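################################################################
#
# Add HTTP response headers that reduce the impact of browser-side attacks
# (protocol downgrade, reflected XSS, MIME sniffing, clickjacking).
#
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
#
################################################################

// header() is ignored (and logs a warning) once any output has been sent, so
// the whole block is skipped in that case instead of failing header by header.
if (!headers_sent()) {
    // The SAPI reports TLS through $_SERVER['HTTPS']: Apache sets 'on', some
    // other front ends set '1', and IIS sets 'off' for plain HTTP. Accept any
    // non-empty value other than 'off' instead of only the literal 'on'.
    $isHttps = !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';

    // HTTP Strict-Transport-Security (HSTS) tells the browser to use TLS for
    // this host for the next year. Browsers ignore it on plain-HTTP responses,
    // so it is only emitted when the current request is already TLS.
    if ($isHttps) {
        header('Strict-Transport-Security: max-age=31536000');
    }

    // HTTP_HOST is only present for a real HTTP request (not CLI), which is the
    // only context where the remaining headers mean anything.
    if (isset($_SERVER['HTTP_HOST'])) {
        // Legacy reflected-XSS filter (IE8+ and older Chrome). Current browsers
        // ignore it and OWASP now recommends `0` because the filter itself has
        // been abused; the value is kept so existing behaviour is unchanged.
        header('X-XSS-Protection: 1; mode=block');

        // Stop the browser from guessing a MIME type different from the one served.
        header('X-Content-Type-Options: nosniff');

        // The original sent the literal word "policy", which is not a valid
        // directive list and is dropped by browsers. This is a constructed,
        // deliberately restrictive baseline — tune it per site, ideally after
        // trialling it with Content-Security-Policy-Report-Only first.
        $contentSecurityPolicy = "default-src 'self'";
        header('Content-Security-Policy: ' . $contentSecurityPolicy);

        // no-cache forces revalidation but still allows the response to be
        // stored; pages carrying sensitive data should use no-store instead.
        header('Cache-Control: no-cache');

        // Only allow framing by the same origin (clickjacking defence). Left
        // disabled as in the original; enable it if the site is never embedded
        // in third-party pages.
        //header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
    }
}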

                                                
