How to implement content security policy?

Views: 125

Problem description

There are good articles explaining the options for CSP like this one: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Perhaps it's completely obvious because I can't find any good examples but how do you actually implement CSP in practice?

In PHP you can set the header on a page you serve, but what if you just have an HTML file? Do you have to do it through your webserver, apache or similar? That doesn't seem an easy approach.

What's the best practice here? Every individual page served should have the header manually set?

Thanks!

Recommended answer

That doesn't seem an easy approach.

Yeah, it's not. There are some clever shortcuts you can take, however.

how do you actually implement CSP in practice?

In PHP you can set the header on a page you serve, but what if you just have an HTML file? Do you have to do it through your webserver, apache or similar? That doesn't seem an easy approach.

I wrote a command line PHP script that took a JSON blob like code block A, assembled a string that looks like code block B and saved it to a separate file.

A:

{
    "script-src": [ "self",  "https://apis.google.com" ]
}

B:

add_header Content-Security-Policy "script-src 'self' https://apis.google.com";

Then I added a line to configure my nginx configuration for that virtualhost to include the generated CSP directive:

include /path/to/script/output.conf;

As a consequence of this system, if I wanted to make a change to the CSP headers, I only need to edit a JSON file.

And that's how I made CSP headers easy to manage. Your mileage may vary.

Here it is: CSP Builder.
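As an added example (not the answerer's PHP script and not the CSP Builder library), here is a small Python equivalent of the workflow described in the answer: it takes the JSON shape of code block A and emits the nginx add_header line of code block B, quoting CSP keyword and hash sources correctly and emitting no colon after the directive name (a colon there is not valid CSP syntax). It also produces the `<meta http-equiv="Content-Security-Policy">` form for the question's plain-HTML-file case, dropping the directives browsers ignore in meta delivery. The file names policy.json and csp.conf, the sample policy and the sha256 placeholder digest are assumptions of this example.

```python
"""Generate a Content-Security-Policy header value from a JSON policy.

Added example; not the answerer's PHP tool or the CSP Builder library.
Assumed input shape (as in code block A): {"directive": ["source", ...]}.
File names policy.json / csp.conf used in the usage line are placeholders.
"""
import json
import sys

# Keyword source expressions that must be single-quoted in a CSP value.
# Host sources such as https://apis.google.com are written unquoted.
QUOTED_KEYWORDS = {
    "self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
    "unsafe-hashes", "report-sample", "wasm-unsafe-eval",
}
# Nonce and hash sources are quoted too.
QUOTED_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Directives browsers ignore when the policy arrives in a <meta> element;
# they only take effect when delivered as an HTTP header.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}


def _check_token(token: str) -> None:
    """Reject characters that would break the header or the nginx quoting."""
    if any(c in token for c in ';"\n\r'):
        raise ValueError(f"invalid character in CSP token: {token!r}")


def quote_source(src: str) -> str:
    """Return a source in header syntax: keywords, nonces and hashes are
    wrapped in single quotes; host sources are passed through unchanged."""
    _check_token(src)
    if src.startswith("'") and src.endswith("'"):
        return src  # already quoted in the JSON
    if src in QUOTED_KEYWORDS or src.startswith(QUOTED_PREFIXES):
        return f"'{src}'"
    return src


def build_policy(policy: dict) -> str:
    """Assemble the header value from {directive: [sources]}.

    Directives are joined with "; " and sources with a space. A directive
    with an empty list (e.g. upgrade-insecure-requests) is emitted bare.
    """
    parts = []
    for directive, sources in policy.items():
        _check_token(directive)
        if isinstance(sources, str):
            sources = [sources]
        tokens = [quote_source(s) for s in sources]
        parts.append(" ".join([directive] + tokens))
    return "; ".join(parts)


def nginx_line(policy: dict) -> str:
    """One nginx add_header line, the shape of code block B."""
    return f'add_header Content-Security-Policy "{build_policy(policy)}";'


def meta_tag(policy: dict) -> str:
    """Equivalent <meta> element for a static HTML file. Directives that are
    only honoured in the HTTP header are dropped rather than silently kept."""
    kept = {d: s for d, s in policy.items() if d not in META_UNSUPPORTED}
    return (f'<meta http-equiv="Content-Security-Policy" '
            f'content="{build_policy(kept)}">')


# Constructed sample: code block A plus a few more directives. The sha256
# value is a placeholder, not the digest of any real inline script.
SAMPLE_POLICY = {
    "default-src": ["self"],
    "script-src": ["self", "https://apis.google.com", "sha256-PLACEHOLDER"],
    "frame-ancestors": ["none"],
    "upgrade-insecure-requests": [],
}

if __name__ == "__main__":
    # Usage: python csp_gen.py policy.json csp.conf   (placeholder file names)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
        with open(sys.argv[2], "w") as fh:
            fh.write(nginx_line(policy) + "\n")
    else:
        print(nginx_line(SAMPLE_POLICY))
        print(meta_tag(SAMPLE_POLICY))
```

With two arguments the script writes the include file the answer describes; with none it prints the nginx line and the meta tag for the constructed sample. One nginx detail worth remembering when placing the `include`: `add_header` directives in a `location` block replace, rather than extend, those inherited from the enclosing `server` block, so the generated line should be included at the same level as the site's other `add_header` lines.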
