Security policies and CSP
1) Why are security policies needed?
Modern frontends and APIs depend on many origins (CDN, analytics, PSP, 3DS, chat widgets). Without strict policies, the risk of XSS, clickjacking, data leakage and session hijacking grows. A security policy narrows what the browser is allowed to do by switching it to an "only what is explicitly allowed" (allow-list) model.
2) Core pillars
CSP (Content Security Policy): a centralized "menu" of permitted JS/CSS/media sources and actions.
Trusted Types: protection against DOM XSS.
SRI (Subresource Integrity): integrity control for scripts and stylesheets.
COOP/COEP/CORP: strict isolation of browsing contexts and resources between origins.
Fetch Metadata (`Sec-Fetch-*`): a server-side mechanism for filtering cross-site requests.
CORS: the cross-origin access policy for the API.
Classic headers: HSTS, `X-Frame-Options`/`frame-ancestors`, `Referrer-Policy`, `Permissions-Policy`, SameSite cookies.
3) CSP: basics and principles
3.1 Directives (the main ones)
`default-src`: the fallback for the other fetch directives.
`script-src`: JS sources, nonce/hash, `'strict-dynamic'`, `'report-sample'`.
`style-src`: CSS sources; keep `'unsafe-inline'` to a minimum.
`img-src`, `font-src`, `media-src`, `object-src` (usually `'none'`).
`connect-src`: network requests (XHR/fetch/WebSocket).
`frame-src`/`child-src`: third-party frames (PSP, 3DS).
`frame-ancestors`: who may embed our page (anti-clickjacking).
`base-uri`: forbids substituting `<base>`.
`form-action`: where forms are allowed to submit.
`upgrade-insecure-requests`, `block-all-mixed-content`: countering mixed HTTP/HTTPS content.
`report-uri`/`report-to`: where to send violation reports.
3.2 Nonce and hash
Nonce approach: generate a fresh `nonce` for each HTTP response, put it on inline scripts (`<script nonce="...">`) and into `script-src 'nonce-...'`.
Hash approach: a fixed hash of the inline content. Convenient for static HTML, inconvenient for dynamic content.
`'strict-dynamic'`: trust only scripts loaded by an already "trusted" script (one with a nonce/hash). Removes the need to enumerate target domains for dynamically loaded scripts, but requires modern browsers.
3.3 Banning `unsafe-*`
Avoid `'unsafe-inline'` and `'unsafe-eval'`. If the framework requires eval (for example, source maps in dev), enable it only in dev.
For styles: `nonce` or `hash` wherever possible.
3.4 Example of a strict CSP (production-grade)
```http
Content-Security-Policy:
  default-src 'none';
  base-uri 'self';
  object-src 'none';
  script-src 'self' 'nonce-{RANDOM}' 'strict-dynamic' 'report-sample' https://www.googletagmanager.com;
  style-src 'self' 'nonce-{RANDOM}';
  img-src 'self' data: https://images.example-cdn.com;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://api.example.com wss://ws.example.com;
  frame-src https://3ds.psp.com https://pay.psp.com;
  frame-ancestors 'none';
  form-action 'self' https://pay.psp.com;
  upgrade-insecure-requests;
  report-to csp-endpoint
```
`'report-sample'` is a source expression inside `script-src`/`style-src`, not a standalone directive; and `report-to csp-endpoint` only takes effect when the same response declares that group in a `Reporting-Endpoints` header.
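To show how the nonce and hash approaches from 3.2 fit the header above, here is an added example (not code from the original page) that mints a per-response nonce, computes a CSP hash-source for inline content, and assembles the policy together with its `Reporting-Endpoints` declaration. The report URL and the inline snippet are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Constructed placeholder; the page names the group "csp-endpoint" but no URL.
REPORT_ENDPOINT = "https://reports.example.com/csp"


def new_nonce() -> str:
    """Fresh, unguessable nonce per HTTP response (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def csp_hash(inline_source: str) -> str:
    """CSP hash-source for inline content: 'sha256-<base64 digest>'.
    Hash the exact bytes between the tags, whitespace included.
    (SRI's integrity attribute uses the same digest encoding.)"""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def build_csp(nonce: str, extra_script_sources=()) -> str:
    """Serialize the strict policy from 3.4 with this response's nonce."""
    directives = {
        "default-src": ["'none'"],
        "base-uri": ["'self'"],
        "object-src": ["'none'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", "'strict-dynamic'",
                       "'report-sample'", "https://www.googletagmanager.com",
                       *extra_script_sources],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:", "https://images.example-cdn.com"],
        "font-src": ["'self'", "https://fonts.gstatic.com"],
        "connect-src": ["'self'", "https://api.example.com", "wss://ws.example.com"],
        "frame-src": ["https://3ds.psp.com", "https://pay.psp.com"],
        "frame-ancestors": ["'none'"],
        "form-action": ["'self'", "https://pay.psp.com"],
        "upgrade-insecure-requests": [],   # boolean directive, no value
        "report-to": ["csp-endpoint"],
    }
    return "; ".join(" ".join([name, *values]) for name, values in directives.items())


def security_headers(nonce: str, inline_scripts=()) -> dict:
    """Headers for one response; hashes cover inline scripts that cannot carry a nonce.
    Reporting-Endpoints must declare the group that report-to names."""
    hashes = [csp_hash(src) for src in inline_scripts]
    return {
        "Content-Security-Policy": build_csp(nonce, hashes),
        "Reporting-Endpoints": f'csp-endpoint="{REPORT_ENDPOINT}"',
    }
```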
4) Trusted Types (DOM XSS)
Enable the directive `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app default`.
Code: `window.trustedTypes.createPolicy('app', { createHTML() { ... } })`.
Forbid raw sink assignment (`element.innerHTML = ...`) without Trusted Types.
Integration with frameworks (React/Angular/Vue): render through the safe APIs, avoid `dangerouslySetInnerHTML`.
5) SRI (CDN integrity)
External `<script>`/`<link>`: `integrity="sha256-..." crossorigin="anonymous"`.
SRI complements CSP. When the CDN version is updated, update the hash.
6) Clickjacking and frames
The modern approach is `frame-ancestors` (it supersedes the older `X-Frame-Options`).