# httpheader ver.2
## Research objective
Compare different ways of hosting a site and setting its security headers
---
## Method
Last time the site was hosted with Flask to test the effect of setting the headers; this time it is hosted with Apache and PHP
---
## demo
---
## Implementing the check module
Capture the packets from the hosted site and determine whether the protective headers are set
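The check described above, written out as an added example (not the module from the original project): it takes the raw bytes of an HTTP/1.x response, as pulled out of a packet capture, splits the header block, and reports which of the headers discussed on this page (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy for XSS, and the HttpOnly/Secure cookie flags from CWE-1004) are missing or weak. The two sample responses and the six-month HSTS threshold are constructed assumptions, not captures from the author's server.

```python
"""Security-header checker for a raw HTTP response (added example).

Constructed input: the two responses below were written for this example,
they are not captured from the original project's Apache/PHP server.
"""
import re
from typing import Dict, List

# Constructed sample: an Apache/PHP response with no protective headers.
RAW_WEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample: the same response after the headers are added.
RAW_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Assumed policy: HSTS max-age below six months is reported as weak.
MIN_HSTS_MAX_AGE = 15768000


def parse_response_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split the header block of a raw HTTP/1.x response into a dict.

    Header names are case-insensitive, so they are lowercased; a header such
    as Set-Cookie may appear more than once, so each name maps to a list.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the scan
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per missing or weak header; empty list means clean."""
    findings: List[str] = []

    # X-Frame-Options (clickjacking): only DENY and SAMEORIGIN are honoured
    # by current browsers; ALLOW-FROM is obsolete and effectively ignored.
    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options missing (clickjacking)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo[0]!r}")

    # X-Content-Type-Options (MIME sniffing): the only valid value is nosniff.
    xcto = headers.get("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Strict-Transport-Security: must be present and carry a usable max-age.
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} is short")

    # Content-Security-Policy (XSS): presence only; policy quality is out of scope.
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing (XSS)")

    # Set-Cookie flags: HttpOnly (CWE-1004) keeps the cookie away from scripts,
    # Secure keeps it off plaintext connections.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (CWE-1004)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", RAW_WEAK), ("hardened", RAW_HARDENED)):
        print(label, check_security_headers(parse_response_headers(raw)) or ["OK"])
```

To run it against a real capture, feed `parse_response_headers` the reassembled bytes of one response (for example a TCP stream exported from Wireshark); the parser stops at the first blank line, so the body can be left attached.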
---
## demo
---
## Next steps
Host the site with nginx and cover additional HTTP headers
---
## Future work
Consult CWE and existing tools written by others, then develop our own checker and compare its results against theirs
https://cwe.mitre.org/data/definitions/1004.html (CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag)
https://github.com/gildasio/h2t
---
## References
#### HTTP header security settings
https://yu-jack.github.io/2017/10/20/secure-header/#x-content-type-options
#### XSS (cross-site scripting)
https://hitcon.org/2017/CMT/slide-files/d2_s3_r4.pdf
---
## Tool references
#### GitHub
https://github.com/gildasio/h2t (includes source code)
https://github.com/koenbuyens/securityheaders
https://github.com/search?o=desc&p=2&q=http+security+header&s=stars&type=Repositories
#### Web-based
https://securityheaders.com/?q=https%3A%2F%2Fmedium.com%2F%40charming_rust_oyster_221%2Fflask-%25E9%2585%258D%25E7%25BD%25AE-https-%25E7%25B6%25B2%25E7%25AB%2599-ssl-%25E5%25AE%2589%25E5%2585%25A8%25E8%25AA%258D%25E8%25AD%2589-36dfeb609fa8&followRedirects=on
---
## apache
https://www.youtube.com/watch?v=BH_2h2ZPVu8
https://kknews.cc/zh-tw/tech/am2rznj.html
https://ssorc.tw/5095/apache-%E5%AE%89%E5%85%A8%E6%80%A7%E8%A8%AD%E5%AE%9A/
#### PHP
https://www.youtube.com/watch?v=Bib4ozrF57M
https://ithelp.ithome.com.tw/articles/10184593
---
## X-Frame-Options
#### Same-origin policy
https://medium.com/@jaydenlin/same-origin-policy-%E5%90%8C%E6%BA%90%E6%94%BF%E7%AD%96-%E4%B8%80%E5%88%87%E5%AE%89%E5%85%A8%E7%9A%84%E5%9F%BA%E7%A4%8E-36432565a226
#### Clickjacking
https://blog.miniasp.com/post/2008/10/11/The-latest-cross-browser-exploit-Clickjacking
https://blog.darkthread.net/blog/iframe-clickjacking/
---
#### XSS
https://blog.csdn.net/qq_27552077/article/details/61671671
#### Strict-Transport-Security
https://www.itread01.com/content/1545864130.html
https://www.defcode01.com/cs105367086/
---
#### X-Content-Type-Options
https://blog.camel2243.com/2016/11/23/security-https-header-x-content-type-options%EF%BC%8C%E9%81%BF%E5%85%8D%E7%80%8F%E8%A6%BD%E5%99%A8%E5%9F%B7%E8%A1%8C%E4%B8%8D%E7%AC%A6-content-type-%E7%9A%84%E6%93%8D%E4%BD%9C/
#### Content-Type
https://www.runoob.com/http/http-content-type.html
https://www.youtube.com/watch?v=dPYtu0pJEqA