NSFOCUS WEB Service Scanning Vulnerability Processing

1. The target X-Content-Type-Options response header is detected to be missing

The X-Content-Type-Options HTTP response header is a marker the server uses to tell the client to honour the MIME type declared in the Content-Type header and not to change it. This disables the client's MIME type sniffing; in other words, it is the site operator's assertion that the declared content types are correct. The absence of the X-Content-Type-Options response header makes the target URL more vulnerable to cross-site scripting attacks.

location / {
    # Unless the "always" parameter is appended, nginx adds this header only to success and redirect responses
    add_header X-Content-Type-Options nosniff;
}


2. The target X-XSS-Protection response header is detected to be missing

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome, and Safari that stops the browser from loading a page when a reflected cross-site scripting (XSS) attack is detected. The absence of the X-XSS-Protection response header makes the target URL more vulnerable to cross-site scripting attacks.

location / {
    # "1" enables the legacy browser XSS filter; "1; mode=block" makes it block the page rather than rewrite it.
    # Chromium-based browsers and Firefox ignore this header, so it mainly satisfies the scanner check.
    add_header X-XSS-Protection 1;
}


3. Detected that the target Content-Security-Policy response header is missing

The HTTP response header Content-Security-Policy allows site administrators to control which resources a user agent is allowed to load for a given page. With a few exceptions, the policy mainly consists of specifying the server's origin and the allowed script endpoints. The absence of the Content-Security-Policy response header makes the target URL more vulnerable to cross-site scripting attacks.

location / {
    # Clears the "missing header" finding, but '*', 'unsafe-inline' and 'unsafe-eval' in script-src allow
    # scripts from any origin and inline scripts, so this policy gives little real protection against XSS.
    add_header Content-Security-Policy "default-src 'self'; style-src * 'unsafe-inline'; img-src * data:; object-src 'self'; script-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; worker-src * blob:;";
}

4. Detected that the target Referrer-Policy response header is missing

If the web server's HTTP response lacks a Referrer-Policy header, the security feature the browser provides for it cannot take effect. When the user clicks a link, the browser issues an HTTP request for the new page, and that request carries a Referer header naming the page the request came from. It is often used to analyse information such as traffic sources, but it has also become a leakage risk, so Referrer-Policy exists to control what the Referer header contains. The possible values are: no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.

Vulnerability harm: without Referrer-Policy in the web server's response header, the security features provided by the browser do not take effect and the site is more vulnerable to web front-end attacks.

location / {
    # Use one of the values listed above; strict-origin-when-cross-origin is shown here as an example
    add_header Referrer-Policy strict-origin-when-cross-origin;
}


5. The target X-Permitted-Cross-Domain-Policies response header is detected to be missing

If the web server's HTTP response lacks an X-Permitted-Cross-Domain-Policies header, the security feature the browser provides for it cannot take effect. When online Flash content needs to load data from other domains, many sites control their cross-domain behaviour with a crossdomain.xml file. Developers may well lack permission to modify the crossdomain.xml file yet still need to share data with Flash content from other domains; in that case the X-Permitted-Cross-Domain-Policies header can take the place of the crossdomain.xml file. The possible values are: none, master-only, by-content-type, by-ftp-filename, all.

Vulnerability harm: without X-Permitted-Cross-Domain-Policies in the web server's response header, the security features provided by the browser do not take effect and the site is more vulnerable to web front-end attacks.

location / {
    # Use one of the values listed above; "none" (no cross-domain policy files are allowed) is shown here
    add_header X-Permitted-Cross-Domain-Policies none;
}


6. Detected that the target X-Download-Options response header is missing

If the web server's HTTP response lacks an X-Download-Options header, the security feature the browser provides for it cannot take effect.

Vulnerability harm: without X-Download-Options in the web server's response header, the security features provided by the browser do not take effect and the site is more vulnerable to web front-end attacks.

location / {
    # "noopen" is the header's only defined value: Internet Explorer then offers "Save" but not "Open" for downloads
    add_header X-Download-Options noopen;
}


7. Clickjacking: X-Frame-Options not configured

Clickjacking is a visual deception. The attacker overlays a transparent, invisible iframe on a web page and then tricks the user into acting on that page, so that the user unknowingly clicks inside the transparent iframe. By adjusting the position of the iframe, the attacker can make the user click a functional button on the framed page. The X-Frame-Options HTTP response header tells the browser whether a page may be loaded in an iframe. If the server's response has no X-Frame-Options header, the website is at risk of clickjacking. Websites can prevent clickjacking by setting X-Frame-Options so that pages within the site cannot be embedded by other pages.

location / {
    # SAMEORIGIN allows framing only by pages from the same origin; DENY forbids framing entirely
    add_header X-Frame-Options SAMEORIGIN;
}
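The seven findings above all come down to one check: is the header present, and does its value actually protect anything? The following Python audit, an added example rather than code from the original post or from NSFOCUS, applies that check to a response's header dictionary and also flags present-but-weak values (the post's own CSP is included as PAGE_CSP to show what it reports). SAMPLE_OK is a constructed header set, not one captured from a real server.

```python
from typing import Dict, List

# The seven headers the findings above check for
EXPECTED = (
    "X-Content-Type-Options", "X-XSS-Protection", "Content-Security-Policy",
    "Referrer-Policy", "X-Permitted-Cross-Domain-Policies",
    "X-Download-Options", "X-Frame-Options",
)

# The CSP value the post suggests; used to show what the value check reports on it
PAGE_CSP = ("default-src 'self'; style-src * 'unsafe-inline'; img-src * data:; object-src 'self'; "
            "script-src * 'unsafe-eval' 'unsafe-inline'; font-src * data:; worker-src * blob:;")

# Constructed sample (not captured from a real server): headers a hardened nginx vhost would send
SAMPLE_OK = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
}

def check_value(name: str, value: str) -> List[str]:
    """Flag a header that is present but configured so that it gives little protection."""
    out, low = [], value.strip().lower()
    if name == "X-Content-Type-Options" and low != "nosniff":
        out.append(f"weak: {name}={value} (only 'nosniff' is defined)")
    if name == "X-XSS-Protection" and low.startswith("1") and "mode=block" not in low:
        out.append(f"weak: {name}={value} (without mode=block the filter rewrites rather than blocks)")
    if name == "Content-Security-Policy":
        # Directives are ';'-separated: "<directive> <source> <source> ..."; script-src falls back to default-src
        directives = {d.split()[0]: d.split()[1:] for d in low.split(";") if d.strip()}
        scripts = directives.get("script-src", directives.get("default-src", []))
        for src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if src in scripts:
                out.append(f"weak: CSP script-src allows {src}")
    if name == "X-Frame-Options" and low not in ("deny", "sameorigin"):
        out.append(f"weak: {name}={value} (use DENY or SAMEORIGIN)")
    return out

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means all seven headers pass."""
    present = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for name in EXPECTED:
        value = present.get(name.lower())
        findings.extend([f"missing: {name}"] if value is None else check_value(name, value))
    return findings
```

Feeding it the header dictionary from a real `requests` or `urllib` response reproduces the scanner's "missing" findings, while the "weak" lines show what the scanner does not tell you: that a header can be present and still do nothing useful.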



Origin blog.csdn.net/weixin_44953658/article/details/123922943