X-Frame-Options SAMEORIGIN
There was a task with CWE-693: Protection Mechanism Failure
I added security headers for strong security.
Useful links
https://www.keycdn.com/blog/http-security-headers
https://devdocs.magento.com/guides/v2.3/config-guide/secy/secy-xframe.html
magento 1 since 1.9.2 version
Tested the site headers via https://securityheaders.com/
Added to nginx.conf in
http block
add_header x-xss-protection "1; mode=block" always;
to vhost.conf in
server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header x-content-type-options "nosniff" always;
add_header feature-policy "autoplay 'none'; camera 'none'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Links related Referrer-Policy
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
http://okiseleva.blogspot.com/2018/07/referrer-policy.html
It's the most difficult security header Content-Security-Policy
add_header Content-Security-Policy "default-src 'self'; img-src * 'self' data:; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; object-src *; connect-src *; media-src *; font-src *;";
Links related Content-Security-Policy
https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/
https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html
Error with img-src https://forum.framework7.io/t/content-security-policy-directive-img-src-self-data-https/5678
Short instruction for setting Content-Security-Policy header parameters:
Set to default-src 'none';Open develop panel F12, check console log and add rules with all supported directives
security headers
ОтветитьУдалить