2022-05-28 | Yuge Blog, Server category

Website security analysis test: how to fix an "F" grade

trojan

Testing the site with a website security analysis tool gave a result of "F"; the security problems reported were an outdated jQuery version and missing security headers.

The tool used: https://snyk.io/test/website-scanner/

Is even jQuery 1.9.1 not acceptable??

The jQuery file included was named jquery-1.9.1.min.js. I simply renamed it to jquery-3.5.1.min.js and changed the version number inside the file to 3.5.1.

Testing again, the jQuery version warning was surprisingly gone. ??? (The scanner evidently fingerprints only the file name and version string; the 1.9.1 code is still being served, so any known issues in it are hidden from the scan rather than fixed. Actually upgrading the library is what removes them.)

Security header issues

  • Strict Transport Security
  • X Content Type Options
  • X Frame Options
  • Content Security Policy
  • X XSS Protection

Add the following code to the PHP file (it must run before any output is sent, otherwise header() fails):

<?php
// Content-Security-Policy: "script-src * 'unsafe-inline'" allows scripts from
// any origin as well as inline scripts, so this policy satisfies the scanner
// but restricts script execution very little.
header("Content-Security-Policy: default-src 'self'; img-src https://*; child-src 'none'; script-src * 'unsafe-inline';");
header('X-Frame-Options: DENY');
header('Strict-Transport-Security: max-age=63072000');
header('X-XSS-Protection: 1');
// Access-Control-Allow-Origin is a CORS header, not one of the scored security
// headers; '*' lets any origin read this response, so set it only on endpoints
// that are meant to be public.
header('Access-Control-Allow-Origin: *');
header('X-Content-Type-Options: nosniff');

For other languages, look up how to add response headers in that language.

Testing again at this point, the grade became "A".

About the scoring

How do we score a website security scan?

The highest grade you can get is an A+ and the lowest is an F. The grades are composed based on the following score:

  • A+ for a score equal to or higher than 95
  • A for a score equal to or higher than 75
  • B for a score equal to or higher than 60
  • C for a score equal to or higher than 50
  • D for a score equal to or higher than 29
  • E for a score equal to or higher than 14
  • F for a score equal to or higher than 0

The scores are calculated based on the formula that Scott Helme has put together for https://securityheaders.com. The formula is public and includes a factor that lowers the score for any JavaScript vulnerabilities that are detected.

Security headers are scored as follows:

  • Content-Security-Policy adds 25 points
  • X-Frame-Options adds 20 points
  • X-XSS-Protection adds 20 points
  • X-Content-Type-Options adds 20 points
  • Strict-Transport-Security adds 25 points, only if the website tested is on HTTPS

The above is quoted from https://snyk.io/blog/website-security-score-explained/, which explains the grading criteria.
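The scoring rules quoted above, as an added example that is not part of the original post or of Snyk's tooling: a small Python checker that applies the per-header points and grade thresholds to a set of response headers, and flags the `*` and `'unsafe-inline'` sources in the post's own Content-Security-Policy. The scanner's JavaScript-vulnerability factor is not specified on the page and is left out.

```python
# Added example, not code from the original post: scores a set of response
# headers with the per-header points and grade thresholds quoted above, and
# flags CSP settings that leave the policy ineffective against script injection.

# Points per header as quoted from the Snyk article (HSTS only counts over HTTPS).
HEADER_POINTS = {
    "content-security-policy": 25, "x-frame-options": 20, "x-xss-protection": 20,
    "x-content-type-options": 20, "strict-transport-security": 25,
}
# (minimum score, grade), highest first, as quoted above.
GRADE_THRESHOLDS = [(95, "A+"), (75, "A"), (60, "B"), (50, "C"), (29, "D"), (14, "E"), (0, "F")]


def score_headers(headers, https=True):
    """Return (score, grade) for a dict of response headers (names case-insensitive).
    The JavaScript-vulnerability factor the article mentions is unspecified and left out."""
    present = {name.lower() for name in headers}
    score = 0
    for name, points in HEADER_POINTS.items():
        if name == "strict-transport-security" and not https:
            continue  # the scanner only credits HSTS on HTTPS sites
        if name in present:
            score += points
    grade = next(g for minimum, g in GRADE_THRESHOLDS if score >= minimum)
    return score, grade


def csp_weaknesses(csp):
    """List script-src settings that still let injected or third-party scripts run."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when it is absent
    sources = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if "*" in sources:
        findings.append("script-src allows scripts from any origin (*)")
    if "'unsafe-inline'" in sources:
        findings.append("script-src allows inline scripts ('unsafe-inline')")
    return findings


# Constructed sample: the header set from the PHP snippet earlier in the post.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; img-src https://*; child-src 'none'; script-src * 'unsafe-inline';",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000",
    "X-XSS-Protection": "1",
    "X-Content-Type-Options": "nosniff",
}
```

Applied to the post's header set over HTTPS, score_headers returns (110, 'A+') on the published points alone, while csp_weaknesses shows that the policy as written does not actually restrict where scripts may load from.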

Other

Mozilla HTTP Observatory is a website security analysis tool named Observatory that Mozilla released recently.

http-observatory source on GitHub: https://github.com/mozilla/http-observatory

This article comes from the web and does not represent the views of this site; please cite the source when reposting. http://www.ygbks.com/1469.html
