Content Security Policy (CSP)

The primary goal of CSP is to reduce and report XSS attacks.

Refer to the link

Developer.mozilla.org/zh-CN/docs/…

Example

The web page displays an online image, which loads normally before any CSP is set.

<img src="https://t7.baidu.com/it/u=1819248061,230866778&fm=193&f=GIF" />

  • If default-src 'self' is set, the image no longer loads:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

The browser console reports:

Refused to load the image 'https://t7.baidu.com/it/u=1819248061,230866778&fm=193&f=GIF'
because it violates the following Content Security Policy directive: "default-src 'self'".
Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

  • Setting default-src 'self' together with img-src * lets the image load again:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *;">
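The console message above shows the rule that matters most when reading a policy: a fetch directive that is not set falls back to default-src. The following is an added example, not code from the original article, that models how a browser applies a policy to one resource load and reports which directive decided. The document origin https://example.test and the scope of supported source expressions ('self', 'none', *, scheme sources and host sources with an optional leading wildcard and port) are assumptions of this model; keyword sources such as nonces are out of scope.

```javascript
// Model of how a browser applies a Content-Security-Policy to a resource load.
// Added example, not code from the original article. It implements 'self', 'none',
// '*', scheme sources and host sources, plus the default-src fallback that the
// console message in the article refers to.

// Directives that never fall back to default-src (they are not fetch directives).
const NO_FALLBACK = new Set(['base-uri', 'form-action', 'frame-ancestors', 'sandbox', 'report-uri', 'report-to']);

// "default-src 'self'; img-src *;" -> { 'default-src': ["'self'"], 'img-src': ['*'] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[protocol] || '';
}

// Does one source expression allow `url` to be loaded by a document at `documentOrigin`?
function sourceMatches(source, url, documentOrigin) {
  const target = new URL(url);
  const self = new URL(documentOrigin);
  const src = source.toLowerCase();

  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === self.origin;
  // '*' matches any network scheme; data:, blob: and filesystem: still need an explicit scheme source.
  if (src === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol);
  // Scheme source such as "https:" or "data:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src;

  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // keyword sources such as 'unsafe-inline' or nonces are out of scope here
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ':') return false;
  } else {
    // Without a scheme the source inherits the document's scheme; an http page may also load https.
    const ok = target.protocol === self.protocol || (self.protocol === 'http:' && target.protocol === 'https:');
    if (!ok) return false;
  }
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const targetPort = target.port || defaultPort(target.protocol);
    if (targetPort !== port) return false;
  }
  return true;
}

// Decide whether a load governed by `directive` (e.g. 'img-src') is allowed.
// Returns the directive that actually decided, so the default-src fallback is visible.
function checkLoad(policy, directive, url, documentOrigin) {
  const directives = parsePolicy(policy);
  let used = directive.toLowerCase();
  if (!(used in directives)) used = NO_FALLBACK.has(used) ? null : 'default-src';
  if (used === null || !(used in directives)) return { allowed: true, directiveUsed: null }; // nothing governs this load
  const allowed = directives[used].some(s => sourceMatches(s, url, documentOrigin));
  return { allowed, directiveUsed: used };
}

// Constructed sample: the article's image loaded from a page at the assumed origin https://example.test
const PAGE_ORIGIN = 'https://example.test';
const IMAGE_URL = 'https://t7.baidu.com/it/u=1819248061,230866778&fm=193&f=GIF';

console.log(checkLoad("default-src 'self'", 'img-src', IMAGE_URL, PAGE_ORIGIN));
// -> { allowed: false, directiveUsed: 'default-src' }
console.log(checkLoad("default-src 'self'; img-src *;", 'img-src', IMAGE_URL, PAGE_ORIGIN));
// -> { allowed: true, directiveUsed: 'img-src' }
```

The second policy reproduces the article's fix, but note what img-src * means: images may now come from any host. A narrower host source such as img-src https://*.baidu.com allows the same image while keeping the rest of the web out, and the model above accepts that form too.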

HTTP Public Key Pinning (HPKP)

HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a web server, to reduce the risk of MITM attacks that rely on forged certificates.

The web server first tells the client which public keys belong to it through a special HTTP header (Public-Key-Pins). The client stores this information for a given period of time. When the client visits the server again, it expects at least one certificate in the certificate chain to contain a public key whose fingerprint it learned through HPKP. If the server presents an unknown public key instead, the client should warn the user. HPKP has since been deprecated and removed from mainstream browsers.

Man-in-the-middle Attack (MITM)

An attack in which the attacker intercepts normal network traffic, sniffs it and tampers with it, without the knowledge of either communicating party.

HTTP Strict Transport Security (HSTS)

HSTS is a security feature that tells the browser to access the current resource only through HTTPS, never through HTTP.

Why do we use HSTS

Some sites have HTTPS enabled but, for the sake of user experience, also keep accepting HTTP (users rarely type https:// and usually enter only the domain name, which defaults to HTTP). When a user arrives over HTTP, the server returns a 302 redirect to the HTTPS address, and subsequent access continues over HTTPS. This looks like a sound way to communicate, but a closer look reveals a risk: the 302 redirect travels in plaintext and can be hijacked and tampered with, possibly sending the user to a malicious or phishing HTTPS site.

To defend against attacks that tamper with this 302 redirect, it is recommended that the server enable HTTP Strict Transport Security.

What HSTS does

Once the user has safely visited a site that has HSTS enabled (such sites include the Strict-Transport-Security header in the response), an HSTS-enabled browser automatically adds the domain name to its HSTS list. The next time the user accesses the site over HTTP, the browser sends an HTTPS request instead of an HTTP one, performing the redirect to HTTPS itself. This prevents the 302 redirect URL from being tampered with in transit and further improves communication security.

Limitations of HSTS

A user visiting a site for the first time is not protected by HSTS, because the browser has not yet received the HSTS header on first access, so that first request can still go out over plaintext HTTP. There are two solutions to this problem: one is a preset list of HSTS domain names built into the browser (the preload list); the other is to add HSTS information to the site's DNS record.
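The three HSTS paragraphs describe a state machine on the browser side: learn the header on a secure response, remember the host for max-age seconds, and upgrade later http:// URLs before they leave the machine. The following is an added example, not code from the original article, that models that behaviour, including the first-visit gap and the preload list. The host names (example.test, preloaded.test) and the HstsStore class are constructed for the example.

```javascript
// Browser-side model of HTTP Strict Transport Security: how a browser records the
// Strict-Transport-Security header and upgrades later http:// requests.
// Added example, not code from the original article; host names are constructed.

// "max-age=31536000; includeSubDomains" -> { maxAge: 31536000, includeSubDomains: true }
// Returns null when there is no valid max-age, in which case the header is ignored.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const eq = raw.indexOf('=');
    const key = (eq === -1 ? raw : raw.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? undefined : raw.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (key === 'max-age' && value !== undefined && /^\d+$/.test(value)) maxAge = Number(value);
    else if (key === 'includesubdomains') includeSubDomains = true;
    // Other tokens (for example "preload") are not acted on by the browser itself.
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  // `preload` stands in for the list compiled into browsers: the first fix the article mentions.
  constructor(preload = []) {
    this.entries = new Map(); // hostname -> { expires: epoch ms, includeSubDomains }
    for (const host of preload) this.entries.set(host, { expires: Infinity, includeSubDomains: true });
  }

  // Record the header from a response. It only counts when it arrived over HTTPS; on plain
  // HTTP it is ignored, because a plaintext response could have been forged in transit.
  observeResponse(url, headers, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const value = headers['strict-transport-security'];
    if (value === undefined) return false;
    const parsed = parseHsts(value);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) {
      this.entries.delete(u.hostname); // max-age=0 tells the browser to forget the host
      return true;
    }
    this.entries.set(u.hostname, { expires: now + parsed.maxAge * 1000, includeSubDomains: parsed.includeSubDomains });
    return true;
  }

  // Is this host (or a parent domain that set includeSubDomains) on the HSTS list right now?
  isKnown(hostname, now = Date.now()) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; } // expired: drop it
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The rewrite that replaces the server's 302: an http:// URL for a known host becomes
  // https:// before any request is sent, so there is no plaintext hop left to tamper with.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.href;
  }
}

// Constructed walk-through: first visit is not upgraded, later visits are.
const store = new HstsStore(['preloaded.test']);
const t0 = 1700000000000;
console.log(store.upgrade('http://example.test/login', t0));            // -> 'http://example.test/login'
store.observeResponse('https://example.test/', { 'strict-transport-security': 'max-age=31536000; includeSubDomains' }, t0);
console.log(store.upgrade('http://example.test/login', t0 + 1000));     // -> 'https://example.test/login'
console.log(store.upgrade('http://api.example.test/v1', t0 + 1000));    // -> 'https://api.example.test/v1'
console.log(store.upgrade('http://preloaded.test/', t0));               // -> 'https://preloaded.test/'
```

The first console line is the limitation the article describes: nothing is upgraded until the header has been seen once over HTTPS, which is why the preload list entry is honoured from the very first request.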

HTTP Cookies

X-Content-Type-Options

The X-Content-Type-Options HTTP header is a hint that the server uses to tell the client to adhere to the MIME type declared in the Content-Type header rather than modify it. This disables the client's MIME type sniffing behavior (its only defined value is nosniff).

X-Frame-Options

The X-Frame-Options HTTP response header is a flag that tells the browser whether a page is allowed to be displayed in a <frame>, <iframe>, <embed> or <object>. Sites can avoid clickjacking attacks by ensuring that their pages are not embedded in someone else's site.

  • DENY: the page may not be displayed in a frame at all, even when nested in a page of the same domain name.
  • SAMEORIGIN: the page may be displayed in frames within the same domain name.
  • ALLOW-FROM uri: the page may be displayed in a frame of the specified origin.

// Demonstration from the browser console: create a full-screen frame and point it at baidu.com.
var ele = document.createElement('frame')
ele.setAttribute('style', 'width:100vw; height:100vh; background:red; z-index:1000;')
document.body.append(ele)
ele.setAttribute('src', 'https://www.baidu.com')

// The browser refuses to render the framed page and logs:
chrome-error://chromewebdata/:1
Refused to display 'https://www.baidu.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
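The console error above is the browser applying the rules listed for the header. The following is an added example, not code from the original article, that models that decision for the three values, including the two edge cases a practitioner runs into: a header sent twice with conflicting values, and the obsolete ALLOW-FROM (implemented only by Firefox, removed in Firefox 70, never supported by Chrome or Safari; the CSP frame-ancestors directive replaces it). The frameDecision function, its reason strings and the origins example.test and partner.test are constructed for the example.

```javascript
// Model of how a browser evaluates X-Frame-Options when a response is about to be
// rendered inside a frame. Added example, not code from the original article.
// `frameOrigin` is the origin of the framed document (the one that sent the header);
// `ancestorOrigins` lists the embedding pages' origins from the direct parent up to the top-level page.
function frameDecision(headerValue, frameOrigin, ancestorOrigins) {
  if (headerValue === undefined || headerValue === null) {
    return { render: true, reason: 'no X-Frame-Options header; framing is unrestricted' };
  }
  // A header emitted twice ("DENY, SAMEORIGIN") arrives as a comma-joined list; browsers
  // treat conflicting values as an error and refuse to render.
  const values = headerValue.split(',').map(v => v.trim()).filter(Boolean);
  if (values.length !== 1) {
    return { render: false, reason: 'conflicting X-Frame-Options values: ' + headerValue };
  }
  const [token, ...args] = values[0].split(/\s+/);
  switch (token.toUpperCase()) {
    case 'DENY':
      return { render: false, reason: 'DENY forbids framing by any page, including same-origin ones' };
    case 'SAMEORIGIN': {
      // Per the HTML standard every ancestor must share the framed document's origin.
      const foreign = ancestorOrigins.find(o => o !== frameOrigin);
      return foreign
        ? { render: false, reason: `SAMEORIGIN: ancestor ${foreign} is not ${frameOrigin}` }
        : { render: true, reason: 'SAMEORIGIN: all ancestors share the origin' };
    }
    case 'ALLOW-FROM': {
      // Obsolete value, modelled as Firefox did it: compare the top-level page's origin.
      const allowed = args[0] ? new URL(args[0]).origin : null;
      const top = ancestorOrigins[ancestorOrigins.length - 1];
      return allowed !== null && top === allowed
        ? { render: true, reason: `ALLOW-FROM: top-level origin ${top} is allowed` }
        : { render: false, reason: `ALLOW-FROM: top-level origin ${top} is not ${allowed}` };
    }
    default:
      // Unrecognised values are ignored: the page renders as if the header were absent.
      return { render: true, reason: `unrecognised X-Frame-Options value "${token}" ignored` };
  }
}

// Constructed sample reproducing the console error above: baidu.com framed from another origin.
console.log(frameDecision('sameorigin', 'https://www.baidu.com', ['https://example.test']));
// -> { render: false, reason: 'SAMEORIGIN: ancestor https://example.test is not https://www.baidu.com' }
```

The default branch is the one to remember when auditing: a misspelled value such as "SAME-ORIGIN" does not fail closed, it silently leaves the page frameable.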

Clickjacking

Clickjacking is also known as interface hijacking or a UI-overlay attack.

Interface hijacking is a web session hijacking attack based on visual deception. Its core is the transparency attribute of an element: the visible controls of a web page are covered with an invisible frame, so that the user believes they are operating the visible control while their action actually lands in the invisible frame. The user's behavior is thus hijacked, and the malicious code behind the invisible frame runs to steal information, take over sessions, implant Trojan horses, and so on.

Because what is hijacked first is the user's mouse click, the attack is called clickjacking. Its main targets are pages that contain important session interactions, such as bank transaction pages and back-end management pages.

X-XSS-Protection

When the browser detects a cross-site scripting (XSS) attack, it stops loading the page. This header controlled the browser's built-in XSS filter, which has since been removed from Chrome and Edge and was never implemented in Firefox; the Content Security Policy described above is the recommended replacement.