This article focuses on some standard specifications to make our Web more secure, common Web security problems will be introduced later (XSS, CSRF, MITM, SQL injection, etc.), if there is any improper understanding, please also point out, thank you. The article is a little longer, and the main clue is to introduce the relevant knowledge of the browser source Origin, which is the cornerstone of Web security. The following sections mostly rely on this section.
Same-origin Policy
The same origin policy restricts how documents or scripts loaded in one origin can interact with resources in other sources. This is a key security mechanism used to isolate potentially malicious documents.
Definition of a source
Two pages have the same source if they have the same protocol, domain name, port (if specified), and.
The source of inheritance
Data: URLs gets a new, empty security context. Scripts executed on a page with about:blank or javascript: URL inherit the source of the document that opened that URL, because these types of URLs do not explicitly contain information about the original server. For example, about:blank is usually the URL of a new blank pop-up Window that the parent script writes to (for example, through the window.open () mechanism). If this pop-up window also contains code, that code inherits from the same source as the script that created it. Data: THE URL gets a new empty security context. It is worth mentioning that Internet Explorer has two main Trust Zones when it comes to same-origin policies: two domains with high mutual Trust, such as corporate domains, that do not comply with same-origin policies. Port: IE did not add the port number to the part of the same origin policy, http://company.com:81/index.html and http://company.com/index.html belong to the homologous and therefore not subject to any restrictions.
The source of change
A page may change its source due to certain restrictions. A script can set the value of document.domain to its current domain or to the superdomain of its current domain. If it is set to the superdomain of its current domain, the shorter domain is used for subsequent source checks. Assuming that http://store.company.com/dir/other.html document a script execution of the following statements:
document.domain = "company.com";Copy the code
After this statement is executed, The page will be successfully through the homologous detection of http://company.com/dir/page.html (assuming http://company.com/dir/page.html to document it. Domain Set it to Company.com). However, Company.com cannot set document.domain to otherCompany.com because it is not company.com’s superdomain. PS: Within the root domain, the browser allows you to set the value of the domain property to its upper domain. For example, in the cicada.alipay.com domain, you can set the domain to alipay.com but not alipay.org or com. PS: The browser saves the port number separately. Any assignment, including document.domain = document.domain, will result in the port number being overwritten to NULL. So company.com:8080 cannot communicate with company.com only by setting document.domain = company.com. It must also assign values to both of them to ensure null port numbers. When using document.domain to allow the child domain to securely access its parent, you need to set document.domain to the same value in the parent and child domains. This is necessary even if doing so simply sets the parent field back to its original value. Failure to do so may result in permissions errors.
Cross-source network access
The same origin policy controls interactions between different sources, such as when using XMLHttpRequest or IMG tags. These interactions generally fall into three categories:
- Cross-origin writes are generally allowed. Examples include links, redirects, and form submission.
- Cross-origin embedding is generally allowed.
- Cross-origin reads are not normally allowed. However, it is often possible to cleverly read access through embedded resources. For example, you can read the height and width of the embedded picture, and call the methods of the embedded script.
Here are some examples of resources that might be embedded across sources:
- The script tag embeds cross-domain scripts. Syntax error messages can only be captured in cognate scripts.
- Link tags are embedded in the CSS. Due to the loose syntax rules of CSS, CSS cross-domain requires a properly set Content-Type header.
- Img Embeds the image. Supported image formats include PNG,JPEG,GIF,BMP,SVG…
- Video and Audio Embed multimedia resources.
- Object, Embed, and applet plugins.
- @font-face The introduced font. Some browsers allow cross-origin fonts, some require same-Origin fonts.
- Frame (deprecated) and any resources loaded by iframe. Sites can use x-frame-options headers to prevent this form of cross-domain interaction.
Allow/prevent cross-domain access
How do I allow cross-source access
CORS, JSONP, Document.domain, window.name, window.postMessage, CSST (CSS Text Transformation) See zhihu – about the front-end cross-domain arrangement
How do I block cross-source access
To prevent cross-domain write operations, simply detect an unmeasurable marker (CSRF token) in the Request, known as the Cross-Site Request Forgery (CSRF) token. This tag must be used to prevent cross-site reads of the page. To prevent cross-site reading of a resource, ensure that the resource is not embeddable. Blocking embedded behavior is necessary because embedded resources often expose information to them. To prevent cross-site embedding, make sure your resources are not in the embeddable resource format listed above. In most cases, browsers do not adhere to conten-type headers. For example, if you specify the
\>
Cross-source scripting API access
There may be differences between different browsers. The standards prevail. Javascript APIs such as iframe.contentWindow, window.parent, window.open and window.opener allow documents to reference each other directly. These references restrict access to Window and Location objects when the two documents have different sources. PS: To further communicate documents between different sources, use window.postMessage.
Window (methods and properties)
Window.blur window.close window.focus window.postMessage window.closed Read-only Window.frames read-only Window.length read-only Window. Location Read/write Window.opener read only Window.parent read only window.self read only window.top read only window.window
location
Location. replace location.href just says.
Access across source data stores
Data stored in the browser, such as localStorage and IndexedDB, is segmented by source. Each source has its own storage space, and Javascript scripts in one source cannot read or write data belonging to other sources. Cookies use different source definitions. A page can set cookies for the local field and any parent field, as long as the parent field is not a public suffix. PS: Public Suffix Indicates the Top Level Domain (TLD) list provided by the Internet Corporation for Assigning Names and Numbers, such as com, NET, and org.
CSP (Content Security Policy)
Content Security Policy (CSP) is an additional layer of Security to help detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks can be used for anything from data theft to website destruction or distribution as versions of malware. In fact, the essence of CSP is the whitelist mechanism for the site to load or execute the resources.
Applicable way
- You can configure your web server to return the Content-Security-Policy HTTP header (sometimes you’ll see something about the X-Content-Security-Policy header, which is an older version).
- Used in the meta element of an HTML page, as follows
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';" >Copy the code
Supported policy directives
base-uri
The base-URI directive defines the URI, which can be used as the base URL for the document.
connect-src
The connect-src directive defines the connection source for requests, XMLHttpRequest, WebSocket, and EventSource (Server-Sent Events(SSE)).
default-src
The default-src directive defines the (default) security policies that are not specified by more precise directives. This command contains the following commands: connect-src, font-src, img-src, media-src, object-src, script-src, and style-src
font-src
The font-src directive defines a valid source for loading fonts via @font-face.
form-action
Specify the source for the form submission.
frame-ancestors
SRC attribute source of frame and iframe.
img-src
The SRC attribute source of the img element.
media-src
The loading source of audio and video.
object-src
Object, Embed, and applet loading sources.
plugin-types
The plugin source.
sandbox
script-src
Script source, with inline scripts and eval() disabled.
style-src
The style of the source.
Content source
Source list
The source list is a string that specifies one or more Internet hosts (by hostname or IP address), and optionally URL protocols and/or port numbers. http://*.foo.com matches all attempts to load any subdomain of foo.com using the HTTP: protocol. Mail.foo.com :443 Matches all attempts to access port 443 on mail.foo.com. Store.foo.com matches all attempts to access store.foo.com using the HTTPS: protocol. If the port number is not specified, the browser uses the default port number for the specified protocol. If no protocol is specified, the browser uses the protocol used when accessing the document.
The keyword
‘None’ stands for empty set; That is, no URL is matched. ‘self’ means the same source as the document, including the same URL protocol and port number. ‘unsafe-inline’ allows the use of inline resources such as inline script elements, javascript: urls, inline event handlers, and inline style elements. ‘unsafe-eval’ allows methods such as eval() to create code from strings.
A safe environment
The browser enters a secure environment when it meets the minimum security requirements. Secure environments allow browsers to expose APIs that are only allowed if they are securely transmitted to the user. Role: The primary goal of a security context is to prevent attackers from accessing powerful apis that can further compromise victims of attacks.
Check whether the environment is secure
You can use feature detection to determine if the context is in a secure context by using the Boolean returned by isSecureContext that is public in the global scope.
If (window.isSecureContext) {// If (window.isSecureContext) {// The page is a secure context and the service can be used normally. navigator.serviceWorker.register("/offline-worker.js").then(function () { ... }); }Copy the code
How to protect our site
User information security
How do I turn off the auto-complete function of a form
Many browser form fields support auto-completion; So their values can be recommended and automatically restored the next time a user visits your site. For certain types of data, you may want to disable this feature. By default, the browser logs information about the input fields submitted on the user’s web page. This allows the browser to auto-complete (provide the user with possible content as soon as the user starts typing) and auto-populate (pre-populate certain fields at load time).
How do I disable auto fill?
Set for the entire form
<form method="post" action="/form" autocomplete="off"> </form>Copy the code
Set for a single field
< form method = "post" action = "/ form" > [...]. <label>name: <input type="text" id="cc" name="cc" autocomplete="off"> </label> </form>Copy the code
Setting autoComplete = “off” here has two effects:
- It prevents browsers from automatically saving form data in order to auto-complete similar forms later, but browsers are different.
- It blocks form data from the browser history cache. When the form data comes from the cache, the information the user fills in is visible when the user clicks the back button to return.
PS: In some cases, the browser will continue to prompt the auto-complete value even if autofill is set to off. This may leave developers scratching their heads. The way to force the browser not to auto-populate is to set a random string for AutoComplete that cannot be an optional value for the AutoComplete property.
Automatically populate properties and login
Modern browsers inherit password management: when a user logs in to a site using a username and password, the browser remembers it for the user. When a user visits your site again, the browser automatically populates the login module with stored data. For this reason, many modern browsers do not support setting autocomplete= “off” in the login module:
- If a site sets autocomplete= “off” for a form, if the form contains a username and password, the browser will still remember the login information and, if the user agrees, the browser will fill it in automatically the next time the user visits the site.
- If the site sets autocomplete= “off” to the user name and password fields, the browser will still remember the login, and if the user agrees, the browser will automatically fill in the login information the next time the user visits.
If you want to prevent the password field from being filled in on the user admin page, users can specify a new password for someone other than themselves, although autocomplete = “new-password” should be specified, although not yet supported by all browsers.
Privacy and: Visited Selectors
Why: Visited Selectors expose user privacy?
At one time, the CSS selector: Visited was used by websites to see users’ browsing history. Find out which web sites the user visited by scanning the user’s browsing history using getComputedStyle() or other methods. This is easy to do, not only to determine whether the user has ever visited the page, but also to guess a lot about the user’s identity.
Browser handling
Browsers can lie to web programs in some cases, especially getComputedStyle() and similar features such as element.querySelector(), which always returns a value indicating that the user has never visited any link on the web page. In addition, if a sibling selector is used, such as visited + span, \ appears as unvisited. Also, in rare cases, if a nested link element is used and the matching element is different from the one in history, the link is drawn in an unvisited style.
Restrictions on visited link styles
You can still set visual styles for visited links, but there are restrictions on what styles can be used. Only the following attributes can be applied to a visited link:
- color
- background-color
- border-color (and its sub-properties)
- outline-color
- The color portion of the fill and stroke attributes (used in SVG)
Content security
Correctly configure the MIME Types of the server
What are MIME Types?
MIME types describe the content of the media type in an email or by a Web server or Web application and are designed to help guide web browsers on how to process and display the content. Common MIME Types?
- text/html for normal web pages
- text/plain for plain text
- text/css for Cascading Style Sheets
- text/javascript for scripts
- Application /octet-stream meaning “Download this file”
- application/x-java-applet for Java applets
- application/pdf for PDF documents
Why is it the correct MIME type?
If a Web server or application sets an incorrect MIME type, a Web browser has no way of knowing from the HTTP specification what the author wants to do with it. Most browsers allow Web servers and applications that misconfigure MIME Types to guess their MIME Types. Using the correct MIME type for service content can also be important for security reasons; Malicious content can affect a user’s computer, posing as a secure type of document.
How do I set your server to send the correct MIME type?
If you use an Apache Web server, simply copy the sample.htaccess file to a directory that contains the correct MIME type for the file you want to send. If you have a complete subdirectory of the file, put the file in the parent directory; You don’t have to put it in every subdirectory. If you use Microsoft IIS, you are reading this article. If you are using a server-side script (Perl, PHP, ASP, or Java) to generate content, you can usually add a line at the top of the script. You just need to set the right Content-Type.
Use HTTPS strictly (HSTS)
HTTP Strict Transport Security (often referred to simply as HSTS) is a Security feature that tells the browser to access the current resource only through HTTPS, not HTTP.
The example scenario
You connect to a free WiFi access point and start browsing websites, accessing your online banking, checking your spending, and paying for some orders. Unfortunately, the WiFi you’re accessing is actually a laptop hotspot for hackers who intercept your initial HTTP request and then redirect to a phishing site that looks exactly like your bank’s website. Now, your private data is exposed to hackers. Strict Transport Security solves this problem; As long as you access your bank’s website via an HTTPS request, and your bank’s website is configured with Strict Transport Security, your browser knows to automatically use HTTPS requests, which can prevent the hacker’s man-in-the-middle trick.
How does the browser handle it?
The first time your site makes an HTTPS request, the server responds with the strict-transport-Security header, the browser records this information, and subsequent attempts to access the site will automatically replace HTTP with HTTPS. When the expiration time set by the HSTS header is up, subsequent access via HTTP reverts to normal mode and no longer automatically jumps to HTTPS. Each time the browser receives the strict-transport-Security header, it updates the expiration date for this site, so the site can refresh this information to prevent expiration from happening. In browsers such as Chrome and Firefox, when you attempt to access content in this domain name, a 307 Internal Redirect is generated, which automatically redirects you to HTTPS requests.
grammar
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preloadCopy the code
Cross-domain Resource Sharing (CORS)
CORS is an HTTP access control feature. Most of the content below is specific to XMLHttpRequest, and some does not apply to Fetch. When a resource requests a resource from a different domain or port than the server on which the resource itself resides, the resource makes a cross-domain HTTP request. For example, an HTML page at http://domain-a.com requests http://domain-b.com/image.jpg through the SRC of img. Many pages on the web load CSS stylesheets, images, scripts and other resources from different domains. For security reasons, browsers restrict cross-source HTTP requests made from within a script or return results to be blocked by browsers. For example, the XMLHttpRequest and Fetch apis follow the same origin policy. This means that Web applications using these apis can only request HTTP resources from the same domain that loaded the application, unless CORS headers are used. PS: Cross-domain is not necessarily restricted by the browser, it may be that cross-site requests can be initiated normally, but the return result is blocked by the browser. The best example of this is the CSRF cross-site attack principle, where requests are sent to back-end servers regardless of whether they are cross-domain! Note: Some browsers do not allow cross-domain access to HTTP from HTTPS domains, such as Chrome and Firefox, and these browsers are a special case where they intercept requests before they are sent. The cross-domain resource sharing (CORS) mechanism allows Web application servers to control cross-domain access and secure cross-domain data transfer. Browsers support the use of CORS in API containers, such as XMLHttpRequest or Fetch, to reduce the risk associated with cross-domain HTTP requests.
Classification of CORS
Cross-domain resource sharing standards have added a new set of HTTP header fields that allow servers to declare which source sites have access to which resources. In addition, the specification requires that HTTP request methods (especially HTTP requests other than GET, or POST requests paired with certain MIME types) that may have adverse effects on server data, The browser must first issue a preflight request using the OPTIONS method to know whether the server will allow the cross-domain request. The actual HTTP request is made only after the server confirms that it is allowed. In the return of the precheck request, the server side can also inform the client whether it needs to carry identity credentials (including Cookies and HTTP authentication related data).
A simple request
For simple requests, the browser issues CORS requests directly. Specifically, add an Origin field to the header information. If Origin does not specify a licensed source, the server will return a normal HTTP response. The browser realizes that the response header does not contain the Access-Control-Allow-Origin field (more on that below), and it throws an error that is caught by XMLHttpRequest’s onError callback. Note that this error cannot be identified by the status code, because the status code for the HTTP response might be 200. If Origin specifies a domain name within the license, the server returns a response with several additional header fields. Correlation request header
Origin: http://api.bob.comCopy the code
PS: In the header above, the Origin field indicates the source (protocol + domain name + port) from which the request is sent. Based on this value, the server decides whether to approve the request or not. Correlation response header
Access-Control-Allow-Origin: http://api.bob.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: FooBarCopy the code
PS: (1) access-Control-allow-origin This field is mandatory. Its value is either the value of the Origin field at the time of the request, or an *, indicating acceptance of requests for any domain name. (2) Access-control-allow-credentials This field is optional. Its value is a Boolean value indicating whether cookies are allowed to be sent. By default, cookies are not included in CORS requests. If set to true, the server explicitly approves that cookies can be included in the request and sent to the server. This value can only be set to true if the server does not want the browser to send cookies. (3) Access-Control-expose-headers This field is optional. In CORS requests, the getResponseHeader() method of the XMLHttpRequest object takes only six basic fields: Cache-control, Content-language, Content-Type, Expires, Last-Modified, Pragma. If you want to get other fields, you must specify access-Control-expose-headers. The above example specifies that getResponseHeader(‘ FooBar ‘) can return the value of the FooBar field.
Non-simple request
Unlike the simple request described above, “Requests to Precheck” requires that a precheck request must first be sent to the server using the OPTIONS method to know whether the server will allow the actual request. The use of precheck requests prevents cross-domain requests from having unexpected impacts on the server’s user data. Precheck request The browser first asks the server whether the domain name of the current web page is on the server’s license list and which HTTP verb and header fields are available. The browser issues a formal XMLHttpRequest request only if it receives a positive response; otherwise, an error is reported. Correlation request header
Origin: http://api.bob.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-HeaderCopy the code
PS: (1) Origin indicates the request source. Access-control-request-method This field is required to list HTTP methods used by the browser for CORS requests, such as PUT. Access-control-request-headers The access-Control-request-headers field is a comma-separated string that specifies the additional Header field to be sent by the browser for CORS requests. X-custom-header is used in this example. After receiving the pre-check Request, the relevant response header server checks the Origin, Access-Control-request-Method, and access-Control-request-headers fields to confirm that cross-source requests are allowed, and then responds.
Access-Control-Allow-Origin: http://api.bob.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 1728000Copy the code
PS: (1) access-Control-allow-methods This field is required, and its value is a comma-separated string indicating all Methods supported by the server for cross-domain requests. Notice that all supported methods are returned, not just the one requested by the browser. This is to avoid multiple “pre-check” requests. (2) Access-Control-allow-headers is required if the browser Request includes the access-Control-request-headers field. It is also a comma-separated string that indicates all header information fields supported by the server, not just those requested by the browser in precheck. (3) Access-Control-allow-credentials This field has the same meaning as those in simple requests. (4) Access-Control-max-age Specifies the validity period of the precheck request, in seconds. In the result above, the validity period is 20 days (1728000 seconds), which allows the response to be cached for 1728000 seconds (20 days), during which time another precheck request is not issued. Normal request Precheck After a successful request, a normal request can be made. The corresponding request headers and response headers are similar to those of simple requests.
Summary of relevant request headers and response headers
Origin Syntax: Origin: Indicates the source of the precheck request or actual request. Access-control-request-method Syntax: access-control-request-method Function: Prechecks requests. It tells the server the HTTP method used for the actual request. Access-control-request-headers Syntax: access-Control-request-headers: [,] Purpose: Pre-check the Request. This tells the server the header field carried by the actual request. Response header Access – Control – Allow – Origin syntax: Access – Control – Allow – Origin: Origin | ` role: allows Access to the resources of outland URI. Access-control-expose-headers syntax: access-control-expose-headers X-my-custom Header, x-another Custom Header In cross-domain access, the getResponseHeader() method of the XMLHttpRequest object takes only the most basic response headers, Cache-control, Content-language, Content-Type, Expires, last-Modified, Pragma. To access other headers, the server needs to set this response header. Access-control-max-age: access-control-max-age: Delta-seconds effect: The access-Control-max-age header specifies how long the results of the preflight request can be cached. See the Preflight example mentioned earlier in this article. Access-control-allow-credentials syntax: access-control-allow-credentials: True Specifies whether the browser is allowed to read the response when the credentials are set to true. Access-control-allow-methods syntax: access-control-allow-methods: method[, method] used to pre-check the response to a request. This specifies the HTTP methods allowed for the actual request. Access-control-allow-headers Syntax: access-control-allow-headers: field-name [, field-name] ‘ This specifies the header field that is allowed in the actual request.
X – Frame – Options response headers
The X-frame-options HTTP response header is a flag used to indicate to the browser whether to allow a page to be displayed in Frame (deprecated), iframe, or Object. Sites can use this feature to ensure that their content is not embedded in someone else’s site, and thus avoid clickjacking attacks.
Use X – Frame – the Options
X-frame-options has three values: DENY Indicates that the page is not allowed to be displayed in the Frame, even if the page is nested in the same domain name. SAMEORIGIN says the page can be displayed in a frame within the same domain name page. Allow-from URI indicates that the page can be displayed in the frame of the specified source. PS: If set to DENY, it will not load not only when frame is embedded on other websites, but also in the same domain page. On the other hand, if set to SAMEORIGIN, pages can be nested within the frame of the same domain page.
Server Configuration
Configure the Apache
To configure Apache to send the x-frame-options response Header on all pages, add the following line to the ‘site’ configuration: Header always append x-frame-options SAMEORIGIN
Configure nginx
Configure nginx to send the x-frame-options response header. Add the following line to the configuration for ‘HTTP’, ‘server’, or ‘location’ : add_header x-frame-options SAMEORIGIN;
Configure IIS
Configure IIS to send the X-frame-options response header and add the following configuration to the web. config file:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>Copy the code
PS: Note that the frame-rooted directive in the CSP Level 2 specification replaces this non-standard header. The FRAMe-rooted CSP will be supported in Gecko 4.0, but not in all browsers. However, X-frame-options is a widely supported unofficial standard that can be used in conjunction with CSP. In addition to server configuration to prevent your web pages from being embedded in iframe form, you can also use JS processing.
Sub-resource integrity (SRI)
Subresource Integrity is a security feature that allows a browser to check whether the resources it obtains (for example, from a CDN) have been tampered with. It determines whether the resource has been tampered with by verifying that the hash value of the obtained file is the same as the hash value you provided. Sub-resource integrity (SRI) is a security feature that allows the browser to verify that a file retrieved (for example, from a CDN content distribution network) was delivered without incident. It works by allowing you to provide an encrypted hash that the retrieval file must match.
How SRI works
Sharing files such as scripts and stylesheets across multiple sites using a Content delivery network (CDN) can improve site performance and save bandwidth. However, using a CDN also carries the risk that if an attacker gains control of the CDN, it can inject arbitrary malicious content into files on the CDN (or replace files entirely), and thus potentially attack all sites that obtain files from the CDN. Sub-resource integrity reduces the risk of this attack by ensuring that the files obtained by a Web application have not been injected or otherwise modified by a third party.
How to use SRI
Subresource integrity is enabled by writing the base64 encoded file hash value to the Integrigy attribute value of the \ or \ tag that you reference. PS: Integrity values are divided into two parts. The first part specifies the hash generating algorithm (currently sha256, SHA384 and SHA512 are supported), and the second part is the actual hash encoded in Base64, separated by a short bar (-). The integrity value can contain multiple space-separated hashes, and as long as the file matches any one of the hashes, the resource can be verified and loaded.
Content Security Policies (CSP) and sub-resource integrity (SRI) are used together
You can configure your server to comply with SRI for specified types of files based on content security policies. This is done by adding the require-SRI-for directive to the CSP header:
// This directive specifies that all JavaScript must have an integrity property and be verified before it can be loaded. Content-Security-Policy: require-sri-for script; // You can also specify that all stylesheets should also pass SRI validation: content-security-policy: require-Sri-for style;Copy the code
You can also add validation to both.
Tools for generating SRI hashes
Openssl at the command line
You can use Openssl to generate an SRI hash by executing the following command from the command line: The cat FILENAME. Js | openssl DGST sha384 – binary | openssl enc – on-line base64 – A generation SRI hash value of the tool The following zhihu a js file, for example
/ / / / original js file address https://unpkg.zhimg.com/[email protected]/dist/zap.js generated script tag < script SRC = "https://unpkg.zhimg.com/[email protected]/dist/zap.js" integrity="sha384-B4YDh2AljLezOmNwiezobW8FJbJQfyZxm1SksT7THfKULK6SVxN+dRNSvLxEmXtA" crossorigin="anonymous"></script>Copy the code
Shasum is on the command line
shasum -b -a 384 FILENAME.js | xxd -r -p | base64
Is the user password the cause of the leak?
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and tampering (integrity) over the network. Websites that handle user data should use the HTTPS protocol to protect their users from hackers. If a site uses HTTP instead of HTTPS, stealing user information, such as their login credentials, would be easy. This has been nicely demonstrated by Firesheep. Here’s a list of the security issues involved:
- Run the login form over HTTP. Even if the action object of the form is an HTTPS link, the user’s login form information is at risk because an attacker can modify the page received by the user (for example, an attacker could insert a keylog script to steal the password entered by the user). They can also change the form destination page to send sensitive information to servers under their control.
- Use the HTTP link in the action link of the form. In this case, any information entered by the user will be transmitted over the network in clear text. That way, from the time it leaves the user’s computer to the time it arrives at the server, the user’s password will be clearly visible to anyone sniffing around the user’s network.
- Submit the login form in the web iframe (or an HTTPS frame embedded in an HTTP Frame). Even if the uppermost page is HTTPS, there is no difference between including a password field in an HTTP IFrame and including a password field in an HTTP page. An attacker could also modify the page and steal user information.
- Sometimes web pages require usernames and passwords but don’t actually store sensitive information. For example, a news page might store an article that a user wants to read again without storing any other information about the user. The web developer of this news site may not be motivated to improve the security of his site and protect the information of his users. Unfortunately, password reuse is also a big problem. Users may use the same password for different sites (news pages, social networks, email addresses and their banks). So even if using a username and password to access your website is not a big problem for you, it can be a big threat for users who repeatedly use the same username and password to access their bank accounts. Cyber attackers are getting smarter. They steal usernames and passwords from one site and then use them on another site where they might make money.
Weak signature algorithm
When signing digital certificates, the integrity of hashing algorithm is the key factor to determine the security of certificates. Weaknesses in the hashing algorithm may result in an attacker being able to obtain forged certificates under certain circumstances. Such attacks have become much more feasible thanks to technological advances and known new types of attacks. Therefore, using older algorithms is not recommended, and support for older algorithms will eventually cease.
MD5
Support for MD5-based signatures was discontinued in early 2012.
SHA-1
Sha-1 based signatures are very common; As of May 2015, approximately 45% of digital certificates use this algorithm. However, SHA-1 is outdated and is no longer recommended. Sha-1 certificates will no longer be considered secure by major browser vendors starting in 2017.
Sha-2 (Recommended)
Sha-2 is a family of hash algorithms, including SHA-256 and SHA-512. As of 2015, the SHA-2 family was considered safe and powerful enough. Many certificate authorities issue new certificates using SHA-256.
Reference Documents: X-frame-options PUBLIC SUFFIX LIST CORS X-frame-options SRI Hash Generator HTTPS Let’s Encrypt, Free HTTPS certificate