1. Server has the OPTIONS method enabled

Disable the OPTIONS method for the web service through web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false"/>
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

2. Clickjacking: fix using X-Frame-Options

Add the X-Frame-Options response header through web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

X-Frame-Options takes one of three values:
DENY: the page may not be displayed in a frame at all, not even when the embedding page is on the same domain.
SAMEORIGIN: the page may be displayed in a frame only by pages on the same domain.
ALLOW-FROM uri: the page may be displayed in a frame only by the specified origin.

3. Application error information disclosure (ignore in .NET environments)

Remove unused script handlers through web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="PageHandlerFactory-ISAPI-4.0_64bit" />
      <remove name="PageHandlerFactory-ISAPI-4.0_32bit" />
      <remove name="PageHandlerFactory-ISAPI-2.0-64" />
      <remove name="PageHandlerFactory-ISAPI-2.0" />
      <remove name="PageHandlerFactory-Integrated-4.0" />
      <remove name="PageHandlerFactory-Integrated" />
      <remove name="SimpleHandlerFactory-ISAPI-4.0_64bit" />
      <remove name="SimpleHandlerFactory-ISAPI-4.0_32bit" />
      <remove name="SimpleHandlerFactory-ISAPI-2.0-64" />
      <remove name="SimpleHandlerFactory-ISAPI-2.0" />
      <remove name="SimpleHandlerFactory-Integrated-4.0" />
      <remove name="SimpleHandlerFactory-Integrated" />
      <remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit" />
      <remove name="WebServiceHandlerFactory-ISAPI-2.0" />
      <remove name="WebServiceHandlerFactory-Integrated-4.0" />
      <remove name="WebServiceHandlerFactory-Integrated" />
      <remove name="WebServiceHandlerFactory-ISAPI-2.0-64" />
      <remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit" />
    </handlers>
  </system.webServer>
</configuration>

4. Cookie missing the Secure attribute

Set the HttpOnly attribute on cookies through web.config

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>
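An added example, not code from the original post: a small audit script that parses a web.config and checks the four items above. The two documents inside it are constructed samples. WEAK_CONFIG reproduces the section-4 fragment on its own, which enables HttpOnly but not Secure; HARDENED_CONFIG combines all four fixes and adds requireSSL="true" on <httpCookies>, the system.web attribute that makes ASP.NET emit the Secure flag. Function names (audit_web_config, failed_checks, options_denied, frame_options) are this example's own.

```python
"""Audit an IIS web.config for the hardening items in this post.

Added example, not from the original post. WEAK_CONFIG and HARDENED_CONFIG
are constructed samples; requireSSL="true" is the real system.web/httpCookies
attribute that adds the Secure flag (httpOnlyCookies alone does not).
"""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

VALID_XFO = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def _is_true(elem, attr, default="false"):
    """Read a boolean XML attribute case-insensitively, as IIS does."""
    if elem is None:
        return default == "true"
    return elem.get(attr, default).lower() == "true"


def options_denied(root):
    """True if request filtering rejects the OPTIONS verb."""
    verbs = root.find("./system.webServer/security/requestFiltering/verbs")
    if verbs is None:
        return False  # no verb filtering configured at all
    allow_unlisted = _is_true(verbs, "allowUnlisted", default="true")
    listed = {v.get("verb", "").upper(): _is_true(v, "allowed", default="true")
              for v in verbs.findall("add")}
    # Denied if listed with allowed="false", or unlisted while unlisted verbs are denied.
    return not listed.get("OPTIONS", allow_unlisted)


def frame_options(root):
    """Return the X-Frame-Options value set in customHeaders, or None."""
    for hdr in root.iterfind("./system.webServer/httpProtocol/customHeaders/add"):
        if hdr.get("name", "").lower() == "x-frame-options":
            return hdr.get("value", "")
    return None


def _valid_xfo(value):
    # "" splits to [""] so an empty value is rejected without an IndexError.
    return value is not None and value.strip().upper().split(" ")[0] in VALID_XFO


def audit_web_config(xml_text):
    """Return a dict of check name -> pass/fail for the items in this post."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    cookies = root.find("./system.web/httpCookies")
    removed = {r.get("name", "").lower()
               for r in root.iterfind("./system.webServer/httpProtocol/customHeaders/remove")}
    return {
        "options_denied": options_denied(root),
        "x_frame_options_set": _valid_xfo(frame_options(root)),
        "x_powered_by_removed": "x-powered-by" in removed,
        "cookie_httponly": _is_true(cookies, "httpOnlyCookies"),
        "cookie_secure": _is_true(cookies, "requireSSL"),
    }


def failed_checks(xml_text):
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, ok in audit_web_config(xml_text).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "failed:", failed_checks(cfg) or "none")
```

Running it reports four failures for the weak configuration (OPTIONS still allowed, no X-Frame-Options, X-Powered-By still sent, cookies not Secure) and none for the hardened one. The check reads the file only; confirming the live server honours it still requires looking at the actual response headers and Set-Cookie flags.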

Tags: X-Frame-Options, options, cookie, secure, application error information disclosure
