Absence of Anti-CSRF Tokens & Server Leaks Information via "X-Powered-By": How do I set it?

I am currently using the Apache server from the WAMP package for my project. When I ran a security scan, the report showed 2 errors:

  1. Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
  2. Absence of Anti-CSRF Tokens

What do I need to do to fix these issues? Thanks.

Here is a helper you can use to implement a CSRF token: https://code-boxx.com/simple-csrf-token-php/

You can read more here about what a CSRF token is and what it is used for: https://portswigger.net/web-security/csrf/tokens

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user's CSRF token, they cannot construct a request with all the parameters that are necessary for the application to honor the request.

To remove X-Powered-By, you can set expose_php = off in your php.ini file.
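For a concrete picture of both fixes, here is an added example (not code from the question, the answer or the linked article) of a minimal synchronizer-token CSRF check for a PHP form, with the X-Powered-By header removed in code as well. It assumes PHP 7.0 or later (for random_bytes and hash_equals) and that PHP sessions are in use; the form field and session key names are my own choices.

```php
<?php
// Added example, not from the original answer. Assumes PHP >= 7.0 and sessions.
declare(strict_types=1);

// expose_php=Off in php.ini stops PHP emitting X-Powered-By at all;
// header_remove() additionally drops it if some other layer re-added it.
header_remove('X-Powered-By');

session_start();

/** Return this session's CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded: unpredictable to an attacker.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session copy. */
function csrf_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;   // missing token, wrong type, or no session token yet
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... perform the state-changing action here ...
    echo 'Form accepted.';
    exit;
}

// Escape before embedding, even though the token is hex-only.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<!-- The hidden field carries the token back with every state-changing form -->
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <input type="text" name="comment">
    <button type="submit">Save</button>
</form>
```

After deploying, re-run the scan: the X-Powered-By alert should disappear once the header is gone from responses, and the CSRF alert should clear for forms that carry the hidden token.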