Using Secure HTTP Headers with Vercel/Zeit
[Aditya Telange](https://x.com/adityatelange) · 2020-01-07 · via Homepage on Aditya Telange

Security HTTP headers help protect your website against attacks such as clickjacking, code injection, MIME-type sniffing and cross-site scripting (XSS). A typical attack takes place when you include JavaScript from a third-party site: if the script served by the domain you include is somehow compromised, it may try to send data to, or load data from, attackersite.com.

Such a script may also request access to hardware exposed through the web browser, such as the camera, microphone, location and motion sensors, undermining the security of the site's users.


Zeit/Vercel supports adding custom headers to deployments by listing header definitions in now.json.

Header object definition:

  • source: A pattern that matches each incoming pathname (excluding querystring).
  • headers: An array of key/value pairs representing each response header.

Example now.json:

{
    "headers": {
        "cache-control": "s-maxage=604800",
        "X-Frame-Options": "sameorigin",
        "X-Content-Type-Options": "nosniff",
        "Feature-Policy": "microphone 'none'; camera 'none'; vibrate 'none'; payment 'none'; gyroscope 'none'; push 'none'; geolocation 'none'",
        "x-xss-protection": "1; mode=block",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "Content-Security-Policy": "default-src 'self'; child-src 'self'; font-src 'self'; form-action 'self'; frame-src 'self'; img-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'sha256-blablah='"
    }
}

If you include CSS or JS from external domains, allow those domains in the corresponding directives:

{
  "headers": {
    ...
    "Content-Security-Policy": "... style-src 'self' 'unsafe-inline' cdn.domain.com; ... "
    ...
  }
}

{
  "headers": {
    ...
    "Content-Security-Policy": "...  script-src 'self' cdn.domain.com  ... "
    ...
  }
}

Adding hashes for static files such as .css and .js

After applying the above now.json you may notice that scripts are blocked by the bare-bones CSP; the browser reports each blocked script in the developer tools console (Web-Dev tools -> Console).

Copy the SHA-256 hash from that error message and add it to the CSP as shown below. Make sure each hash is wrapped in single quotes, e.g. 'sha256-blablah='.

{
  "headers": {
    ...
    "Content-Security-Policy": "...  script-src 'self' cdn.domain.com 'sha256-blablah=' ... "
    ...
  }
}
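As an added example (not code from the original post), the following Python script computes the same 'sha256-…' source expression the browser prints for each inline script in a page and assembles the script-src directive from it; the sample HTML is constructed and cdn.domain.com is the placeholder host the post itself uses.

```python
import base64
import hashlib
import re

# Constructed sample page: one inline script that a CSP with
# script-src 'self' would block until its hash is allow-listed.
SAMPLE_HTML = """<html><head>
<script>console.log('hello');</script>
</head><body></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def csp_hash(source):
    """Return the CSP source expression ('sha256-<base64>') for one inline script.

    The browser hashes the exact bytes between <script> and </script>,
    whitespace included, so the body must not be trimmed or re-indented.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html):
    """Hash every non-empty inline <script> body found in the page."""
    return [csp_hash(body) for body in SCRIPT_RE.findall(html) if body]


def script_src_directive(html, extra_hosts=()):
    """Build the script-src directive: 'self', optional CDN hosts, then the hashes."""
    sources = ["'self'", *extra_hosts, *inline_script_hashes(html)]
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    # cdn.domain.com is the placeholder host from the post's own snippets
    print(script_src_directive(SAMPLE_HTML, ["cdn.domain.com"]))
```

Paste the printed directive into the Content-Security-Policy value in now.json; any edit to the inline script changes its hash, so rerun the script after changing the page.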

How to add a custom 404

Here we rely on the filesystem: the filesystem is given precedence, and a request is routed to /404 only if no file matches it.

In now.json add the following:

{
    "version": 2,
    "builds": [{ "src": "package.json", "use": "@now/static-build" }],
    "routes": [
        {
            "src": "/(.*)",
            "dest": "/$1"
        },
        { "handle": "filesystem" },
        {
            "src": "/.*",
            "status": 404,
            "dest": "/404.html"
        }
    ]
}

Visit https://securityheaders.com/ to analyze your site.


The final now.json may look like this:

{
    "version": 2,
    "builds": [{ "src": "package.json", "use": "@now/static-build" }],
    "routes": [
        {
            "src": "/(.*)",
            "headers": {
                "cache-control": "s-maxage=604800",
                "X-Frame-Options": "sameorigin",
                "X-Content-Type-Options": "nosniff",
                "Feature-Policy": "microphone 'none'; camera 'none'; vibrate 'none'; payment 'none'; gyroscope 'none'; push 'none'",
                "x-xss-protection": "1; mode=block",
                "Referrer-Policy": "no-referrer-when-downgrade",
                "Content-Security-Policy": "default-src 'self'; child-src 'self'; font-src 'self'; form-action 'self'; frame-src 'self'; img-src 'self' cdn.domain.com; object-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'sha256-blablah='"
            },
            "dest": "/$1"
        },
        { "handle": "filesystem" },
        {
            "src": "/.*",
            "status": 404,
            "dest": "/404.html"
        }
    ]
}

References: