En sevdi\u011finiz kafede oturdu\u011funuzu veya bir otel odas\u0131nda oldu\u011funuzu ve \u00fccretsiz Wi-Fi hizmetini kullanmak istedi\u011finizi d\u00fc\u015f\u00fcn\u00fcn.\u00a0Bu gibi yerlerde Wi-Fi \u015fifrelerinin ka\u011f\u0131da (not defteri, bro\u015f\u00fcr, kart vb.) bas\u0131ld\u0131\u011f\u0131n\u0131 ve hi\u00e7 de\u011fi\u015fmedi\u011fini hi\u00e7 fark ettiniz mi?<\/p>\n
K\u00f6t\u00fc niyetli hackerlar da\u00a0 bu ortak a\u011flara kolayl\u0131kla ba\u011flanabilme olana\u011f\u0131na sahip olabiliyorlar. Dolay\u0131s\u0131yla bu; onlar\u0131n ba\u011fl\u0131 oldu\u011funuz a\u011f\u0131 izleyebilecekleri ve siz dahil o a\u011f\u0131 kullanan herkesin verilerini g\u00f6rebilecekleri \/ \u00e7alabilecekleri programlar\u0131 kolayl\u0131kla kullanabilecekleri anlam\u0131na geliyor.<\/p>\n
Bu hacker, HTTP’den HTTPS’ye ge\u00e7i\u015f yapmak<\/a><\/strong> i\u00e7in 301 Redirect y\u00f6nlendirmesine dayal\u0131 herhangi bir web sitesi i\u00e7in HTTP \u00fczerinden a\u011f trafi\u011finizi yakalayabilir.\u00a0Bu y\u00f6ntem, hacker’\u0131n SSL \u015fifrelemenizi kald\u0131rmas\u0131 ve ki\u015fisel verilerinizi \u00e7almas\u0131 veya daha da k\u00f6t\u00fcs\u00fc sahte bir giri\u015f sayfas\u0131 bile olu\u015fturmas\u0131na olanak sa\u011flayabilecek bir f\u0131rsat penceresi sunar.<\/p>\n Bu nedenle web siteniz sadece HTTPS \u00fczerinden HTTP Strict Transport Security\u00a0(HSTS) kullanmal\u0131d\u0131r.\u00a0Dolay\u0131s\u0131yla bir SSL Sertifikas\u0131 kullan\u0131yor olman\u0131z, HTTP\u2019den HTTPS\u2019e ge\u00e7i\u015fte 301 y\u00f6nlendirmesi kullan\u0131l\u0131yorsa tam anlam\u0131yla a\u011f g\u00fcvenli\u011fini sa\u011flamayacakt\u0131r.<\/p>\n Bu yaz\u0131m\u0131zda HSTS’i nas\u0131l kullanabilece\u011finizi anlatt\u0131k.<\/p>\n <\/p>\n HTTP Strict Transport Security<\/strong> (HSTS), User-Agentlara ve web taray\u0131c\u0131lar\u0131na en ba\u015ftan ve taray\u0131c\u0131ya geri g\u00f6nderilen bir yan\u0131t ba\u015fl\u0131\u011f\u0131 \u00fczerinden ba\u011flant\u0131lar\u0131n\u0131 nas\u0131l kullanacaklar\u0131n\u0131 bildiren bir web sunucusu y\u00f6nergesidir.<\/em><\/p>\n Bu, HSTS<\/strong> (HTTP Strict-Transport-Security<\/strong>) ilkesi, alan parametresini ayarlar.\u00a0Bu ba\u011flant\u0131lar\u0131 HTTPS \u00fczerinden \u00e7al\u0131\u015fmaya zorlar<\/strong> ve herhangi bir kod par\u00e7as\u0131n\u0131n HTTP \u00fczerinden herhangi bir kayna\u011f\u0131 y\u00fckleme \u00e7a\u011fr\u0131s\u0131n\u0131 dikkate almaz.\u00a0HSTS, web sunucunuz veya web bar\u0131nd\u0131rma hizmetiniz i\u00e7in g\u00fcvenlik ayarlar\u0131 bak\u0131m\u0131ndan tam g\u00fcvenli\u011fi sa\u011flayabilecek yoldur.<\/p>\n Bunu evin veya i\u015fyerinden \u00e7\u0131karken kap\u0131y\u0131 kapatt\u0131ktan sora kilitlemeye benzetebilriz. Sonu\u00e7ta web sitenizdeki veriler, sizin i\u00e7in fiziksel e\u015fyalar\u0131n\u0131z veya maddi de\u011feri olan her \u015fey gibi de\u011ferli olabilir. Bu y\u00fczden onlar\u0131 g\u00fcvende tutmak \/ tutmaya \u00e7al\u0131\u015fmak da \u00f6nemlidir.\u00a0Web sitenizi SSL ile korumak yeterli olmayacakt\u0131r, \u00e7\u00fcnk\u00fc insanlar web sitenize \u201chttp:\/\/\u201d \u00fczerinden eri\u015fmenin bir yolunu bulabilir.\u00a0HSTS (HTTP Strict-Transport-Security), taray\u0131c\u0131lar\u0131 ve uygulama ba\u011flant\u0131lar\u0131n\u0131 varsa HTTPS kullanmaya zorlar.\u00a0B\u00f6ylece birisi sadece http:\/\/www veya http:\/\/ yazsa bile, http:\/\/ olarak gelen istekler, HSTS protokol\u00fcne g\u00f6re direkt olarak HTTPS olarak al\u0131n\u0131r.<\/p>\n HTTPS, Google\u2019da s\u0131ralama fakt\u00f6rlerinden biridir ve sayfa h\u0131z\u0131 ve mobil yan\u0131t verme gibi di\u011fer bir\u00e7ok fakt\u00f6rle birlikte bir “site kalitesi” puan\u0131 olarak kategorize edilir. Ayr\u0131ca Google Chrome taray\u0131c\u0131lar\u0131n\u0131n da SSL kullanmayan web siteleri i\u00e7in, \u201cG\u00fcvenli De\u011fil\u201d olarak bildirim verdi\u011fini hat\u0131rlatal\u0131m. K\u0131sacas\u0131 Google da web\u2019in g\u00fcvenli olamas\u0131na yard\u0131mc\u0131 olmak istiyor.<\/p>\n http:\/\/ den https:\/\/\u2019e 301 y\u00f6nlendirmelerini ayarlamak, alan ad\u0131n\u0131z\u0131 tamamen korumak i\u00e7in yeterli de\u011fildir. HTTP’nin g\u00fcvensiz y\u00f6nlendirmesi nedeniyle halen hackerlar i\u00e7in kullanabilecekleri bir s\u00fcr\u00fc y\u00f6ntem var.<\/p>\n Hackerlar site \u00e7erezleri<\/a>ni, oturum kimli\u011fini (genellikle bir URL parametresi olarak g\u00f6nderilir) yakalayabilir veya web sitenizin birebir kopyas\u0131 olan kimlik av\u0131 sitelerine yeniden y\u00f6nlendirmeye zorlayabilir ki bu, en k\u00f6t\u00fc senaryo.<\/p>\n Web sitenizde HSTS (HTTP Strict-Transport-Security) Header \u00f6zelli\u011finin kullan\u0131m\u0131, k\u00f6t\u00fc niyetli ki\u015filerin herhangi bir bilgiyi toplamas\u0131n\u0131 neredeyse imkans\u0131z k\u0131lacakt\u0131r.<\/p>\n Milyarlarca dolarl\u0131k \u015firket olan Google, 29 Temmuz 2016 tarihinde HSTS g\u00fcvenlik politikas\u0131n\u0131 resmen y\u00fcr\u00fcrl\u00fc\u011fe koydu.<\/p>\n HSTS projesi ilk olarak 2009’un ba\u015flar\u0131nda haz\u0131rland\u0131.\u00a0Facebook, Google, Gmail, Twitter ve PayPal, bug\u00fcn HSTS’yi uygulayan en \u00f6nemli sosyal a\u011f ve \u00f6deme portallar\u0131ndan sadece birka\u00e7\u0131d\u0131r.<\/p>\n \u0130\u00e7erik yap\u0131n\u0131zda subdomain kullan\u0131yorsan\u0131z, SADECE HTTPS’yi kapsayacak bir Wildcard Sertifikas\u0131<\/a><\/strong>na ihtiyac\u0131n\u0131z olacakt\u0131r.\u00a0Aksi takdirde web siteniz, Herhangi bir SSL Sertifikas\u0131 ile \u00a0de olduk\u00e7a g\u00fcvende olacakt\u0131r.\u00a0SSL\u2019in kurulu oldu\u011fundan ve do\u011fru \u00e7al\u0131\u015ft\u0131\u011f\u0131ndan emin olun.<\/strong><\/p>\n HSTS’nin sitede kullan\u0131m\u0131n\u0131n SEO a\u00e7\u0131s\u0131ndan pek \u00e7ok avantaj\u0131 ve faydas\u0131 bulunmaktad\u0131r. HSTS kurulu olan bir sitede, kullan\u0131c\u0131n\u0131n yazd\u0131\u011f\u0131 adres http i\u00e7ermesine ra\u011fmen, t\u0131pk\u0131 https iste\u011fiymi\u015f gibi de\u011ferlendirerek iste\u011fi https ile a\u00e7maya \u00e7al\u0131\u015f\u0131r. Dolay\u0131s\u0131yla y\u00f6nlendirmeler aras\u0131nda ge\u00e7en zamandan tasarruf edilerek performans anlam\u0131nda pozitif etkisi olmaktad\u0131r. Bu; hem a\u00e7\u0131l\u0131\u015f sayfalar\u0131n\u0131z\u0131n<\/a> h\u0131z\u0131n\u0131 etkileyen bir fakt\u00f6r, hem de SEO puan\u0131n\u0131z\u0131 pozitif etkileyen bir uygulamad\u0131r.<\/p>\n <\/p>\n A\u015fa\u011f\u0131daki kodu Apache web sunucusu<\/a>nda public_html<\/strong> veya httpdoc<\/strong> gibi en \u00fcst d\u00fczeydeki k\u00f6k dizin klas\u00f6r\u00fcndeki .htaccess<\/strong> dosyas\u0131na ekleyebilirsiniz.<\/p>\n Bunu Lighttpd<\/strong> yap\u0131land\u0131rma dosyas\u0131na \/etc\/lighttpd\/lighttpd.conf<\/strong> dosyas\u0131na ekleyin<\/p>\n NGINX web sunucusu<\/a> i\u00e7in HSTS kurulumu kodlar\u0131n\u0131 site.conf dosyan\u0131za yazmal\u0131s\u0131n\u0131z.<\/p>\n HSTS \u00f6ny\u00fcklemesi;<\/strong> taray\u0131c\u0131da yerle\u015fik bir fonksiyondur, bu sayede global bir ana bilgisayar listesi web sitelerinde SADECE HTTPS kullan\u0131m\u0131n\u0131 zorlar.<\/strong><\/p>\n Bu liste Chrome, Firefox ve Safari taraf\u0131ndan kullan\u0131lmaktad\u0131r.\u00a0Bu siteler, politikay\u0131 uygulamak i\u00e7in HSTS cevap ba\u015fl\u0131klar\u0131n\u0131n yay\u0131nlanmas\u0131na ba\u011fl\u0131 de\u011fildir.\u00a0Bunun yerine, taray\u0131c\u0131 etki alan\u0131 ad\u0131n\u0131n SADECE HTTPS kullan\u0131lmas\u0131n\u0131 gerektirdi\u011finin fark\u0131ndad\u0131r ve herhangi bir ba\u011flant\u0131 veya ileti\u015fim ger\u00e7ekle\u015fmeden \u00f6nce HSTS’yi \u00f6ncelikli olarak kullanmaktad\u0131r..<\/p>\n Bu, bir hacker\u2019\u0131n HTTP \u00fczerinden y\u00f6nlendirmelerle m\u00fcdahale etme ve kurcalama olana\u011f\u0131n\u0131 kald\u0131r\u0131r.\u00a0HSTS yan\u0131t ba\u015fl\u0131\u011f\u0131na bu senaryoda hala ihtiya\u00e7 duyulmaktad\u0131r ve \u00f6nceden y\u00fcklenmi\u015f HSTS listelerini kullanmayan taray\u0131c\u0131lar i\u00e7in yerinde b\u0131rak\u0131lmal\u0131d\u0131r.<\/p>\n HSTS<\/strong> neredeyse sekiz y\u0131ldan beri var.\u00a0Bu HTTPS Yaln\u0131zca web altyap\u0131n\u0131zdaki politika, k\u00f6t\u00fc niyetli ki\u015fileri d\u0131\u015far\u0131da ve hassas verilerinizi g\u00fcvende tutar.\u00a0Web y\u00f6neticiniz veya web bar\u0131nd\u0131rma servisiniz taraf\u0131ndan kurulmas\u0131 sadece birka\u00e7 dakika s\u00fcrer ve SSL puan\u0131n\u0131z\u0131\u00a0GlobalSign’\u0131n SSL Checker<\/a>\u00a0ile art\u0131racakt\u0131r\u00a0\u00a0.<\/p>\n HSTS Referanslar\u0131<\/strong><\/p>\n En sevdi\u011finiz kafede oturdu\u011funuzu veya bir otel odas\u0131nda oldu\u011funuzu ve \u00fccretsiz Wi-Fi hizmetini kullanmak istedi\u011finizi d\u00fc\u015f\u00fcn\u00fcn.\u00a0Bu gibi yerlerde Wi-Fi \u015fifrelerinin ka\u011f\u0131da (not…<\/p>\n","protected":false},"author":3,"featured_media":12694,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[],"class_list":["post-12656","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-makaleler"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/12656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=12656"}],"version-history":[{"count":45,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/12656\/revisions"}],"predecessor-version":[{"id":14231,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/12656\/revisions\/14231"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media\/12694"}],"wp:attachment":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=12656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=12656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=12656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u0130\u00e7erik<\/strong><\/h5>\n
\n
HSTS (HTTP Strict Transport Security) Nedir?<\/strong><\/h2>\n
Web Sitenizde Neden HSTS Kullanmal\u0131s\u0131n\u0131z?<\/strong><\/h3>\n
$ curl --head http:\/\/www.facebook.com HTTP\/1.1 301 Moved Permanently Location: https:\/\/www.facebook.com\/<\/strong><\/code><\/p>\n$ curl --head https:\/\/www.facebook.com HTTP\/1.1 200\u00a0OK Strict-Transport-Security: max-age=15552000; preload<\/strong><\/code><\/p>\nHSTS Uygulamas\u0131 Ne Kadar Pop\u00fcler?<\/strong><\/h4>\n
Web Siteniz \u0130\u00e7in HSTS Nas\u0131l Kurulur?<\/strong><\/h3>\n
HSTS’nin SEO A\u00e7\u0131s\u0131ndan Faydalar\u0131<\/strong><\/h3>\n
HSTS Gereksinimleri<\/strong><\/h3>\n
\n
Apache Web Sunucusu \u0130\u00e7in HSTS Kurulumu<\/strong><\/h3>\n
# Use HTTP Strict Transport Security to force client to use secure connections only Header always set Strict-Transport-Security \"max-age=300;\u00a0includeSubDomains;\u00a0preload\"<\/strong><\/code><\/p>\nLighttpd i\u00e7in HSTS Kurulumu<\/strong><\/h3>\n
server.modules\u00a0+= ( \"mod_setenv\" ) $HTTP[\"scheme\"] == \"https\" {\u00a0setenv.add-response-header = (\"Strict-Transport-Security\" => \"max-age=300;\u00a0includeSubDomains; preload\") }<\/strong><\/code><\/p>\nNGINX i\u00e7in HSTS Kurulumu<\/strong><\/h3>\n
add_header\u00a0Strict-Transport-Security 'max-age=300;\u00a0includeSubDomains; preload; always;'<\/strong><\/code><\/p>\nIIS Sunucular\u0131 i\u00e7in HSTS Kurulumu<\/strong><\/h3>\n
protected void\u00a0Application_BeginRequest(Object sender,\u00a0EventArgs\u00a0e) { switch (Request.Url.Scheme) { case \"https\":\u00a0Response.AddHeader(\"Strict-Transport-Security\", \"max-age=31536000;\u00a0includeSubDomains; preload\"); break; case \"http\":\u00a0var\u00a0path = \"https:\/\/\" +\u00a0Request.Url.Host\u00a0+\u00a0Request.Url.PathAndQuery;\u00a0Response.Status\u00a0= \"301 Moved Permanently\";\u00a0Response.AddHeader(\"Location\", path); break; } }<\/strong><\/code><\/p>\nHSTS \u00d6n Y\u00fcklemesi Nedir?<\/strong><\/h3>\n
Referanslar<\/strong><\/h4>\n
\n