# Security Headers: HTTP Protection for Websites

Security headers protect your website against attacks. Learn the most important headers and how to configure them.
## The Most Important Security Headers

| Header | Protects against |
|---|---|
| Strict-Transport-Security | Man-in-the-middle, protocol downgrade |
| Content-Security-Policy | XSS, injection |
| X-Frame-Options | Clickjacking |
| X-Content-Type-Options | MIME sniffing |
| Referrer-Policy | Information leakage |
| Permissions-Policy | Feature abuse |
## Nginx Configuration

```nginx
# /etc/nginx/conf.d/security-headers.conf

# Enforce HTTPS (1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# XSS filter (deprecated, but does no harm)
add_header X-XSS-Protection "1; mode=block" always;

# Prevent MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;

# Restrict the referrer
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Control access to browser features
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

# Content Security Policy (adjust to your site!)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" always;
```
## Apache Configuration

```apache
# .htaccess or VirtualHost
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
Header always set Content-Security-Policy "default-src 'self'"
```
## HSTS (Strict-Transport-Security)

```http
# The browser remembers: this site is only reachable via HTTPS!

# Standard
Strict-Transport-Security: max-age=31536000

# With subdomains
Strict-Transport-Security: max-age=31536000; includeSubDomains

# For the preload list (Chrome, Firefox, etc.)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# ⚠️ Caution:
# - Test first with max-age=300
# - If something breaks: there is no easy way back!
# - preload only if the site is genuinely HTTPS-only
```
## Content-Security-Policy (CSP)

```http
# Basic structure
Content-Security-Policy: directive source source; directive source;

# Directives:
default-src      # Fallback for all other fetch directives
script-src       # JavaScript
style-src        # CSS
img-src          # Images
font-src         # Fonts
connect-src      # AJAX, WebSocket
frame-src        # iframes
media-src        # Audio, video
object-src       # Plugins (Flash)
base-uri         # <base> tag
form-action      # Form targets

# Sources:
'none'           # Nothing allowed
'self'           # Same origin
'unsafe-inline'  # Inline scripts/styles (avoid!)
'unsafe-eval'    # eval() (avoid!)
https:           # HTTPS only
data:            # data: URIs
*.example.com    # Wildcard domain

# Example: secure CSP
Content-Security-Policy: default-src 'none'; script-src 'self' https://cdn.example.com; style-src 'self'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' https://api.example.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self';

# Report-Only (for testing)
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report
```
## Referrer-Policy

```http
# Options (recommended value marked)
no-referrer                      # No referrer sent at all
no-referrer-when-downgrade       # No referrer on HTTPS→HTTP
origin                           # Origin only, no path: https://example.com
origin-when-cross-origin         # Full URL internally, origin only externally
same-origin                      # Referrer only for same-origin requests
strict-origin                    # Origin only, and nothing on downgrade
strict-origin-when-cross-origin  # ← Recommended! Full URL internally, origin externally, nothing on downgrade
unsafe-url                       # Always the full URL (not recommended)
```
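The table above describes each Referrer-Policy value in one line; the following Python script works through what a browser would actually put in the `Referer` header for every policy, given a source and destination URL. It is an added example, not part of the original page or of any Enjyn tool, and it is a simplified model of the specification: it handles the same-origin, cross-origin and HTTPS→HTTP downgrade cases, strips the fragment before sending a full URL, and serialises an origin-only referrer with a trailing slash, but it ignores edge cases such as credentials in URLs or `blob:`/`data:` origins. All URLs in it are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# All eight values of the Referrer-Policy header
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url):
    """scheme://host[:port] of a URL, without path or query."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return f"{p.scheme}://{netloc}"


def full_referrer(url):
    """The 'full URL' form: browsers drop the fragment (and userinfo) before sending it."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referrer_for(policy, source, destination):
    """Return the Referer value sent for a request from `source` to `destination`,
    or None if no referrer is sent under the given policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy value: {policy}")
    same_origin = origin_of(source) == origin_of(destination)
    # "Downgrade" = leaving an HTTPS page for a plain-HTTP destination
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    origin_only = origin_of(source) + "/"  # origin-only referrers are serialised with a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_only
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(source)
        return None if downgrade else origin_only
    return full_referrer(source)  # unsafe-url: always the full URL


if __name__ == "__main__":
    # Constructed sample: a logged-in page with an ID in the query string
    source = "https://example.com/account?id=7#settings"
    destinations = {
        "same origin": "https://example.com/help",
        "cross origin (HTTPS)": "https://cdn.example.net/widget",
        "downgrade (HTTP)": "http://other.example/",
    }
    for policy in POLICIES:
        print(f"\n{policy}")
        for label, dest in destinations.items():
            print(f"  {label:22} -> {referrer_for(policy, source, dest)}")
```

Running the script makes the leakage visible: with `unsafe-url` the `?id=7` query string reaches the plain-HTTP third party, while with the recommended `strict-origin-when-cross-origin` the third party sees only `https://example.com/` and the HTTP destination sees nothing.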
## Permissions-Policy

```http
# Formerly: Feature-Policy

# Disable browser features
Permissions-Policy: geolocation=(), camera=(), microphone=()

# Only for your own origin
Permissions-Policy: geolocation=(self)

# For specific origins
Permissions-Policy: geolocation=(self "https://maps.example.com")

# All features:
# accelerometer, ambient-light-sensor, autoplay, camera, encrypted-media,
# fullscreen, geolocation, gyroscope, magnetometer, microphone, midi,
# payment, picture-in-picture, usb, xr-spatial-tracking
```
## Testing

```bash
# Online tools
# - securityheaders.com
# - observatory.mozilla.org

# curl
curl -I https://example.com

# Browser DevTools
# Network tab → Response Headers
```
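`curl -I` only shows the raw headers; judging them still has to be done by hand. The Python script below is an added example (not part of the page and not the Enjyn Domain Toolkit) that parses a pasted `curl -I` response and audits it against the recommendations in this article: HSTS present with a max-age of at least one year and `includeSubDomains` when `preload` is set, a clickjacking defence via `X-Frame-Options` or `frame-ancestors`, `nosniff`, a strict Referrer-Policy, a Permissions-Policy, and a CSP whose script sources contain neither `'unsafe-inline'`/`'unsafe-eval'` nor the overly broad `*` or `https:`, plus a `base-uri` directive as in the "secure CSP" example above. The sample response is constructed, not captured from a real server.

```python
# Constructed sample: roughly what `curl -I` returns for a site that has started
# rolling out headers but has not finished (not real output from any host).
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'
"""

ONE_YEAR = 31536000  # seconds, the max-age used throughout this article
STRICT_REFERRER = ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")


def parse_headers(raw):
    """Parse the header block of an HTTP response into a dict keyed by lowercase name.
    The status line is skipped; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(policy):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed value counts as absent
        elif directive == "includesubdomains":
            subdomains = True
        elif directive == "preload":
            preload = True
    return max_age, subdomains, preload


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, subdomains, preload = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year ({ONE_YEAR})")
        if preload and not subdomains:
            findings.append("HSTS preload requires includeSubDomains")

    csp_value = headers.get("content-security-policy")
    directives = parse_csp(csp_value) if csp_value else {}
    if csp_value is None:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when absent
        scripts = directives.get("script-src", directives.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:"):
            if risky in scripts:
                findings.append(f"CSP allows {risky} for scripts")
        if "base-uri" not in directives:
            findings.append("CSP has no base-uri directive")

    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    policy = headers.get("referrer-policy", "").lower()
    if policy not in STRICT_REFERRER:
        findings.append(f"Referrer-Policy weak or missing ({policy or 'none'})")
    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy missing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

On the constructed sample the script reports five findings (short HSTS max-age, `'unsafe-inline'` for scripts, no `base-uri`, no Referrer-Policy, no Permissions-Policy); on the "strict configuration" from the complete examples further down it reports none. In practice, feed it the output of `curl -I https://your-site` via a file or stdin.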
## Complete Examples

```nginx
# Minimal secure configuration (Nginx)
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Strict configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none';" always;
```
💡 Tip:
Check your security headers regularly with the Enjyn Domain Toolkit.