Covered by FixVibe (medium)

HTTP Security Headers: Implementing CSP and HSTS for Browser Protection

This write-up examines the critical role of HTTP security headers, particularly Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS), in protecting web applications from common vulnerabilities such as Cross-Site Scripting (XSS) and protocol downgrade attacks.

CWE-1021, CWE-79, CWE-319

The Role of Security Headers

HTTP security headers give web applications a standardized way to instruct browsers to enforce specific security policies for the duration of a session [S1] [S2]. They act as a critical defense-in-depth layer, mitigating risks that the application code alone may not handle completely.

Content Security Policy (CSP)

Content Security Policy (CSP) is a defensive layer that helps detect and mitigate certain classes of attack, including Cross-Site Scripting (XSS) and data injection [S1]. By declaring a policy that specifies which dynamic resources may be loaded, CSP stops the browser from executing scripts injected by an attacker [S1]. This effectively limits the execution of unauthorized code even when the application itself contains an injection flaw.

I-HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a mechanism that lets a website tell browsers that it must only be accessed over HTTPS, never plain HTTP [S2]. This protects against protocol downgrade attacks and cookie hijacking by ensuring that all communication between client and server is encrypted [S2]. Once a browser has received this header, it automatically rewrites every subsequent HTTP attempt to reach the site into an HTTPS request.

Security Implications of Missing Headers

Applications that fail to set these headers face a substantially higher risk of client-side compromise. Without a Content Security Policy, unauthorized scripts can execute, which may lead to session theft, unauthorized data exfiltration, or defacement [S1]. Likewise, a missing HSTS header leaves users exposed to man-in-the-middle (MITM) attacks, especially during the initial connection, when an attacker positioned on the network can intercept traffic and redirect the user to a malicious or unencrypted version of the site [S2].

How FixVibe checks for this

FixVibe already covers this as a passive scan check. headers.security-headers inspects the public HTTP response metadata for the presence and strength of Content-Security-Policy, Strict-Transport-Security, X-Frame-Options or frame-ancestors, Referrer-Policy, and Permissions-Policy. It reports missing or weak values without any exploitation, and its remediation guidance provides deployment-ready header examples for common application servers and CDNs.

Remediation Guidance

To improve security posture, web servers should be configured to return these headers on every production route. A strict CSP should be tailored to the application's actual resource needs, using directives such as script-src and object-src to restrict where scripts and plugin content may be loaded from [S1]. For transport security, the Strict-Transport-Security header should be enabled with an appropriate max-age so that protection persists across all user sessions [S2].
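The passive check described above and the remediation advice here can be illustrated together with a small header audit. The following is an added example, not FixVibe's own headers.security-headers implementation: it parses a response's Content-Security-Policy and Strict-Transport-Security values, flags the weaknesses the page discusses (missing header, unsafe-inline without a nonce or hash, wildcard script sources, unrestricted object-src, a short or zero max-age, no includeSubDomains), and checks the framing, Referrer-Policy and Permissions-Policy headers for presence. The two header sets, the nonce value and the one-year max-age threshold are constructed assumptions for illustration.

```python
# Added example (not FixVibe's code): passive audit of HTTP security headers.
# Sample header sets and the one-year HSTS threshold are constructed assumptions.
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; a common minimum for a production HSTS max-age
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split a Strict-Transport-Security value into {directive: value-or-None}."""
    directives: dict[str, str | None] = {}
    for chunk in value.split(";"):
        chunk = chunk.strip()
        if chunk:
            name, sep, val = chunk.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_csp(value: str | None) -> list[str]:
    """Flag CSP weaknesses that leave script or plugin loading under-restricted."""
    if value is None:
        return ["CSP: header missing"]
    policy = parse_csp(value)
    findings: list[str] = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("CSP: neither script-src nor default-src set; scripts unrestricted")
    else:
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only reported when it is actually effective.
        if "'unsafe-inline'" in scripts and not any(s.startswith(HASH_OR_NONCE) for s in scripts):
            findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in scripts:
            findings.append("CSP: script-src allows scripts from any origin (*)")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("CSP: object-src not restricted; plugin content can load from anywhere")
    return findings


def check_hsts(value: str | None, min_age: int = ONE_YEAR) -> list[str]:
    """Flag a missing, malformed, short-lived or subdomain-less HSTS policy."""
    if value is None:
        return ["HSTS: header missing"]
    directives = parse_hsts(value)
    findings: list[str] = []
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        findings.append("HSTS: max-age missing or malformed; browsers ignore the header")
    elif int(raw) == 0:
        findings.append("HSTS: max-age=0 clears the policy instead of enforcing it")
    elif int(raw) < min_age:
        findings.append(f"HSTS: max-age {raw} is below the {min_age}s minimum")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains absent; subdomains remain downgradable")
    return findings


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return every finding for one response (header names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_csp(h.get("content-security-policy"))
    findings += check_hsts(h.get("strict-transport-security"))
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("Framing: neither frame-ancestors nor X-Frame-Options set")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name}: header missing")
    return findings


# Constructed sample responses: a weak configuration and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run stand-alone, the weak set yields seven findings (two for script-src, two for HSTS, one for framing, two for the missing policy headers) and the hardened set yields none. The checker only reads header values, so it can be pointed at a captured response without sending any traffic, which is the same passive stance the FixVibe check takes. Note that HSTS is only honored by browsers when received over HTTPS, so the hardened headers still need to be served on the TLS endpoint to take effect.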