the presence and strength of Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, and Permissions-Policy. It reports missing or weak values without intrusive testing, and the accompanying fix provides example header configurations for common applications and CDN setups.
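The kind of passive header check described above, as an added example that is not FixVibe's own code: it parses constructed response headers and reports missing or weak values for CSP and HSTS, and missing X-Frame-Options, Referrer-Policy and Permissions-Policy. The one-year max-age threshold, the finding wording and the sample headers are assumptions.

```python
"""Passive audit of HTTP response security headers (added example, not FixVibe code)."""
from typing import Dict, List

# Assumption: an HSTS max-age below one year (in seconds) is reported as weak.
HSTS_MIN_MAX_AGE = 31536000
# Headers this example only checks for presence.
PRESENCE_ONLY = ("X-Frame-Options", "Referrer-Policy", "Permissions-Policy")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value: str) -> List[str]:
    """Report script-src / object-src weaknesses; an empty list means none found."""
    findings: List[str] = []
    policy = parse_csp(value)
    # script-src falls back to default-src when absent, as browsers do.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("CSP: no script-src or default-src directive")
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
            findings.append("CSP: script-src allows 'unsafe-inline' without nonce or hash")
        if "'unsafe-eval'" in script:
            findings.append("CSP: script-src allows 'unsafe-eval'")
        if "*" in script:
            findings.append("CSP: script-src allows any origin (*)")
    obj = policy.get("object-src", policy.get("default-src"))
    if obj is None or "'none'" not in obj:
        findings.append("CSP: object-src is not 'none'")
    return findings


def audit_hsts(value: str) -> List[str]:
    """Check max-age and includeSubDomains on a Strict-Transport-Security value."""
    findings: List[str] = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    bad_max_age = False
    for directive in directives:
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                bad_max_age = True
    if bad_max_age:
        findings.append("HSTS: max-age is not an integer")
    elif max_age is None:
        findings.append("HSTS: max-age directive missing")
    elif max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} is below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Audit one response's headers (names matched case-insensitively)."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    csp = lower.get("content-security-policy")
    findings += ["Content-Security-Policy header missing"] if csp is None else audit_csp(csp)
    hsts = lower.get("strict-transport-security")
    findings += ["Strict-Transport-Security header missing"] if hsts is None else audit_hsts(hsts)
    findings += [f"{name} header missing" for name in PRESENCE_ONLY if name.lower() not in lower]
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
    "Strict-Transport-Security": "max-age=300",
}
STRONG_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-d4f9a1'; "
                               "object-src 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

The script-src fallback to default-src mirrors how browsers resolve fetch directives, so a policy that sets only `default-src *` is still reported as allowing any origin for scripts.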

Remediation guidance

To improve security posture, the web server should be configured to return these headers on all production routes. A strict CSP should be defined from the resources the application actually needs, using directives such as script-src and object-src to tightly control script execution. For transport security, the Strict-Transport-Security header should be enabled with an appropriate max-age directive so that protection persists across user sessions [S2].
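Applying this guidance in application code, as an added example that is not from FixVibe or any framework: a WSGI middleware that attaches a per-request nonce-based CSP, an HSTS header with a one-year max-age, and the other headers named above to every response. The directive values, the `csp.nonce` environ key and the demo application are assumptions; HSTS is only emitted on HTTPS responses because browsers disregard it on plain HTTP.

```python
"""WSGI middleware that adds CSP, HSTS and related headers (added example)."""
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]
ONE_YEAR = 31536000  # assumed HSTS max-age, in seconds

# Headers with fixed values (assumed defaults for this example).
STATIC_HEADERS: Headers = [
    ("Strict-Transport-Security", f"max-age={ONE_YEAR}; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
]


def build_csp(nonce: str) -> str:
    """Strict CSP: scripts only from self or tagged with this request's nonce."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


class SecurityHeadersMiddleware:
    """Wraps a WSGI app and appends security headers the app did not set itself."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        nonce = secrets.token_urlsafe(16)
        # Assumed contract: the wrapped app reads this key for its <script nonce=...>.
        environ["csp.nonce"] = nonce
        is_https = environ.get("wsgi.url_scheme") == "https"

        def wrapped_start(status: str, headers: Headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra: Headers = [("Content-Security-Policy", build_csp(nonce))]
            for name, value in STATIC_HEADERS:
                if name == "Strict-Transport-Security" and not is_https:
                    continue  # HSTS is ignored by browsers over plain HTTP
                extra.append((name, value))
            merged = headers + [h for h in extra if h[0].lower() not in present]
            return start_response(status, merged, exc_info)

        return self.app(environ, wrapped_start)


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Minimal page whose inline script carries the nonce the CSP allows."""
    nonce = environ["csp.nonce"]
    body = f'<script nonce="{nonce}">console.log("allowed")</script>'.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_request(app: Callable, scheme: str = "https") -> Tuple[str, Dict[str, str], bytes]:
    """Drive one constructed request through app; returns (status, headers, body)."""
    captured: Dict = {}

    def start_response(status: str, headers: Headers, exc_info=None) -> None:
        captured["status"] = status
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = run_request(SecurityHeadersMiddleware(demo_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

Generating the nonce per request and handing it to the application through the environ is what lets the policy omit 'unsafe-inline' entirely: only the script tag that carries the matching nonce executes.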