时间:2021-07-01 10:21:17 帮助过:18人阅读
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
X-Frame-Options 主要是为了防止点击劫持(clickjacking)点击劫持(clickjacking)是一种在网页中将恶意代码等隐藏在看似无害的内容(如按钮)之下,并诱使用户点击的手段。X-Frame-Options HTTP 头部字段用来指示传输的资源是否可以被包含在 或 中,服务端可以声明这个策略来确保自己的网页内容不会被嵌入到其他的页面中.<strong>X-Frame-Options</strong> 具有3个具体的值:</p> <ul> <li><p><strong>DENY</strong>表明网页内容不可以被嵌入到任何frame中</p></li> <li><p><strong>SAMEORIGIN</strong>同源策略,声明网页内容可以被同一域下面的frame嵌入,但不能被不在同一域下面的frame嵌入.<strong>同源</strong>: 协议,域名和端口全部相同,即使是ip与域名对应,也认为是不同域下,下面说明了具体的情况,与: http://www.example.com/dir/page.html对比:</p></li> </ul> <table> <tr> <th style="text-align:center">Compared URL</th> <th style="text-align:center">Outcome</th> <th style="text-align:center">Reason</th> </tr> <tr> <td style="text-align:center">http://www.example.com/dir/page2.html</td> <td style="text-align:center">同源</td> <td style="text-align:center">协议主机端口相同</td> </tr> <tr> <td style="text-align:center">http://www.example.com/dir2/other.html</td> <td style="text-align:center">同源</td> <td style="text-align:center">协议主机端口相同</td> </tr> <tr> <td style="text-align:center">http://username:password@www.example.com/dir2/other.html</td> <td style="text-align:center">同源</td> <td style="text-align:center">协议主机端口相同</td> </tr> <tr> <td style="text-align:center">http://www.example.com:81/dir/other.html</td> <td style="text-align:center">不同源</td> <td style="text-align:center">端口不同</td> </tr> <tr> <td style="text-align:center">https://www.example.com/dir/other.html</td> <td style="text-align:center">不同源</td> <td style="text-align:center">协议不同</td> </tr> <tr> <td style="text-align:center">http://en.example.com/dir/other.html</td> <td style="text-align:center">不同源</td> <td style="text-align:center">主机名不同</td> </tr> <tr> <td style="text-align:center">http://example.com/dir/other.html</td> <td style="text-align:center">不同源</td> <td style="text-align:center">主机不同,必须完全匹配</td> </tr> <tr> <td style="text-align:center">http://v2.www.example.com/dir/other.html</td> <td style="text-align:center">不同源</td> <td style="text-align:center">主机不同,必须完全匹配</td> </tr> <tr> <td style="text-align:center">http://www.example.com:80/dir/other.html</td> <td style="text-align:center">Depends</td> <td style="text-align:center">Port explicit. Depends on implementation in browser</td> </tr> </table> <ul> <li><strong>ALLOW-FROM</strong>指定具体的来源</li> </ul> <h2>服务器配置</h2> <h3>Apache</h3> <p>添加站点配置:</p> <pre class="sycode" name="code">Header always append X-Frame-Options SAMEORIGIN</pre> <h3>Nginx</h3> <p>添加 http , server 或者 location 配置</p> <pre class="sycode" name="code">add_header X-Frame-Options SAMEORIGIN;</pre> <h3>IIS</h3> <p>添加到站点的 Web.config</p> <pre class="sycode" name="code"><system.webServer> ... <httpProtocol> <customHeaders> </customHeaders> </httpProtocol> ...</system.webServer></pre> <h3>HAProxy</h3> <p>添加到 frontend, listen, 或者 backend 配置中:</p> <pre class="sycode" name="code">rspadd X-Frame-Options:\ SAMEORIGIN</pre> <h2>更安全的Cookie</h2> <p>Cookie 是浏览器储存在客户端的小的文本文件,用于客户端与服务器之间互传.Web服务器通过指定 http header 的 Set-Cookie, 其结构如下:</p> <pre class="sycode" name="code">Set-Cookie: name=value[; expires=date][; domain=domain][; path=path][; secure][; httpOnly]</pre> <p>可以看到,Cookie主要包含一下几个字段:</p> <ul> <li><strong>name</strong></li> <li><strong>value</strong></li> <li><strong>expire</strong></li> <li><strong>domain</strong></li> <li><strong>path</strong></li> <li><strong>secure</strong></li> <li><strong>httpOnly</strong></li> </ul> <p>这里主要讲secure 和 httpOnly</p> <h3>httpOnly标识</h3> <p>用来告诉浏览器不能通过JavaScript的 document.cookie 来访问 cookie, 目的是避免 <strong>跨站脚本攻击 (XSS)</strong></p> <h3>secure标识</h3> <p>强制应用通过Https来传输 Cookie</p> <h2>PHP Yii2中设置Cookie的 httpOnly 和 secure</h2> <h3>设置 _csrf</h3> <p>Yii2中的 Cookie yii\web\Cookie默认是 httpOnly的, </p> <pre class="sycode" name="code">class Cookie extends \yii\base\Object{ public $name; public $value = ''; public $domain = ''; public $expire = 0; public $path = '/'; public $secure = false; public $httpOnly = true;}</pre> <p>使用 <?= Html::csrfMetaTags() ?> 就会生成一个 name=_csrf 的 Cookie, 默认是 httpOnly, 通过注入request来改变:</p> <p>在 config/main.php 中</p> <pre class="sycode" name="code"> ... 'components' => [ 'request' => [ 'csrfCookie' => [ 'httpOnly' => true, 'secure' => SECURE_COOKIE, ], ], ... ] ...</pre> <p>注入 csrfCookie 的 httpOnly 和 secure 属性值</p> <h3>生成secure的 Cookie</h3> <pre class="sycode" name="code">$cookies = Yii::$app->response->cookies;$cookies->add(new Cookie([ 'name' => 'accesstoken', 'value' => $accessToken, 'expire' => time() + Token::EXPIRE_TIME, 'secure' => SECURE_COOKIE ]));</pre> <p>注意更新 Cookie 的时候也需要更新 secure 属性</p> <pre class="sycode" name="code">$cookies = Yii::$app->request->cookies;if (($cookie = $cookies->get('accesstoken')) !== null) { $cookie->secure = SECURE_COOKIE; // 这里很重要, 不然就会丢失 $cookie->expire = time() + Token::EXPIRE_TIME; Yii::$app->response->cookies->add($cookie);}</pre> </div> <div class=""> <ul class="m-news-opt fix"> <li class="opt-item"> <a href='/PHPjiqiao-132037.html' target='_blank'><p>< 上一篇</p><p class="ellipsis">xuzuning板主,刚刚foreach的问题还有个问题</p></a> </li> <li class="opt-item ta-r"> <a href='/PHPjiqiao-132039.html' target='_blank'><p>下一篇 ></p><p class="ellipsis">PHP7新建扩展</p></a> </li> </ul> </div> </div> </div> <div class="g-title fix"> <h2 class="title-txt">人气教程排行</h2> </div> <div class="m-rank u-dashed mb40"> <ul> <li class="rank-item"> <a href="/PHPjiqiao-379253.html" title='php如何获取跳转前的url' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num top">1</span> php如何获取跳转前的url </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-379019.html" title='php格林威治时间转换成当前时间的方法' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num second">2</span> php格林威治时间转换成当前时间的方法 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-366629.html" title='为什么php不能做大型系统?' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num third">3</span> 为什么php不能做大型系统? </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-207623.html" title='range函数怎么用' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">4</span> range函数怎么用 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-162433.html" title='php中计算页面加载时间几种方法总结_PHP教程' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">5</span> php中计算页面加载时间几种方法总结_PHP教程 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-140221.html" title='求帮助,关于paypal支付返回值修改订单状态' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">6</span> 求帮助,关于paypal支付返回值修改订单状态 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-103588.html" title='typecho怎么配置文章内容页?' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">7</span> typecho怎么配置文章内容页? </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-99213.html" title='PhpStorm左侧structure不显示文件的方法列表是这么回事?' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">8</span> PhpStorm左侧structure不显示文件的方法列表是这么回事? </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-92208.html" title='查看PHP的环境变量_PHP' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">9</span> 查看PHP的环境变量_PHP </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-170.html" title='PHP Primary script unknown 解决方法总结' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">10</span> PHP Primary script unknown 解决方法总结 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-148.html" title='php的命名空间与自动加载实现方法' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">11</span> php的命名空间与自动加载实现方法 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-133.html" title='解决laravel 出现ajax请求419(unknown status)的问题' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">174次</span> <span class="g-sort-num ">12</span> 解决laravel 出现ajax请求419(unknown status)的问题 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-462817.html" title='php 如何删除mysql记录' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">13</span> php 如何删除mysql记录 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-388448.html" title='PHP如何替换数组中的指定元素' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">14</span> PHP如何替换数组中的指定元素 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-124270.html" title='怎么去除字符串中非汉字、非字母、非数字的字符' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">15</span> 怎么去除字符串中非汉字、非字母、非数字的字符 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-112291.html" title='mysql如何一次执行多条SQL语句' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">16</span> mysql如何一次执行多条SQL语句 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-110669.html" title='修改header里面的Connection为close解决方法' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">17</span> 修改header里面的Connection为close解决方法 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-153.html" title='PHP基于session.upload_progress 实现文件上传进度显示功能详解' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">18</span> PHP基于session.upload_progress 实现文件上传进度显示功能详解 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-125.html" title='php5.6.x到php7.0.x特性小结' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">173次</span> <span class="g-sort-num ">19</span> php5.6.x到php7.0.x特性小结 </a> </li> <li class="rank-item"> <a href="/PHPjiqiao-378118.html" title='php为什么会出现504错误' class="item-name ellipsis" target="_blank"> <span class="g-art-count fr">172次</span> <span class="g-sort-num ">20</span> php为什么会出现504错误 </a> </li> </ul> </div> </div> </div> <!-- / 教程内容页 --> </div> </div> <!-- 页尾 --> <div class="footer"> 本站所有资源全部来源于网络,若本站发布的内容侵害到您的隐私或者利益,请联系我们删除!</div> <!-- / 页尾 --> <script type="text/javascript" src="/kan/js/read.js"></script> <div style="display:none"> <div class="login-box" id="login-dialog"> <div class="login-top"><a class="current" rel="nofollow" id="login1" onclick="setTab('login',1,2);" >登录</a></div> <div class="login-form" id="nav-signin"> <!-- <div class="login-ico"><a rel="nofollow" class="qq" id="qqlogin" target="_blank" href="/user-center-qqlogin.html"> QQ </a></div> --> <div class="login-box-form" id="con_login_1"> <form id="loginform" action="/user-center-login.html" method="post" onsubmit="return false;"> <p class="int-text"> <input class="email" id="username" name="username" type="text" value="用户名或Email" onfocus="if(this.value=='用户名或Email'){this.value='';}" onblur="if(this.value==''){this.value='用户名或Email';};" ></p> <p class="int-text"> <input class="password1" type="password" id="password" name="password" value="******" onBlur="if(this.value=='') this.value='******';" onFocus="if(this.value=='******') this.value='';" > </p> <p class="int-info"> <label class="ui-label"> </label> <label for="agreement" class="ui-label-checkbox"> <input type="checkbox" value="" name="cookietime" id="cookietime" checked="checked" value="2592000"> <input type="hidden" name="notforward" id="notforward" value="1"> <input type="hidden" name="dosubmit" id="dosubmit" value="1">记住我的登录 </label> <a rel="nofollow" class="aright" href="/user-center-forgetpwd.html" target="_blank"> 忘记密码? </a></p> <p class="int-btn"><a rel="nofollow" id="loginbt" class="loginbtn"><span>登录</span></a></p> </form> </div> <form id="regform" action="/user-center-reg.html" method="post"> <div class="login-reg" style="display: none;" id="con_login_2"> <input type="hidden" name="t" id="t"/> <p class="int-text"> <input id="email" name="email" type="text" value="Email" onfocus="if(this.value=='Email'){this.value='';}" onblur="if(this.value==''){this.value='Email';};"></p> <p class="int-text"> <input id="uname" name="username" type="text" value="用户名或昵称" onfocus="if(this.value=='用户名或昵称'){this.value='';}" onblur="if(this.value==''){this.value='用户名或昵称';};"></p> <p class="int-text"> <input type="password" id="pwd" name="password" value="******" onBlur="if(this.value=='') this.value='******';" onFocus="if(this.value=='******') this.value='';"> </p> <p class="int-text1"><span class="inputbox"> <input id="validate" name="validate" type="text" value="验证码" onfocus="if(this.value=='验证码'){this.value='';}" onblur="if(this.value==''){this.value='验证码';};"> </span><span class="yzm-img"><img src="/user-checkcode-index" alt="看不清楚换一张" id="indexlogin"></p> <p class="int-info"> <label> <input value="" name="agreement" id="agreement" CHECKED="checked" type="checkbox"> 我已阅读<a rel="nofollow" href="/user-center-agreement.html">用户协议</a>及<a rel="nofollow" href="/user-center-agreement.html">版权声明</a></label> </p> <p class="int-btn"><input type="hidden" name="dosubmit"/> <a rel="nofollow" class="loginbtn" id="register"><span>注册</span></a></p> </div> </form> </div> </div> </div> </div> <script type="text/javascript" src="/kan/js/foot_js.js"></script> <script> var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?6dc1c3c5281cf70f49bc0bc860ec24f2"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })(); </script> <script type="text/javascript" src="/layui/layui.js"></script> <script> layui.use('code', function() { layui.code({ elem: 'pre', //默认值为.layui-code about: false, skin: 'notepad', title: 'php怎么实现数据库验证跳转代码块', encode: true //是否转义html标签。默认不开启 }); }); </script> </body> </html>
