| Ãë¾àÁ¡ID |
210182 |
| À§Çèµµ |
20 |
| Æ÷Æ® |
80, ... |
| ÇÁ·ÎÅäÄÝ |
TCP |
| ºÐ·ù |
CGI |
| »ó¼¼¼³¸í |
'ClickJacking' °ø°ÝÀ¸·ÎºÎÅÍ º¸È£Çϱâ À§ÇÑ X-Frame-Options Çì´õ°¡ HTTP ÀÀ´ä¿¡ Æ÷ÇÔµÇÁö ¾Ê½À´Ï´Ù.
´ëºÎºÐÀÇ ÃֽŠÀ¥ ºê¶ó¿ìÀú´Â X-Frame-Options HTTP Çì´õ¸¦ Áö¿øÇÕ´Ï´Ù. À¥ »çÀÌÆ®°¡ ¹Ýȯ ÇÑ ¸ðµç À¥ ÆäÀÌÁö¿¡ ¼³Á¤µÇ¾î ÀÖ´ÂÁö È®ÀÎÇϽʽÿÀ (¿¹¸¦ µé¾î, ÆäÀÌÁö°¡ ¼¹öÀÇ ÆäÀÌÁö¿¡ ÀÇÇؼ¸¸ ÇÁ·¹ÀÓ È µÉ °ÍÀ¸·Î ¿¹»óµÇ´Â °æ¿ì (¿¹ : FRAMESETÀÇ ÀϺÎ) SAMEORIGINÀ» »ç¿ëÇϽʽÿÀ. ALLOW-FROMÀ» »ç¿ëÇϸé ƯÁ¤ À¥ »çÀÌÆ®°¡ Áö¿øµÇ´Â À¥ ºê¶ó¿ìÀú¿¡¼ À¥ ÆäÀÌÁö¸¦ ±¸¼º ÇÒ ¼ö ÀÖ½À´Ï´Ù).
* Âü°í »çÀÌÆ®:
https://www.owasp.org/index.php/Security_Headers
* ¿µÇâÀ» ¹Þ´Â Ç÷§Æû:
Any operating system Any version |
| ÇØ°áÃ¥ |
* ApacheÀÇ httpd.conf ÆÄÀÏ¿¡ ´ÙÀ½°ú °°ÀÌ Á¤ÀÇÇÕ´Ï´Ù.
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' ; img-src 'self'; style-src 'self' 'unsafe-inline';connect-src http:; child-src 'unsafe-inline'"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1;mode=block"
Header set Cache-Control "no-store"
Header set Pragma "no-cache"
Header set X-Frame-Options SAMEORIGIN
</IfModule>
* WAS´Â ÇÊÅÍ µîÀ» ÀÌ¿ëÇÏ¿© response¿¡ ÇØ´ç Çì´õ¸¦ º¸³À´Ï´Ù.
response.setHeader("X-Frame-Options","SAMEORIGIN"); |
| °ü·Ã URL |
(CVE) |
| °ü·Ã URL |
(SecurityFocus) |
| °ü·Ã URL |
(ISS) |
|
