Page computer:web:security_headers: created 2019-02-14 07:51 by skrupellos; current revision 2020-11-18 18:11 (external edit, 127.0.0.1)
====== Security Headers ======
^ Header ^ Specification ^^ Doc ^ Applicability ^^ Sane\\ Default ^ Set by ^ Google? ^ Notes ^
^ ::: ^ First ^ Current ^ ::: ^ Website ^ Resources ^ ::: ^ ::: ^ ::: ^ ::: ^
| X-Frame-Options | [[https://tools.ietf.org/html/rfc7034|RFC 7034]] (2013) \\ <wrap lo>[[https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/|Microsoft]] (2009)</wrap> || [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options|Moz]] | (V)\\ <wrap lo>Those that are generated dynamically by the server or client</wrap> | %%(%%(V)%%)%% ((Makes little sense)) | ''DENY''\\ <wrap lo>''SAMEORIGIN''</wrap> | App -> View -> Always | (V)\\ <wrap lo>For the website</wrap> | Superseded by `Frame-Options` in CSP\\ Meta tags do not work [(https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md#common-defense-mistakes)] |
| Strict-Transport-Security | [[https://tools.ietf.org/html/rfc6797|RFC 6797]] (2012) || [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security|Moz]] | (V) | (V) | ''max-age=31536000; includeSubDomains;''\\ (!) Omit ''includeSubDomains'' if an office network with HTTP-only devices is involved. | SSL endpoint -> Always | %%(%%(X)%%)%%\\ <wrap lo>Not needed, they use preloading</wrap> | |
| Referrer-Policy | [[https://www.w3.org/TR/referrer-policy/|w3]] (2017) || [[https://scotthelme.co.uk/a-new-security-header-referrer-policy/|Scott Helme]], [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy|Moz]] | (V) | CSS | ''no-referrer''\\ ''strict-origin'' | App -> View -> Always\\ Server -> CSS -> Always | (X) | Deprecated in CSP |
| X-Content-Type-Options | [[https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/|Microsoft]] (2008) | | [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options|Moz]] | (V) | (V)\\ <wrap lo>[[https://github.com/whatwg/fetch/issues/395|Problems with images?]]</wrap> | ''nosniff'' | | %%(%%(V)%%)%%\\ For resources | |
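As an added example (not part of this wiki page), a small Python check that audits a response's header set against the sane defaults in the table, including the directive parsing needed for Strict-Transport-Security; the two sample header dicts are constructed.

```python
# Added example: audit response headers against the table's sane defaults.
# Header names and values are the real ones; the sample responses are constructed.
from typing import Dict, List

ONE_YEAR = 31536000  # seconds, the max-age the table recommends for HSTS


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains;' into lower-cased directives."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerates the trailing ';' the table's default carries
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that is missing or weaker than the table's default."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: got {xfo or 'nothing'}, want DENY or SAMEORIGIN")
    sts = parse_directives(h.get("strict-transport-security", ""))
    try:
        max_age = int(sts.get("max-age", "0"))
    except ValueError:  # e.g. 'max-age=' with no number
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append(f"Strict-Transport-Security: max-age {max_age} < {ONE_YEAR}")
    if "includesubdomains" not in sts:
        findings.append("Strict-Transport-Security: includeSubDomains absent (only ok with HTTP-only devices)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: want nosniff")
    if h.get("referrer-policy", "").strip().lower() not in ("no-referrer", "strict-origin"):
        findings.append("Referrer-Policy: want no-referrer or strict-origin")
    return findings


# Constructed sample responses: one weak, one matching the table's defaults.
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOW-FROM https://partner.example"}
HARDENED = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains;",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["ok"])
```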