
CSRF and XSS Protection Techniques for Nginx Servers

With the rapid growth of the Internet, web applications have become a major part of everyday life and work. Web applications also face security threats, and two of the most common attack methods are cross-site request forgery (CSRF) and cross-site scripting (XSS). To keep a web application secure, we need to put the corresponding protective measures in place on the Nginx server.

1. Preventing cross-site request forgery (CSRF) attacks

In a cross-site request forgery attack, the attacker disguises a request as one from a legitimate user and tricks the user into performing actions without realising it, such as sending mail, transferring money or changing a password. To prevent CSRF attacks, we can add CSRF token verification middleware on the Nginx server.

Here is an example.

Add the following to the Nginx configuration file:

location / {
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Drop requests that use an unexpected HTTP method (444 closes the connection without a response)
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    # Only accept requests whose Referer is this site. The dots are escaped so they match
    # literally and the host is anchored, so example.com.attacker.test does not match.
    # Note that a request carrying no Referer header at all is rejected as well.
    if ($http_referer !~ "^https?://(www\.)?example\.com(/|$)") {
        return 403;
    }

    # Require a csrf_token cookie to be present. This only checks presence;
    # the token value itself must be verified by the application.
    if ($http_cookie !~ "csrf_token=([^;]+)(?:;|$)") {
        return 403;
    }

    # Other handling goes here
}


In the web application, generate a CSRF token and include it in every form:

<form method="post" action="/submit">
    <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
    <input type="submit" value="提交">
</form>


The csrf_token in the code above should be a randomly generated string that is stored in the user's session; it is generated dynamically for each form submission and added to the form.

2. Preventing cross-site scripting (XSS) attacks

In a cross-site scripting attack, the attacker embeds a malicious script in a web page; when a user visits that page the script is executed, and the user's information can be stolen. To prevent XSS attacks, we can add the X-XSS-Protection header, along with other related security headers, on the Nginx server.

Here is an example.

Add the following to the Nginx configuration file:

location / {
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # Other handling goes here
}


The add_header directives above add the corresponding headers to the HTTP response; the X-XSS-Protection header turns on the browser's built-in XSS filter to block the execution of malicious scripts. Note that current Chrome, Edge and Firefox no longer implement this filter, so Content-Security-Policy is the header to rely on in the browser, and the output escaping described next is what actually keeps injected markup from running.

In the web application, filter and escape user input appropriately.

For example, an HTML escaping function can be used to escape user input, converting special characters into entity encodings:

// Escape the five characters that can break out of HTML text or attribute context.
// The ampersand must be replaced first so that the entities added afterwards are not re-escaped.
function escapeHtml(input) {
    return String(input).replace(/&/g, '&amp;')
                        .replace(/</g, '&lt;')
                        .replace(/>/g, '&gt;')
                        .replace(/"/g, '&quot;')
                        .replace(/'/g, '&#39;');
}


Wherever user input is written into a page, call this function to escape it first.

In summary, adding CSRF token verification middleware and the corresponding security headers on the Nginx server, together with proper handling of user input in the web application, can effectively protect against cross-site request forgery and cross-site scripting attacks. These are only basic protective measures, however; different application scenarios still call for more comprehensive and tailored security measures based on their specific circumstances.
