
Handling of website vulnerabilities

2025-01-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. Clickjacking: missing X-Frame-Options response header

The X-Frame-Options HTTP response header tells the browser whether a page may be loaded inside an iframe or frame. A website prevents clickjacking by setting X-Frame-Options so that its pages cannot be embedded by pages on other sites.

There are three values for X-Frame-Options:

DENY

The page may not be embedded in an iframe or frame by any page.

SAMEORIGIN

The page may only be embedded in an iframe or frame by pages of the same site (same origin).

ALLOW-FROM uri

The page may only be embedded in an iframe or frame by the page at the specified URI.

1) IIS6 server. Configure the server so that every response includes the X-Frame-Options header: in the IIS configuration, open the HTTP Headers tab, choose Custom Headers, and add the header.

2) Apache: configure X-Frame-Options

Add the following to the site configuration file httpd.conf so that only pages within the site may be embedded in an iframe:

Header always append X-Frame-Options SAMEORIGIN

If several sites run on the same Apache server and you only want to configure one of them, add the following to that site's .htaccess file:

Header append X-FRAME-OPTIONS "SAMEORIGIN"

3) Nginx: configure X-Frame-Options

Edit nginx.conf under the nginx/conf folder and add the following directive (lowercase, terminated with a semicolon):

add_header X-Frame-Options "SAMEORIGIN";

2. Microsoft IIS directory enumeration

Solution: install UrlScan and reject the ~ character by adding ~ under the [DenyUrlSequences] section.

3. Microsoft IIS version leak

Solution: install UrlScan and remove the Server response header.

4. General: OPTIONS method is enabled

Solution: install UrlScan and set UseAllowVerbs=0.

UseAllowVerbs selects allow mode for checking URL requests. If set to 1, every request whose verb is not listed in the [AllowVerbs] section is rejected; if set to 0, every request whose verb is not listed in [DenyVerbs] is treated as legitimate. The default is 1.

AllowDotInPath=1
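A small checker, added here as an example and not part of the original article, that inspects a raw HTTP response head for the three header-level items above (missing X-Frame-Options, a leaking Server header, OPTIONS advertised in Allow). The sample responses are constructed; it also flags the duplicated value that Apache's Header append produces when the header was already set, which browsers treat as invalid and ignore.

```python
# Constructed sample response heads (not captured from any real server).
RAW_EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n"
    "Allow: GET, HEAD, OPTIONS, TRACE\r\n"
    "\r\n"
)
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# What Apache's 'Header append' yields if the header was already set upstream.
RAW_DUPLICATED = RAW_HARDENED.replace("\r\n\r\n", "\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n")

# Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM is obsolete.
SUPPORTED_XFO = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Map lowercased header names to values; repeated headers merge with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def audit(raw):
    """Return findings for items 1, 3 and 4 of the article; empty means clean."""
    h = parse_headers(raw)
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("clickjacking: X-Frame-Options header missing")
    elif "," in xfo:
        findings.append(f"clickjacking: repeated X-Frame-Options {xfo!r}; browsers ignore it")
    elif xfo.upper() not in SUPPORTED_XFO:
        findings.append(f"clickjacking: unsupported X-Frame-Options value {xfo!r}")
    if "server" in h:
        findings.append(f"version leak: Server header present ({h['server']})")
    verbs = {v.strip().upper() for v in h.get("allow", "").split(",") if v.strip()}
    if "OPTIONS" in verbs:
        findings.append(f"OPTIONS method enabled (Allow: {h['allow']})")
    return findings
```

Feed it the head of a real response (everything before the blank line) to verify the IIS, Apache or Nginx change took effect.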
