Impact
Missing security headers can be exploited for clickjacking, cross-site scripting (XSS), or gathering information about the server environment [S2]. When headers such as Content-Security-Policy (CSP) or X-Frame-Options are not applied consistently across routes, an attacker can target a specific unprotected route to bypass site-wide security controls.
Root cause
Next.js lets developers configure response headers in next.config.js via the headers property [S2]. This configuration uses path matching that supports wildcards and regular expressions [S2]. Security issues usually stem from:
- **Incomplete path coverage**: Wildcard patterns (e.g., /path*) may not cover every expected subroute, leaving unmatched pages without security headers [S2].
- **Information disclosure**: By default, Next.js may include the X-Powered-By header, which reveals the framework in use unless it is explicitly disabled through the poweredByHeader setting.
- **CORS misconfiguration**: A permissive Access-Control-Allow-Origin header defined in the headers configuration may allow unauthorized cross-origin access to sensitive data.
Concrete fixes
- **Review patterns**: Ensure every source pattern in next.config.js uses an appropriate wildcard (e.g., /:path*) so that headers are applied globally wherever required.
- **Disable fingerprinting**: Set poweredByHeader: false in next.config.js to stop the X-Powered-By header from being sent [S2].
- **Restrict CORS**: Set Access-Control-Allow-Origin to specific trusted domains rather than a wildcard in the headers configuration [S2].
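The following is an added example, not code from the original page or from FixVibe, that puts the three fixes side by side with the weak configuration they replace and audits both against a constructed list of routes. The `headers` entries follow the real next.config.js shape, but the pattern matcher is a deliberately small subset of the Next.js `source` syntax (literal segments, `:name`, `:name*`); the route list, domain names and the `auditRoutes` helper are assumptions made for this example.

```javascript
// Added example (not from the page or FixVibe): audit a Next.js headers()
// configuration for incomplete coverage, X-Powered-By disclosure and
// wildcard CORS. Assumption: `headers()` is written as a plain function
// here so the audit runs synchronously; Next.js also accepts an async one.

// Weak configuration (constructed): headers only under /admin, the
// fingerprinting header left enabled, and a wildcard CORS origin.
const weakConfig = {
  headers() {
    return [
      {
        source: '/admin/:path*',
        headers: [
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'Content-Security-Policy', value: "default-src 'self'" },
          { key: 'Access-Control-Allow-Origin', value: '*' },
        ],
      },
    ];
  },
};

// Hardened configuration (constructed): a global /:path* source,
// poweredByHeader disabled, and CORS pinned to one trusted origin
// (https://app.example.com is a placeholder domain).
const hardenedConfig = {
  poweredByHeader: false,
  headers() {
    return [
      {
        source: '/:path*',
        headers: [
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'" },
        ],
      },
      {
        source: '/api/:path*',
        headers: [{ key: 'Access-Control-Allow-Origin', value: 'https://app.example.com' }],
      },
    ];
  },
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a simplified `source` pattern to a RegExp. Supported subset (an
// assumption of this example, not the full path-to-regexp grammar):
// literal segments, `:name` (exactly one segment), `:name*` (zero or more).
function compileSource(source) {
  const body = source
    .split('/')
    .filter(Boolean)
    .map((seg) => {
      const m = /^:(\w+)(\*)?$/.exec(seg);
      if (!m) return '/' + escapeRegExp(seg);
      return m[2] ? '(?:/[^/]+)*' : '/[^/]+';
    })
    .join('');
  return new RegExp('^' + body + '/?$');
}

// Model the headers Next.js would emit for one route: every matching entry
// applies, a later entry wins for a duplicate key, and X-Powered-By: Next.js
// is added unless poweredByHeader is false.
function effectiveHeaders(config, route) {
  const out = {};
  if (config.poweredByHeader !== false) out['x-powered-by'] = 'Next.js';
  for (const entry of config.headers()) {
    if (!compileSource(entry.source).test(route)) continue;
    for (const h of entry.headers) out[h.key.toLowerCase()] = h.value;
  }
  return out;
}

// Report, per route, any required header that is absent, any X-Powered-By
// disclosure, and any wildcard Access-Control-Allow-Origin.
function auditRoutes(config, routes, required) {
  const findings = [];
  for (const route of routes) {
    const hdrs = effectiveHeaders(config, route);
    for (const name of required) {
      if (!(name.toLowerCase() in hdrs)) findings.push(`${route}: missing ${name}`);
    }
    if ('x-powered-by' in hdrs) findings.push(`${route}: X-Powered-By disclosed`);
    if (hdrs['access-control-allow-origin'] === '*') findings.push(`${route}: wildcard CORS`);
  }
  return findings;
}

// Constructed sample routes and the headers this audit treats as mandatory.
const SAMPLE_ROUTES = ['/', '/login', '/admin/users', '/api/users'];
const REQUIRED = ['Content-Security-Policy', 'X-Frame-Options'];

console.log(auditRoutes(weakConfig, SAMPLE_ROUTES, REQUIRED));     // 11 findings
console.log(auditRoutes(hardenedConfig, SAMPLE_ROUTES, REQUIRED)); // []
```

Running the audit on the weak configuration shows the page's point about coverage directly: the `/admin/:path*` source protects `/admin/users`, but `/`, `/login` and `/api/users` receive no CSP or X-Frame-Options at all, and every route still carries X-Powered-By. The hardened configuration produces no findings because `/:path*` matches the root and every deeper path.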
How FixVibe tests for it
FixVibe can perform active gated testing by fetching the application and comparing the security headers returned for different routes. By inspecting the X-Powered-By header and the consistency of Content-Security-Policy across route depths, FixVibe can detect configuration discrepancies in next.config.js.
