如何在Apache server下新增X-Frame-Options與Content-Security-Policy至Response Header中(fix Web Application Potentially Vulnerable to Clickjacking issue)

臨時接到之前其他開發團隊所開發的案子被資安掃描軟體偵測出有資安上的漏洞,但因大多的開發人員都已離開公司了,因此派我前往支援嘗試修復這些問題,Issue的說明如下:

Web Application Potentially Vulnerable to Clickjacking (85582)

主要就是說Web Server(Apache)沒有設定response header,因為需要在response header中回傳X-Frame-OptionsContent-Security-Policy(CSP)屬性,該專案使用的是WAMP,因此必須到相對應的目錄下找到Apache資料夾,並找到檔名為httpd.conf,一起來看看如何設定!

Step 1:

於Apache資料夾下,找檔名為http.conf的檔案

Step 2:

打開httpd.conf後,搜尋#LoadModule headers_module modules/mod_headers.so,並將#去掉

Step 3:

於httpd.con文件中新增下列內容

#set up response header
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "default-src 'self'"
</IfModule>

其中,X-Frame-Options “SAMEORIGIN” -> 唯有當符合同源政策下,才能被嵌入到 frame 中
Content-Security-Policy “default-src ‘self’” -> 只允許本站資源(CSP主要是在減少跨站腳本攻擊)

新增完成後,記得要重開Apache server設定才會套用上去哦!

Written by

Project Manager | Account Manager | Technical Account Manager | Support Engineer | Sales Engineer | Cloud | Sigfox | LPWAN IoT

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store