Impact
Missing security headers leave the application open to clickjacking, session-cookie theft, or cross-site scripting (XSS) [S1]. Without these directives the browser cannot enforce security boundaries on the application's behalf, which can lead to data exfiltration and to actions performed in the user's session without authorization [S2].
Cause
This issue stems from a failure to configure the web server or application framework to emit the standard HTTP security headers. Development effort usually goes into producing functional HTML and CSS [S1], while security configuration is frequently overlooked. Analysis tools such as MDN Observatory are designed to detect these missing security headers and to confirm that browser-to-server communication is protected [S2].
Technical description
Security headers give the browser explicit, well-defined instructions that mitigate common weaknesses:
- Content-Security-Policy (CSP): Controls which resources the page may load, preventing execution of unauthorized scripts and injection of untrusted content [S1].
- Strict-Transport-Security (HSTS): Ensures the browser communicates with the site only over secure HTTPS connections [S2].
- X-Frame-Options: Prevents the application from being embedded in an iframe, which is the primary defence against clickjacking [S1].
- X-Content-Type-Options: Prevents the browser from interpreting a file as a MIME type other than the one declared in Content-Type, stopping MIME-sniffing attacks [S2].
How FixVibe tests for it
FixVibe can detect this by inspecting the HTTP response headers of the web application. By comparing the results against the MDN Observatory baseline [S2], FixVibe can flag headers such as CSP, HSTS and the other headers described above as missing or misconfigured.
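The check described in the test section above, together with the per-header behaviour from the technical description, as an added example in Python. This is not FixVibe's code and not the MDN Observatory scoring logic: it parses a raw HTTP/1.1 response, reports each of the four headers as missing or misconfigured, and uses its own assumed rules (the HSTS max-age threshold, the CSP source check and the accepted X-Frame-Options values are this example's choices). The two sample responses are constructed for the demo, not captured from any real site.

```python
import re
from typing import Callable, Dict, List, Optional

# Assumed threshold for an acceptable HSTS max-age (180 days). This is this
# example's choice, not the exact MDN Observatory or FixVibe rule.
HSTS_MIN_MAX_AGE = 15552000


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response; names are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_csp(value: str) -> Optional[str]:
    """A CSP whose script sources allow 'unsafe-inline' or '*' gives little XSS protection."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src governs scripts; default-src applies when script-src is absent.
    script_sources = directives.get("script-src", directives.get("default-src"))
    if script_sources is None:
        return "no script-src or default-src directive"
    if "'unsafe-inline'" in script_sources or "*" in script_sources:
        return "script sources allow 'unsafe-inline' or a wildcard"
    return None


def check_hsts(value: str) -> Optional[str]:
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return "no max-age directive"
    max_age = int(match.group(1))
    if max_age < HSTS_MIN_MAX_AGE:
        return f"max-age {max_age} is below {HSTS_MIN_MAX_AGE}"
    return None


def check_x_content_type_options(value: str) -> Optional[str]:
    return None if value.strip().lower() == "nosniff" else "expected nosniff"


def check_x_frame_options(value: str) -> Optional[str]:
    # Only the two values that reliably block framing are accepted here.
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return None
    return "expected DENY or SAMEORIGIN"


# Header name -> validator returning None when acceptable, else a short problem description.
CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "content-security-policy": check_csp,
    "strict-transport-security": check_hsts,
    "x-content-type-options": check_x_content_type_options,
    "x-frame-options": check_x_frame_options,
}


def audit(raw_response: str) -> List[str]:
    """Return one finding per missing or misconfigured security header."""
    headers = parse_response_headers(raw_response)
    findings: List[str] = []
    for name, validator in CHECKS.items():
        if name not in headers:
            findings.append(f"missing: {name}")
            continue
        problem = validator(headers[name])
        if problem:
            findings.append(f"misconfigured: {name} ({problem})")
    return findings


# Constructed sample responses for the demo (not captured from a real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(response) or 'no findings'}")
```

Run against the weak response the audit reports CSP and X-Content-Type-Options as missing and HSTS and X-Frame-Options as misconfigured; the hardened response produces no findings. A header that is present but unusable (a CSP with a wildcard script source, a token HSTS max-age) is deliberately reported as misconfigured rather than passed, because presence alone is what a naive "is the header there" check would reward.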
Fix
Update the web server (e.g., Nginx, Apache) or the application middleware so that these headers are included in every response as part of the standard configuration [S1]:
- Content-Security-Policy: restrict resource origins to trusted domains.
- Strict-Transport-Security: use a long max-age to enforce HTTPS.
- X-Content-Type-Options: set to nosniff [S2].
- X-Frame-Options: set to DENY or SAMEORIGIN to prevent clickjacking [S1].
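One way to apply the fix at the middleware layer, as an added example in Python that is not FixVibe's code and not a configuration taken from the page: a WSGI middleware that adds the four headers to every response on which the application has not already set them. The header values, the hypothetical demo_app and the run_request helper are this example's own choices; in particular the CSP must be tuned to the origins the real application loads from.

```python
from typing import Callable, Dict, Iterable, List, Tuple
from wsgiref.util import setup_testing_defaults

# Default header values for this example. The CSP here allows only same-origin
# resources and forbids framing; adjust it to the origins your pages really use.
SECURITY_HEADERS: List[Tuple[str, str]] = [
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]


class SecurityHeadersMiddleware:
    """Wrap a WSGI app so every response carries the baseline security headers."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        def start_response_with_headers(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            # Add only the headers the route did not set itself, so a page that needs
            # a different CSP can override the default without duplicate headers.
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)

        return self.app(environ, start_response_with_headers)


def demo_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Hypothetical application for the demo; it sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app: Callable, path: str = "/") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process (no network) and return (status, headers, body)."""
    environ: Dict = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured: Dict = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, before, _ = run_request(demo_app)
    _, after, _ = run_request(SecurityHeadersMiddleware(demo_app))
    print("before:", sorted(before))
    print("after:", sorted(after))
```

Wrapping the application object (for example `application = SecurityHeadersMiddleware(application)` in the WSGI entry point) covers every route, including error pages, which is the same "all responses" property the server-level configuration above is meant to give. HSTS is only honoured by browsers when the response arrives over HTTPS, so the header is harmless but ineffective on a plain-HTTP test deployment.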
