What's the point of the X-Frame-Options header?


Problem description

I work on an application where users can embed their website within surrounding content by loading it in an iframe. This obviously relies on X-Frame-Options not being set on the user's website to work. I was asked by a client to create a reverse proxy because they didn't want to remove the X-Frame-Options header from their site for security concerns.

I set up the proxy and everything works, but what's the point of the X-Frame-Options header if it's as simple as creating a proxy to circumvent it?

I understand the header exists to prevent clickjacking, but if anyone can just make a proxy to work around it... does it really increase security?

I don't come from the enterprise dev world; can you help me understand the reasoning behind why the IT department would be resistant to removing the header?

I noticed google.com and facebook.com also set the header, so it can't be completely pointless, can it?

Thanks

Recommended answer

Any site served over http can have its content altered, by using a proxy for example. So yes, this is fairly pointless on http sites since it's so easily defeated.

Serving a site over https prevents this unless you have a proxy server which also intercepts https traffic. This is only possible by the proxy acting as a man-in-the-middle (MITM), so it decrypts the traffic at the proxy and then re-encrypts the traffic to send on to the server, and the same on the way back. For this to work the proxy server either needs to know the server's private key or, more likely, replaces the cert presented to its client with its own copy.

While MITM is usually associated with attacks, there are some legitimate scenarios (though many argue even these are not legitimate and https should be secure!):

  1. Anti-virus software can do this to scan requests to protect your computer. If you run Avast for example and have SSL scanning turned on (I think it's on by default) and go to https://www.google.com and look at the cert, you will notice it's been issued by Avast instead of by Google as usual. To do this requires the antivirus software to have installed an issuer certificate on your PC from which it can issue these replacement certs, which your browser will still accept as real certs. Installing this issuer cert requires Admin access, which you temporarily give when installing the anti-virus software.

  2. Corporate proxies do a similar process to allow them to monitor https traffic from their employees. Again it requires an issuer installed on the PC using admin rights.

So basically it's only possible to use a proxy like you suggest for https traffic if you already have, or have had in the past, Admin rights on the PC, in which case all bets are off anyway.

The only other way to do this is to keep traffic on http using a proxy. For example, if you request www.google.com then this normally redirects to https://www.google.com, but your proxy can intercept that redirect request and instead keep the client->proxy connection on https, allowing the proxy to amend the request to strip out headers. This depends on the users not typing https and not noticing there is no green padlock, and can be defeated with technologies like HSTS (which is automatically preloaded in some browsers for some sites like google.com). So it's not a really reliable way to intercept traffic.
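To see concretely what the header does (and does not) buy you, here is an added example, not code from the question or the answer, that evaluates a response's framing policy the way a browser does: a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`, and a missing header means framing is allowed. The obsolete `ALLOW-FROM` form and wildcard hosts are not handled, and the origins and header sets used are constructed for the demonstration.

```python
# Added example: decide whether a browser would render page_url inside a frame
# hosted on embedder_url, given page_url's response headers.
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased, as browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]]
    return None


def can_frame(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would allow page_url to be framed by embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    page, embedder = _origin(page_url), _origin(embedder_url)

    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # CSP is authoritative; X-Frame-Options is ignored when frame-ancestors is set.
        for src in ancestors:
            if src == "none":
                return False
            if src == "*" or src == embedder or (src == "self" and embedder == page):
                return True
        return False  # directive present but no source matched (includes an empty list)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # no recognised policy header: framing is permitted


# Constructed sample: the client's real site sends DENY; the reverse-proxied copy
# from the question has had the header stripped, so the proxied copy can be framed.
ORIGINAL_SITE = {"X-Frame-Options": "DENY"}
PROXIED_COPY = {}

if __name__ == "__main__":
    print(can_frame(ORIGINAL_SITE, "https://client.example/", "https://embed.example/"))  # False
    print(can_frame(PROXIED_COPY, "https://proxy.example/client/", "https://embed.example/"))  # True
```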
