Are these methods enough to protect my host (PHP)?

Stack Overflow user
Asked on 2021-02-01 11:21:03
1 answer, 117 views, 0 followers, score 1

I want to make my host more secure (to prevent attacks, XSS and CSRF).

  • First defense (token)

```php
session_start();

// Regenerate both tokens once the current ones have expired
if (time() >= ($_SESSION['token']['expire'] ?? 0)) {
    $length = rand(31, 50);
    try {
        $_SESSION['token']['code']  = bin2hex(random_bytes($length));
        $_SESSION['token']['input'] = bin2hex(random_bytes($length));
    } catch (\Exception $e) {
        // Fallback when no secure randomness source is available
        $_SESSION['token']['code']  = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, $length);
        $_SESSION['token']['input'] = substr(base_convert(sha1(uniqid(mt_rand())), 16, 36), 0, $length);
    }
    $_SESSION['token']['expire'] = time() + 3600;
    die(JSON_TIME_OUT); // JSON_TIME_OUT: response constant defined elsewhere in the questioner's code
}
```
  • Second defense (check all queries)

```php
$value = trim(strip_tags(htmlspecialchars(stripslashes($_POST['query']))));
```
  • Third defense (only allow POST requests)

```php
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || sizeof($_GET)) {
    http_response_code(405);
    exit;
}
```
  • Fourth defense (for saving passwords in the DB)

```php
$pass = password_hash("password", PASSWORD_DEFAULT);
```

Is there anything else I missed?
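The question's "first defense" only issues tokens; a CSRF defense also has to embed the token in every form and verify it on every state-changing POST. The following is an added example, not code from the original question; the `csrf` session key, the function names and the 32-byte token length are this example's own choices, and it assumes PHP 7+ with sessions enabled.

```php
<?php
// Added example (not from the original question): full CSRF token
// lifecycle: issue, embed in a form, verify on POST. Names are assumptions.
session_start();

const CSRF_TTL = 3600; // seconds a token stays valid

// Return the session's current token, issuing a fresh one if missing/expired.
function csrf_token(): string
{
    $t = $_SESSION['csrf'] ?? null;
    if ($t === null || time() >= $t['expire']) {
        // random_bytes() is CSPRNG-backed; uniqid()/mt_rand() are
        // predictable, so no fallback to them is attempted here.
        $_SESSION['csrf'] = $t = [
            'value'  => bin2hex(random_bytes(32)),
            'expire' => time() + CSRF_TTL,
        ];
    }
    return $t['value'];
}

// Hidden form field; htmlspecialchars() is applied at output time.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token: it must exist, be unexpired, and match in
// constant time (hash_equals avoids timing side channels).
function csrf_check(array $post): bool
{
    $t = $_SESSION['csrf'] ?? null;
    $sent = $post['csrf'] ?? null;
    if ($t === null || !is_string($sent) || time() >= $t['expire']) {
        return false;
    }
    return hash_equals($t['value'], $sent);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid or expired CSRF token');
    }
    // ... handle the state-changing request here ...
}
echo '<form method="post">' . csrf_field() . '<button>Submit</button></form>';
```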

1 Answer

Stack Overflow user

Posted on 2021-02-01 12:17:28

You missed SQL injection.

You can use prepared statements to avoid SQL injection.

Here is an example:

```php
$conn = mysqli_connect("localhost", "username", "password", "database");

$username = "someone";
$comments = "something like ); SELECT * FROM table;"; # some kind of SQL injection
$current_date = date("h:i:s a d-m-Y");

// Placeholders keep the values out of the SQL text
$sql = "INSERT INTO comments (name, comments, date_publish) VALUES (?, ?, ?);";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
    echo "An error occurred!";
} else {
    // "sss": all three parameters are bound as strings
    mysqli_stmt_bind_param($stmt, "sss", $username, $comments, $current_date);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_get_result($stmt);
    echo "Done!";
}
```

Even though you included (php) in the title, I still want to share some security headers:

If you use Apache, add the following to Apache:

```apache
<IfModule headers_module>
Header always set Expires "-1"
Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header always set Pragma "no-cache"

<FilesMatch "\.(gif|jpe?g|png|webp|ico|mp4|mp3)$">
Header always unset Expires
Header always set Cache-Control "must-revalidate, max-age=3600"
Header always unset Pragma
</FilesMatch>
Header always set Content-Security-Policy "default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'; connect-src 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
#Header always set Referrer-Policy "no-referrer"
Header always set Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"
Header always set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
```

Here are the plain headers:

```http
set-cookie: __Secure-YOURSESSID=abcdefghijklmnopqrstuvwxyz123456789; path=/; secure; HttpOnly; SameSite=Lax
expires: -1
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
content-security-policy: default-src 'none'; img-src data: https: 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; style-src 'self'; base-uri 'none'; form-action 'self'; media-src https: 'self'; frame-src 'none'; child-src 'none'; connect-src 'self'
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=63072000; includeSubDomains; preload
permissions-policy: geolocation=();midi=();notifications=();push=();sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
x-permitted-cross-domain-policies: none
content-type: text/html; charset=UTF-8
```

You can change them according to your needs. The Content-Security-Policy header is the most important one. It may break your site, but it will help a lot.

Test your site's security with SSLLabs.

Here is the Apache configuration for the most secure SSLLabs score:

```apache
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1

#generate DH param using: openssl dhparam -out dhparam.pem 4096
SSLOpenSSLConfCmd DHParameters "/path/to/ssl/dh4096.pem"

SSLHonorCipherOrder On
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLUseStapling On
SSLStaplingCache "shmcb:ssl_stapling(32768)"
```
Score: 1
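The answer's prepared-statement point, as an added example that is not the answer's own code: the same INSERT done with PDO against an in-memory SQLite database so it runs offline, then read back to show that the answer's sample injection string is stored as plain data. It assumes the pdo_sqlite extension; the table layout and function names are this example's own.

```php
<?php
// Added example (not from the original answer): prepared statements with
// PDO + in-memory SQLite. Table and function names are assumptions.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY,
        name TEXT, comments TEXT, date_publish TEXT)');
    return $db;
}

// Placeholders carry values, never SQL text, so no manual quoting is needed.
function add_comment(PDO $db, string $name, string $text): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (name, comments, date_publish) VALUES (?, ?, ?)');
    $stmt->execute([$name, $text, date('h:i:s a d-m-Y')]);
    return (int) $db->lastInsertId();
}

// The same rule applies to WHERE clauses; a named placeholder is used here.
function find_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, comments FROM comments WHERE name = :n');
    $stmt->execute([':n' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_db();
$hostile = "something like ); SELECT * FROM table;"; // string from the answer
add_comment($db, 'someone', $hostile);
add_comment($db, "o'brien", 'embedded quotes need no escaping either');

// The hostile string round-trips unchanged: it was data, not SQL.
$rows = find_by_name($db, 'someone');
if (count($rows) !== 1 || $rows[0]['comments'] !== $hostile) {
    throw new RuntimeException('comment was not stored verbatim');
}
if (count(find_by_name($db, "o'brien")) !== 1) {
    throw new RuntimeException('lookup by a name containing a quote failed');
}
echo "Both comments stored and retrieved safely\n";
```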
Page content provided by Stack Overflow. Translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/65991811
