【Posted】: 2018-03-13 14:58:33
【Question】:
I wrote a .htaccess file to address some security issues on a website I have been working on.
Things like:
- HSTS
- Frame options
- Sniff options
- CSP
The problem I am running into is that the file seems to apply to:
- HTML
- CSS
- JS
but not to PHP files.
When serving PHP files, do you have to use header() explicitly?
In case I am being dense, I have included the file.
#############################
## ERROR MESSAGES REDIRECT ##
#############################
ErrorDocument 404 /404.php
#############################
## ERROR MESSAGES REDIRECT ##
#############################
############################
# DISABLE SERVER SIGNATURE #
############################
# Only hides the version footer on server-generated error pages; the Server
# response header itself is controlled by ServerTokens in the server config.
ServerSignature Off
############################
# DISABLE SERVER SIGNATURE #
############################
#################
## VARY HEADER ##
#################
<IfModule mod_headers.c>
Header always add TestHeader "It works."
######################################
## Set X headers for extra security ##
######################################
# 1. HTTP Strict Transport Security (HSTS) header
# 2. CSP - Only allow content from particular places
# 3. XSS Protection - Protect from XSS
# 4. X-Frame-Options SAMEORIGIN - Only allow frames within this domain
# 5. X-Content-Type-Options nosniff - Disable browser sniffing
# Note: a plain "Header set" (condition onsuccess) is applied to 2xx responses only.
# "Header always set" is needed for the 404 served by /404.php and for redirects.
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
# As posted, the closing double quote is missing at the end of the next line.
Header set Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com
Header set X-XSS-Protection "1; mode=block"
# "set" rather than "append": appending produces "SAMEORIGIN, SAMEORIGIN" when the
# header already exists, which is not a valid X-Frame-Options value.
Header always set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
######################################
## Set X headers for extra security ##
######################################
#####################
## Unset X headers ##
#####################
# Under mod_php the script's headers sit in the onsuccess table; when PHP runs as
# CGI/FastCGI they sit in the "always" table, so unset in both. Setting
# expose_php = Off in php.ini stops X-Powered-By being emitted at all.
Header unset X-Powered-By
Header always unset X-Powered-By
#####################
## Unset X headers ##
#####################
#####################
## Vary headers ##
#####################
<FilesMatch "\.(js|css|xml|gz|html|php|woff|woff2)$">
Header append Vary Accept-Encoding
# A wildcard lets any origin read these responses (without credentials). Scope it
# to the origins that need it, or leave it off html/php documents altogether.
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
#####################
## Vary headers ##
#####################
# Closes <IfModule mod_headers.c> opened above (missing in the pasted file).
</IfModule>
#####################
## EXPIRES CACHING ##
#####################
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
# Web fonts
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
#####################
## EXPIRES CACHING ##
#####################
#################
## COMPRESSION ##
#################
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE font/woff
AddOutputFilterByType DEFLATE font/woff2
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
</IfModule>
#################
## COMPRESSION ##
#################
I added TestHeader as a way to check.
To inspect the headers I have been using https://securityheaders.io/
The following is from an HTML file:
The following is from a PHP file:
As you can see, the extra headers are completely ignored.
Does PHP handle .htaccess files differently?
I am running PHP 7.
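Rather than reading the two securityheaders.io results off screenshots, the raw responses for the HTML page and the PHP page can be captured (for example with `curl -si`) and compared mechanically. The script below is an added example, not code from the question, from Apache or from PHP: it parses raw HTTP/1.1 response text, lists which of the expected security headers are missing, flags a leaked X-Powered-By, and notes when the status code means that only `Header always` directives could have applied. The two sample responses are constructed for the example, not captures from the asker's server.

```python
"""Audit and diff the security headers two HTTP responses actually carry.

Added example for the question above; not code from the original post, from
Apache or from PHP. Both sample responses at the bottom are constructed.
"""
from __future__ import annotations

# Header names the .htaccess in the question is meant to add (compared case-insensitively).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-xss-protection",
    "x-frame-options",
    "x-content-type-options",
)

# Headers that should be absent because they advertise the stack.
LEAK_HEADERS = ("x-powered-by",)


def parse_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Return (status_code, {lower-cased name: [values]}) from a raw response.

    Only the head is parsed. Repeated headers are kept as separate values so
    that an accidental 'X-Frame-Options: SAMEORIGIN, SAMEORIGIN' stays visible.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def audit(raw: str) -> dict:
    """Check one response against the expectations above."""
    status, headers = parse_response(raw)
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    leaked = [h for h in LEAK_HEADERS if h in headers]
    notes = []
    if not 200 <= status < 300:
        # mod_headers applies a plain "Header set" (condition onsuccess) to 2xx
        # responses only; "Header always ..." is what reaches error and redirect
        # responses, including an ErrorDocument rendered by a PHP script.
        notes.append(f"status {status}: only 'Header always' directives apply")
    if "*" in headers.get("access-control-allow-origin", []):
        notes.append("Access-Control-Allow-Origin: * on a document response")
    for name, values in headers.items():
        if len(values) > 1 and name in EXPECTED_HEADERS:
            notes.append(f"{name} sent {len(values)} times: {values}")
    return {"status": status, "missing": missing, "leaked": leaked, "notes": notes}


def diff_headers(raw_a: str, raw_b: str) -> dict[str, list[str]]:
    """Header names present in one response but not in the other."""
    _, a = parse_response(raw_a)
    _, b = parse_response(raw_b)
    return {"only_in_a": sorted(a.keys() - b.keys()),
            "only_in_b": sorted(b.keys() - a.keys())}


# Constructed samples: the static page carries the headers, the PHP page does not.
HTML_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=631138519; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' www.google-analytics.com\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "TestHeader: It works.\r\n"
    "Vary: Accept-Encoding\r\n"
    "\r\n"
    "<!doctype html>...\r\n"
)

PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: PHP/7.0.0\r\n"
    "Vary: Accept-Encoding\r\n"
    "\r\n"
    "<!doctype html>...\r\n"
)

if __name__ == "__main__":
    for label, raw in (("html", HTML_RESPONSE), ("php", PHP_RESPONSE)):
        print(label, audit(raw))
    print(diff_headers(HTML_RESPONSE, PHP_RESPONSE))
```

Feed it the output of `curl -si https://example.test/page.html` and `curl -si https://example.test/page.php` (hostname assumed) and the `only_in_a` list shows exactly which directives stopped applying; the status note is the first thing to check when the page under test is the 404 handler or a redirect.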
【Comments】:
- I assume you copied and pasted the .htaccess file into this question, meaning it is what you have on the server. You are missing a closing double quote on the line that starts with `Header set Content-Security-Policy "`
- "Does PHP handle .htaccess files differently?" .htaccess is processed by Apache before PHP. However, PHP can override any of these headers (although that seems unlikely). What is the handler for PHP - could these be handled by an external process?