Translated from Brian Jackson's article: Hardening Your HTTP Security Headers

This article is a translation of Brian Jackson's post at https://www.keycdn.com/blog/http-security-headers

There are a lot of things to consider when securing your website or web application, but a good place to start is to explore your HTTP security headers and ensure you are keeping up with best practices.

In many cases they are very easy to implement and only require a slight web server configuration change.

HTTP security headers provide yet another layer of security by helping to mitigate attacks and security vulnerabilities.

In this post we will explore some of them to help you better understand their purpose and how to implement them.

What are HTTP security headers?

Whenever a browser requests a page from a web server, the server responds with the content along with HTTP response headers.

Some of these headers carry content metadata such as Content-Encoding, Cache-Control, status codes, etc.

Along with these are also HTTP security headers that tell your browser how to behave when handling your website's content.

For example, by using Strict-Transport-Security you can force the browser to communicate solely over HTTPS.

There are six different HTTP security headers that we will explore below (in no particular order) that you should be aware of and that we recommend implementing if possible.

1. Content Security Policy

The Content-Security-Policy header provides an additional layer of security.

This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining the content sources that are approved, so that the browser loads only those.

All major browsers currently offer full or partial [support for content security policy](https://caniuse.com/#search=content security policy).

It also won't break delivery of the content if it happens to be served to an older browser; the policy will simply not be enforced.

There are many directives that you can use with Content-Security-Policy. The example below allows scripts from both the current domain (defined by 'self') and google-analytics.com.

Content-Security-Policy: script-src 'self' https://www.google-analytics.com

To explore all of the directives, and to see the implementation on Nginx and Apache, make sure to check out our in-depth post on Content Security Policy.

2. X-XSS-Protection

The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers.

This is usually enabled by default, but setting the header enforces it. It is supported by Internet Explorer 8+, Chrome, and Safari.

Here is an example of what the header looks like:

X-XSS-Protection: 1; mode=block

Enable in Nginx

add_header X-XSS-Protection "1; mode=block" always;

Enable in Apache

Header always set X-XSS-Protection "1; mode=block"

3. HTTP Strict Transport Security (HSTS)

The Strict-Transport-Security header is a security enhancement that restricts web browsers to accessing web servers solely over HTTPS.

This ensures the connection cannot be established through an insecure HTTP connection, which could be susceptible to attacks.

All major modern browsers currently support HTTP Strict Transport Security except for Opera Mini and older versions of Internet Explorer.

Here is an example of what the header looks like. You can include the max age, subdomains, and preload:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

To read more about this header and see implementation on Nginx and Apache, make sure to check out our in-depth post on HTTP Strict Transport Security.

4. X-Frame-Options

The X-Frame-Options header provides clickjacking protection by restricting whether your pages may be loaded inside an iframe.

It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. Here is an example of what the header looks like:

X-Frame-Options: SAMEORIGIN

Enable in Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Enable in Apache

Header always set X-Frame-Options "SAMEORIGIN"

5. Expect-CT

The Expect-CT header prevents misissued certificates from being used by allowing websites to report and optionally enforce Certificate Transparency requirements.

When this header is enabled, the website asks the browser to verify whether or not the certificate appears in the public CT logs.

Here is an example of what the header looks like:

Expect-CT: max-age=604800, enforce, report-uri="https://www.example.com/report"

Enable in Nginx

add_header Expect-CT 'max-age=604800, enforce, report-uri="https://www.example.com/report"' always;

Enable in Apache

Header always set Expect-CT "max-age=604800, enforce, report-uri=\"https://www.example.com/report\""

6. X-Content-Type-Options

The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared Content-Type.

This helps reduce the danger of drive-by downloads and helps the browser treat the content the right way.

Here is an example of what the header looks like:

X-Content-Type-Options: nosniff

Enable in Nginx

add_header X-Content-Type-Options "nosniff" always;

Enable in Apache

Header always set X-Content-Type-Options "nosniff"

7. Feature-Policy

The Feature-Policy header grants the ability to allow or deny browser features, whether in its own frame or in content within an inline frame element (<iframe>).

Here is an example of what the header looks like:

Feature-Policy: autoplay 'none'; camera 'none'

Enable in Nginx

add_header Feature-Policy "autoplay 'none'; camera 'none'" always;

Enable in Apache

Header always set Feature-Policy "autoplay 'none'; camera 'none'"

How to check your HTTP security headers

Below are three quick and easy ways to check your HTTP security headers as part of your HTTP response headers.

1. KeyCDN's HTTP Header Checker tool

KeyCDN has an online HTTP Header Checker tool that you can easily use to retrieve which HTTP security headers are currently active on your website.

Simply input the URL you want to check.

It will then return with your HTTP response headers.

2. Chrome DevTools response headers

Another quick and easy way to access your HTTP security headers, as part of your response headers, is to fire up Chrome DevTools.

To do this, click into the Network panel and press Ctrl + R (Cmd + R) to refresh the page.

Click into your domain's request and you will see a section for your response headers.

https://www.keycdn.com/vid/blog/chrome-devtools-http-response-headers.mp4

3. Scan your website with Security Headers

A third way to check your HTTP security headers is to scan your website on Security Headers.

This is a handy little tool that was developed by Scott Helme, an information security consultant.

It gives your website a score, based on the HTTP security headers present, from an A+ grade down to an F grade.

Make sure to bookmark it. Here is an example of an A+ grade on his own website.

Here is an example of an F grade, without any of the HTTP security headers present, on Citi's corporate website.

It spits out both your raw HTTP headers and gives you a nice summary of each HTTP security header and what is missing.
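As an added example (not KeyCDN's tool, Scott Helme's scanner, or code from the original post), this Python script produces the same kind of summary offline: it parses a raw HTTP response and reports, for each of the seven headers covered above, whether it is missing, weakly configured, or set as recommended. The sample response, the one-year HSTS threshold and the weakness rules are my own assumptions.

```python
from email.parser import HeaderParser
# Constructed sample response from a site with a partial, weak header set.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
X-Frame-Options: ALLOW-FROM https://partner.example
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: NoSniff
"""

def parse_headers(raw):
    """Split a raw HTTP response into a lower-cased {name: value} dict."""
    _, _, rest = raw.partition("\n")  # discard the status line
    return {k.lower(): v.strip() for k, v in HeaderParser().parsestr(rest).items()}

def directives(value, sep=";"):
    """'max-age=3600; includeSubDomains' -> {'max-age': '3600', 'includesubdomains': ''}"""
    pairs = (p.strip().partition("=") for p in value.split(sep) if p.strip())
    return {k.lower(): v.strip().strip('"') for k, _, v in pairs}

def csp_sources(value, directive):
    """Sources for one CSP directive; falls back to default-src as browsers do."""
    policy = {t[0].lower(): t[1:] for t in (p.split() for p in value.split(";")) if t}
    return policy.get(directive, policy.get("default-src", []))

def check_hsts(v):
    d = directives(v)
    if int(d.get("max-age", "0")) < 31536000:  # one year, as in the article's example
        return "weak: max-age below one year"
    return "ok" if "includesubdomains" in d else "weak: includeSubDomains not set"

def check_csp(v):
    src = csp_sources(v, "script-src")
    if not src or "'unsafe-inline'" in src or "*" in src:
        return "weak: scripts not restricted to approved sources"
    return "ok"

CHECKS = {
    "content-security-policy": check_csp,
    "x-xss-protection": lambda v: "ok" if v.replace(" ", "") == "1;mode=block" else "weak: expected 1; mode=block",
    "strict-transport-security": check_hsts,
    "x-frame-options": lambda v: "ok" if v.upper() in ("DENY", "SAMEORIGIN") else "weak: use DENY or SAMEORIGIN",
    "expect-ct": lambda v: "ok" if "max-age" in directives(v, ",") else "weak: max-age missing",
    "x-content-type-options": lambda v: "ok" if v.lower() == "nosniff" else "weak: expected nosniff",
    "feature-policy": lambda v: "ok",
}

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'weak: ...'} for every header in CHECKS."""
    present = parse_headers(raw)
    return {h: CHECKS[h](present[h]) if h in present else "missing" for h in CHECKS}
```

Feed `audit()` the raw response captured from DevTools or curl -i to get the same per-header verdicts for a live site.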

Scott also created both a Chrome extension and a Firefox extension with which you can scan the HTTP security headers of any website you want to analyze.

He did an analysis in February 2016 of the Alexa top 1 million sites to see what their HTTP security header usage was, and the results might surprise you.

The number of sites using the strict-transport-security header nearly doubled.

So it appears more people are starting to implement them, especially now that many companies are making the transition to HTTPS.

We recommend doing a full evaluation of your current security policies during an HTTPS migration.

Content Security Policy (CSP) in particular can be a powerful mechanism to prevent Cross Site Scripting (XSS) attacks, which account for 84% of all security vulnerabilities in web sites.

However, as you can see above, less than 5% of websites are actively using the headers.

Summary

As you can see, HTTP security headers can help harden the security of your website, and in most scenarios there is no reason not to use them.

If you don't control access to your own web servers, we recommend reaching out to your web host and letting them know.

Maybe send them a link from securityheaders.io; an F grade is never a good thing!

Do you have any thoughts on HTTP security headers? If so, leave us a comment below.

© Copyright belongs to the author. Please contact the author for reprinting or content collaboration.