Security hardening

iTop is based on PHP and its content is served by a web server.

This page lists PHP and web-server configuration settings that enhance the security of an iTop installation.

Use https

You should serve your pages only over the https protocol.

As Wikipedia puts it: it protects against man-in-the-middle attacks. The bidirectional encryption of communications between client and server protects against eavesdropping and tampering.

Prevent session theft

While the PHP default configuration is already reasonable from a security point of view, it can be enhanced: you should change the default value of the following entries:

session.cookie_httponly

To prevent malicious JavaScript code from sniffing the user's session, you should enable session.cookie_httponly (see the PHP documentation).

You can do so either in php.ini with session.cookie_httponly = 1, or in the Apache configuration with php_flag session.cookie_httponly on.

session.cookie_secure

If you use https, you should enable this directive so that cookies are only sent over secure connections; see the PHP documentation.

Additional http headers

While not as critical as the previous configuration, you can set the following http headers in your web server to add an extra layer of security. Since this page tries to stay simple, the headers mentioned here can often be fine-tuned to be even more restrictive.

The examples below are for Apache and require mod_headers, but all mainstream web servers provide a way to configure them.

Strict-Transport-Security

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" env=HTTPS

This tells browsers that the site should only be accessed over HTTPS, never over plain HTTP. See the MDN documentation for more information.

X-Frame-Options

Header always set X-Frame-Options "sameorigin"

This indicates whether a browser should be allowed to render the page inside a <frame>, <iframe>, <embed> or <object>. See the MDN documentation.

X-Content-Type-Options

Header always set X-Content-Type-Options "nosniff"

This opts out of MIME type sniffing (the MIME type advertised in the Content-Type header must not be changed by the browser). See the MDN documentation.

Content-Security-Policy

This helps detect and mitigate cross-site scripting (XSS) and data injection attacks.

Beware: this header blocks every domain that is not explicitly authorized, which makes it harder to configure correctly. MDN has an excellent article, Content Security Policy (CSP), which you should refer to for a proper configuration.

A basic configuration could be:

Header set Content-Security-Policy "default-src 'self' www.itophub.io;script-src 'self' www.itophub.io 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline';img-src  'self' data: blob: www.itophub.io "

But if, for example, you use reCAPTCHA or similar services, you will also have to allow www.google.com and www.gstatic.com:

Header set Content-Security-Policy "default-src 'self' www.itophub.io;script-src 'self' www.google.com www.gstatic.com www.itophub.io 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline';img-src  'self' data: blob: www.itophub.io "

Given the difficulty of maintaining a correct configuration, we do not include this header in the example below, but if you are comfortable with the extra maintenance you can add it.
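The following is an added example, not code from the iTop wiki page: it parses the two CSP policies quoted above, answers whether a given host may load a given resource type (with the default-src fallback browsers apply to absent directives), and lists the directives that still carry 'unsafe-inline' / 'unsafe-eval', which weaken the XSS protection the header is meant to give. The iTop hostname itop.example.com standing in for 'self' is an assumption.

```python
from typing import Dict, List

# The two policies quoted above (values of the Header directives), verbatim.
BASIC_CSP = ("default-src 'self' www.itophub.io;script-src 'self' www.itophub.io "
             "'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline';"
             "img-src  'self' data: blob: www.itophub.io ")
RECAPTCHA_CSP = ("default-src 'self' www.itophub.io;script-src 'self' www.google.com "
                 "www.gstatic.com www.itophub.io 'unsafe-inline' 'unsafe-eval' blob:; "
                 "style-src 'self' 'unsafe-inline';img-src  'self' data: blob: www.itophub.io ")

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Map each directive name to its source list; directives are ';'-separated."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(policy: str, directive: str) -> List[str]:
    """Fetch directives fall back to default-src when absent (child-src chaining ignored)."""
    directives = parse_csp(policy)
    return directives.get(directive, directives.get("default-src", []))

def allows(policy: str, directive: str, host: str, own_host: str = "itop.example.com") -> bool:
    """True if a resource loaded from `host` is permitted by `directive`.
    own_host is an assumed iTop hostname standing in for 'self'."""
    for src in effective_sources(policy, directive):
        if src == "'self'" and host.lower() == own_host.lower():
            return True
        if src.startswith("*.") and host.lower().endswith(src[1:].lower()):
            return True
        if src.lower() == host.lower():
            return True
    return False

def unsafe_keywords(policy: str) -> Dict[str, List[str]]:
    """Directives that keep 'unsafe-inline'/'unsafe-eval', which weaken XSS protection."""
    risky = ("'unsafe-inline'", "'unsafe-eval'")
    return {d: [s for s in srcs if s in risky]
            for d, srcs in parse_csp(policy).items() if any(s in risky for s in srcs)}

if __name__ == "__main__":
    print(allows(BASIC_CSP, "script-src", "www.google.com"))      # False
    print(allows(RECAPTCHA_CSP, "script-src", "www.google.com"))  # True
    print(unsafe_keywords(BASIC_CSP))
```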

Complete example

php_flag session.cookie_httponly on
Header always set X-Frame-Options "sameorigin"
Header always set X-Content-Type-Options "nosniff"

# only for https:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
php_flag session.cookie_secure on
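An added example (not from the iTop wiki page) to verify that the complete example above took effect: it audits a response's Set-Cookie attributes and security headers against the recommendations on this page. The two responses are constructed for the demo, not captured from a real iTop instance; a practitioner would feed it the headers returned by their own server.

```python
from typing import Dict, List

def parse_set_cookie(value: str) -> Dict[str, str]:
    """Return the cookie's attributes with lower-cased keys ('' for bare flags)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": val.strip()}
    for part in parts[1:]:
        key, _, v = part.partition("=")
        attrs[key.strip().lower()] = v.strip()
    return attrs

def audit_response(headers: Dict[str, str], https: bool) -> List[str]:
    """List deviations from the page's recommendations; empty means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cookie = parse_set_cookie(h.get("set-cookie", ""))
    if cookie["name"] == "PHPSESSID":  # PHP's default session cookie name
        if "httponly" not in cookie:
            findings.append("session cookie lacks HttpOnly (session.cookie_httponly)")
        if https and "secure" not in cookie:
            findings.append("session cookie lacks Secure (session.cookie_secure)")
    if h.get("x-frame-options", "").lower() not in ("sameorigin", "deny"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if https:
        hsts = h.get("strict-transport-security", "").replace(" ", "")
        max_age = next((d[8:] for d in hsts.split(";") if d.lower().startswith("max-age=")), "0")
        if not max_age.isdigit() or int(max_age) < 31536000:
            findings.append("Strict-Transport-Security missing or max-age below one year")
    return findings

# Constructed sample responses (not captured from a real iTop instance).
UNHARDENED = {"Set-Cookie": "PHPSESSID=0123abcd; path=/", "Content-Type": "text/html"}
HARDENED = {  # what the "Complete example" above produces over https
    "Set-Cookie": "PHPSESSID=0123abcd; path=/; HttpOnly; Secure",
    "X-Frame-Options": "sameorigin",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains;",
}

if __name__ == "__main__":
    print(audit_response(UNHARDENED, https=True))
    print(audit_response(HARDENED, https=True))  # []
```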

Original post: https://www.itophub.io/wiki/page?id=2_7_0%3Aadmin%3Asecurity


Created by superadmin on 2020/08/25, 16:37
    
