<IfModule mod_headers.c>
# Legacy header: modern browsers no longer implement the XSS auditor; a CSP is the real control.
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options "nosniff"
# Per-request nonce taken from mod_unique_id (the %{UNIQUE_ID}e env var); enable once the templates emit the same nonce.
#Header set Content-Security-Policy "default-src 'self'; script-src 'nonce-%{UNIQUE_ID}e' 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self';"
</IfModule>
# The dot must be escaped, otherwise "." matches any character and "azip" would also be blocked.
<FilesMatch "\.(zip)$">
Order Allow,Deny
Deny from all
</FilesMatch>
----------------------------------------------------
Implement the nonce in the header (PHP; $user->nonce_str must be a fresh, unguessable value generated for each response, and header() must run before any output is sent):
header('Content-Security-Policy: default-src \'self\'; script-src \'nonce-'.$user->nonce_str.'\' \'self\'; style-src \'self\' \'unsafe-inline\'; object-src \'none\'; base-uri \'self\';');
<script src="js/bootstrap.js" nonce="<?php echo $user->nonce_str; ?>"></script>
------------------------------------------------------
noopener noreferrer in a link:
<div> <a href="#" target="_blank" rel="noopener noreferrer">linking status</a></div>
--------------------------
Authentication Bypass Using HTTP Verb Tampering:
HTTP Verb Tampering is an attack that exploits weaknesses in authentication and access-control mechanisms that depend on the HTTP verb (also known as the HTTP method).
The Hypertext Transfer Protocol (HTTP) defines a list of methods that can be used to perform actions on the web server.
The following are some of those methods:
- HEAD
- GET
- POST
- PUT
- DELETE
- TRACE
- OPTIONS
- CONNECT
Of these methods, GET and POST (and sometimes PUT) are the ones developers most commonly use to access information provided by a web server, so access rules are often written only for them.
The simplest form of HTTP verb manipulation:
+ Changing GET to POST
+ Changing POST to GET
+ etc.
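As an added example that is not part of these notes: a verb-dependent access check beside a verb-independent one, plus a small audit helper that reports which verbs reach a protected path without a session. The session tokens, roles and route names are constructed for the demo.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample sessions: token -> role.
SESSIONS: Dict[str, str] = {"tok-admin-1": "admin", "tok-user-2": "user"}

# The methods listed in the notes above, used to probe an authorizer.
PROBE_METHODS = ["HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"]

# Verbs the application actually serves; everything else is rejected.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


def role_for(token: Optional[str]) -> str:
    """Resolve the caller's role; unauthenticated callers are 'anonymous'."""
    return SESSIONS.get(token or "", "anonymous")


def authorize_weak(method: str, path: str, token: Optional[str] = None) -> bool:
    """Vulnerable pattern: the /admin rule only fires for the verbs the developer
    expected (GET and POST), like an Apache <Limit GET POST> block, so any other
    verb falls through to the default allow."""
    if path.startswith("/admin") and method in ("GET", "POST"):
        return role_for(token) == "admin"
    return True  # HEAD, PUT, DELETE, ... to /admin are never checked


def authorize_fixed(method: str, path: str, token: Optional[str] = None) -> bool:
    """Hardened pattern: unknown verbs are denied outright (exact match, no
    case folding), and the authorization decision depends on the path only."""
    if method not in ALLOWED_METHODS:
        return False
    if path.startswith("/admin"):
        return role_for(token) == "admin"
    return True


def anonymous_reachable(authorizer: Callable[..., bool], path: str) -> List[str]:
    """Audit helper: verbs for which the authorizer lets an anonymous caller reach path."""
    return sorted(m for m in PROBE_METHODS if authorizer(m, path, None))


if __name__ == "__main__":
    for name, fn in (("weak", authorize_weak), ("fixed", authorize_fixed)):
        print(name, "anonymous verbs reaching /admin/users:", anonymous_reachable(fn, "/admin/users"))
```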