网站安全响应头缺失和php配置漏洞_未设置x-download-options响应头

PHP 设置方法

header("X-Frame-Options:SAMEORIGIN;");  // X-Frame-Options 响应头缺失
header("Referrer-Policy:origin;");//Referer-Policy 响应头缺失
header("Content-Security-Policy:frame-ancestors 'self';");//Content-Security-Policy 响应头缺失
header("X-Permitted-Cross-Domain-Policies:'master-only';");//X-Permitted-Cross-Domain-Policies 响应头缺失
header("X-XSS-Protection:1; mode=block;");//X-XSS-Protection 响应头缺失
header("X-Download-Options: SAMEORIGIN;");//X-Download-Options 响应头缺失
header("X-Content-Type-Options:nosniff;");//X-Content-Type-Options 响应头缺失
header("Strict-Transport-Security:max-age=31536000;");//Strict-Transport-Security 响应头缺失
1
2
3
4
5
6
7
8

Nginx配置方法

    add_header X-Frame-Options SAMEORIGIN;
    add_header Referrer-Policy origin;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Permitted-Cross-Domain-Policies  "master-only";
    add_header X-XSS-Protection "1; mode=block;";
    add_header X-Download-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=31536000;
    add_header Set-Cookie "HttpOnly";
	add_header Set-Cookie "Secure";
1
2
3
4
5
6
7
8
9
10

缺少HTTPOnly和Secure属性解决方案

php.ini 文件开启以下两行，默认大概位于 1390左右

session.cookie_httponly=true
session.cookie_secure =

或者在 php 代码中使用 ini_set 函数设置

@ini_set('session.cookie_httponly',   'On');
@ini_set('session.cookie_secure',      'On');
@ini_set('session.use_only_cookies', 'On');
1
2
3
4
5
6
7
8
9
10