{"id":15954,"date":"2026-06-25T23:54:20","date_gmt":"2026-06-25T20:54:20","guid":{"rendered":"https:\/\/www.ihs.com.tr\/blog\/?p=15954"},"modified":"2026-06-25T23:54:20","modified_gmt":"2026-06-25T20:54:20","slug":"sitenizin-guvenlik-basligini-security-headers-csp-ile-guclendirme","status":"publish","type":"post","link":"https:\/\/www.ihs.com.tr\/blog\/sitenizin-guvenlik-basligini-security-headers-csp-ile-guclendirme\/","title":{"rendered":"Strengthening Your Site's Security Headers with CSP"},"content":{"rendered":"<p>Your website's security is one of the most critical components of your digital presence. Protecting user data, reinforcing brand reputation and building a line of defence against cyber attacks call for many steps. One of the most fundamental and effective of these is configuring HTTP security headers correctly. These headers are server instructions that tell browsers how they should interact with your site, and they form the cornerstones of modern web security. 
In particular, Content Security Policy (CSP) is the most powerful and flexible of these headers; by making your site load content only from sources you trust, it proactively blocks many common attack types.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Web-Guvenliginin-Temeli-HTTP-Guvenlik-Basliklari\"><\/span>The Foundation of Web Security: HTTP Security Headers<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As modern web applications grow more complex, the number of potential weaknesses that attackers can target grows with them. HTTP security headers form the first line of defence against these threats. These special HTTP response headers, which your server sends to the browsers visiting your website, make the browser enforce specific security policies. Potentially dangerous content is thereby prevented from executing, and a safer environment is created both for the site itself and for its users.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"HTTP-Guvenlik-Basligi-Nedir\"><\/span>What Is an HTTP Security Header?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>HTTP security headers are special directives that a web server sends in the header section of its HTTP response; they control browser behaviour and enforce security policies. When the browser loads a web page, it reads these headers and follows the rules they contain. For example, a header can tell the browser to use only secure (HTTPS) connections, to refuse to let the site be placed inside an `<iframe>` by other sites, or to load script files only from specific sources. 
This simple but effective mechanism raises the security level considerably without complex changes at the code level.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Neden-Kritik-Oneme-Sahipler\"><\/span>Why Are They Critically Important?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>HTTP security headers are a vital part of a defence-in-depth strategy. Even if a vulnerability in the application layer (for example, insufficiently sanitised user input) is exploited by an attacker, correctly configured security headers can greatly reduce the chance that the attack succeeds. By preventing theft of user data, injection of fake content and session hijacking, they provide a layer of assurance for both the site owner and the end user. 
In addition, since search engines favour secure sites, correct use of these headers can indirectly benefit SEO performance as well.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Yaygin-Web-Saldiri-Turlerine-Genel-Bakis-XSS-Clickjacking-vb\"><\/span>Overview of Common Web Attack Types (XSS, Clickjacking, etc.)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To understand why security headers matter so much, you need to know the attack types they block:<\/p>\n<ul>\n<li><strong>Cross-Site Scripting (XSS):<\/strong> An attack in which the attacker injects a malicious script into the target website and that script then runs in another user's browser. XSS can be used to steal session information (cookies), alter page content or perform actions on the user's behalf.<\/li>\n<li><strong>Clickjacking:<\/strong> A technique in which the attacker tricks the user into clicking, through an invisible web page, a button or link that actually belongs to another site. 
For example, while the user believes they are clicking a &#8220;watch cute cat video&#8221; button, in the background they may unknowingly have liked something from their social media account or approved a transaction.<\/li>\n<li><strong>Protocol Downgrade Attacks:<\/strong> The attacker tries to downgrade the secure HTTPS connection between the user and the server to insecure HTTP. This lets them read or modify the data by interposing themselves (man-in-the-middle).<\/li>\n<li><strong>MIME-Type Sniffing:<\/strong> Instead of trusting a file's `Content-Type` header, browsers may try to guess its type by analysing its content. This can allow an attacker to have a seemingly harmless file (for example, an image) executed as a script.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Content-Security-Policy-CSP-Kavrami\"><\/span>The Content Security Policy (CSP) Concept<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The most comprehensive and powerful of the HTTP security headers is the Content Security Policy, or CSP. CSP is a security standard that lets you define in detail which sources your website may load content (scripts, styles, images, fonts, etc.) from. 
In this way you instruct the browser to process only content coming from sources you have approved and to block every other request. This proactive approach is extremely effective against content injection attacks, XSS in particular.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"CSP-Nedir-ve-Nasil-Calisir\"><\/span>What Is CSP and How Does It Work?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>CSP works by the server adding a header named `Content-Security-Policy` to its HTTP response. The value of this header consists of a series of directives stating which sources the site allows for each type of content. For example, the directive `script-src 'self' https:\/\/apis.google.com` permits the browser to execute only JavaScript files served from the site's own origin (same-origin) and from `https:\/\/apis.google.com`. Any attempt to load a script from another source is blocked by the browser, and a violation message is typically written to the browser's developer console.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"CSPnin-Engelledigi-Temel-Saldiri-Vektorleri\"><\/span>Core Attack Vectors That CSP Blocks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>CSP's primary goal is to prevent malicious content from executing on your web page. 
The attack types against which it is most effective are:<\/p>\n<ul>\n<li><strong>Cross-Site Scripting (XSS):<\/strong> By allowing scripts to load only from trusted sources and by blocking inline scripts (`<script>...<\/script>` or `onclick=\"...\"`) by default, CSP neutralises the vast majority of XSS attacks.<\/li>\n<li><strong>Data Exfiltration:<\/strong> When malicious code tries to steal data from your page, CSP directives such as `connect-src` and `form-action` can prevent that data from being sent to unauthorised destinations.<\/li>\n<li><strong>Clickjacking:<\/strong> Using the `frame-ancestors` directive you can control which origins may embed your site in an `<iframe>` or similar element, and thereby prevent clickjacking attacks.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Beyaz-Liste-Whitelist-Mantigi-ve-Guvenilir-Kaynaklar\"><\/span>The Whitelist Logic and Trusted Sources<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>CSP is fundamentally based on a &#8220;whitelist&#8221;, or in more modern terms an &#8220;allowlist&#8221;. Anything you do not explicitly permit in your policy is forbidden by default. This deny-by-default approach maximises security. 
When identifying trusted sources, you need to carefully list every script, style, image, font and API provider your site needs in order to work. These sources are typically your own <a href=\"https:\/\/www.ihs.com.tr\/blog\/domain-nedir-ne-ise-yarar\/\" target=\"_blank\">domain name<\/a> (self), the CDNs (Content Delivery Networks) you use, analytics services such as Google Analytics, or font providers such as Google Fonts.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"CSP-Politikasinin-Sunucuya-Entegrasyon-Yontemleri\"><\/span>Methods of Integrating a CSP Policy into the Server<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>There are two basic ways to integrate a CSP policy into your website:<\/p>\n<ol>\n<li><strong>Via an HTTP Header (Recommended):<\/strong> The most common and effective method is to add the `Content-Security-Policy` HTTP header to every response, either through the web server configuration (for example `.htaccess` for Apache, `nginx.conf` for Nginx) or through a server-side script (PHP, Node.js, etc.). This provides centralised policy management for every page of the site.<\/li>\n<li><strong>Via a Meta Tag:<\/strong> The policy can also be declared by adding a `<meta>` tag to the `<head>` section of the page's HTML: `<meta http-equiv=\"Content-Security-Policy\" content=\"...\">`. This method has some limitations, however; for instance, it does not support certain important directives such as `frame-ancestors` and `report-uri`, and it applies only to that particular HTML page. 
Bu nedenle genellikle HTTP ba\u015fl\u0131\u011f\u0131 y\u00f6ntemi tercih edilir.<\/li>\n<\/ol>\n<h2><span class=\"ez-toc-section\" id=\"Temel-CSP-Yonergeleri-Directives-ve-Anlamlari\"><\/span>Temel CSP Y\u00f6nergeleri (Directives) ve Anlamlar\u0131<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Bir Content Security Policy (CSP), sitenizin hangi kaynaklara eri\u015febilece\u011fini tan\u0131mlayan bir dizi y\u00f6nergeden (directive) olu\u015fur. Her y\u00f6nerge, belirli bir kaynak t\u00fcr\u00fcn\u00fc (\u00f6rne\u011fin, script&#8217;ler veya stiller) kontrol eder. Bu y\u00f6nergeleri do\u011fru bir \u015fekilde anlamak ve yap\u0131land\u0131rmak, etkili ve k\u0131r\u0131lgan olmayan bir g\u00fcvenlik politikas\u0131 olu\u015fturman\u0131n anahtar\u0131d\u0131r.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"default-src-Varsayilan-Kaynak-Politikasi\"><\/span>`default-src`: Varsay\u0131lan Kaynak Politikas\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`default-src`, CSP politikan\u0131z\u0131n bel kemi\u011fidir. E\u011fer `script-src`, `style-src` gibi daha spesifik bir y\u00f6nerge belirtilmemi\u015fse, taray\u0131c\u0131 bu y\u00f6nergenin de\u011ferini o kaynak t\u00fcr\u00fc i\u00e7in varsay\u0131lan olarak kullan\u0131r. Bu, genellikle politikan\u0131z\u0131 basitle\u015ftirmek i\u00e7in kullan\u0131l\u0131r. \u00d6rne\u011fin, t\u00fcm kaynaklar\u0131n yaln\u0131zca kendi alan ad\u0131n\u0131zdan y\u00fcklenmesine izin vermek i\u00e7in `default-src &#8216;self&#8217;;` kural\u0131n\u0131 belirleyebilirsiniz. 
This is the most restrictive starting point; specific permissions for any other sources that are needed are then added on top of it.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"script-src-JavaScript-Dosyalari-Icin-Guvenlik\"><\/span>`script-src`: Security for JavaScript Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`script-src`, perhaps the most important CSP directive, controls which sources JavaScript files may be loaded and executed from. It is the primary tool for preventing XSS attacks. For example, the rule `script-src 'self' https:\/\/cdn.example.com;` allows scripts from the site's own origin and from `cdn.example.com` and blocks every other source. By default it also blocks inline scripts (`<script>...<\/script>`) and functions such as `eval()`.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"style-src-CSS-Dosyalari-Icin-Guvenlik\"><\/span>`style-src`: Security for CSS Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`style-src` defines which sources CSS files and styles may be loaded from. It can stop a malicious stylesheet from misleading users by altering the page layout or through CSS injection attacks aimed at exfiltrating data. A rule such as `style-src 'self' https:\/\/fonts.googleapis.com;` allows local styles and the styles served by Google Fonts.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"img-src-Gorsel-Dosyalari-Icin-Kaynak-Belirleme\"><\/span>`img-src`: Specifying Sources for Image Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This directive controls which sources images (`<img>`, `background-image` etc.) may be loaded from. It prevents unauthorized or inappropriate images from being displayed on your site. For example, the rule `img-src 'self' data: https:\/\/img.example.com;` allows local images, base64-encoded inline images (`data:`) and images from the `img.example.com` domain.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"font-src-Yazi-Tipi-Dosyalarinin-Kontrolu\"><\/span>`font-src`: Controlling Font Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The `font-src` directive specifies which sources the custom fonts used on your website may be loaded from. It is typically used to allow-list external font services such as Google Fonts or the font files on your own server. Example: `font-src 'self' https:\/\/fonts.gstatic.com;`.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"connect-src-API-ve-AJAX-Isteklerinin-Yonetimi\"><\/span>`connect-src`: Managing API and AJAX Requests<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`connect-src` restricts the connections that can be made by script interfaces such as `XMLHttpRequest`, the `Fetch API`, `WebSocket` and `EventSource`. 
In other words, it controls which API endpoints or servers the JavaScript on your page may send requests to. This makes it a critical directive for preventing your data from being exfiltrated to unauthorized servers.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"frame-src-Iframe-Iceriklerinin-Kisitlanmasi\"><\/span>`frame-src`: Restricting Iframe Content<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This directive determines which sources may be loaded inside `<iframe>` or `<frame>` elements on your page. It prevents your site from framing other sites that host untrusted or malicious content. Because this directive has been superseded by the `child-src` directive it is no longer recommended, but it can still be used for backward compatibility.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"media-src-Ses-ve-Video-Dosyalarinin-Kontrolu\"><\/span>`media-src`: Controlling Audio and Video Files<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`media-src` controls the sources of the audio and video files that `<audio>` and `<video>` elements may load. This ensures that content is streamed only from media servers you trust. Example: `media-src https:\/\/media.example.com;`.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Gelismis-CSP-Yapilandirmasi-ve-Yonergeleri\"><\/span>Advanced CSP Configuration and Directives<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>While the core CSP directives significantly improve your website's security, the dynamic nature of modern web applications often calls for more complex and flexible policies. The advanced CSP directives are designed to provide that flexibility without compromising security, to monitor policy violations and to protect against more sophisticated attacks such as clickjacking.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"report-uri-ve-report-to-Ihlal-Raporlamasi\"><\/span>`report-uri` and `report-to`: Violation Reporting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When a CSP policy is deployed for the first time, there is a risk of accidentally breaking some of the site's functionality. Violation reporting is a critical tool for dealing with this problem.<\/p>\n<ul>\n<li><b>`report-uri` (Deprecated):<\/b> This directive specifies a URL to which the browser sends a JSON-formatted report whenever the CSP policy is violated. These reports include the blocked resource, the violated directive and the URL of the page. This lets you identify and fix missing sources before putting the policy into enforcement.<\/li>\n<li><b>`report-to`:<\/b> A more modern and flexible directive that replaces `report-uri`. 
Working together with the Reporting API, it gives you more control over how and where reports are sent.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"nonce-Kullanimi-Tek-Seferlik-Inline-Script-Izinleri\"><\/span>Using a `nonce`: One-Time Permissions for Inline Scripts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>For security reasons CSP blocks inline scripts (`<script>...<\/script>`) by default. Sometimes, however, especially when working with legacy systems, using an inline script is unavoidable. A `nonce` (number used once) offers a safe solution to this problem. For every page request the server generates a cryptographically secure random `nonce` value. This value is added both to the `script-src` directive in the CSP header and to the inline `<script>` element that should be allowed.<br \/>\n<b>Example:<\/b><br \/>\nCSP header: `Content-Security-Policy: script-src 'nonce-aBcDeF12345';`<br \/>\nHTML code: `<script nonce=\"aBcDeF12345\">...<\/script>`<br \/>\nThe browser executes only the inline scripts whose `nonce` value matches the value in the header.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"hash-Kullanimi-Belirli-Script-ve-Style-Bloklarina-Izin-Verme\"><\/span>Using a `hash`: Allowing Specific Script and Style Blocks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Using a `hash` is an alternative to a `nonce` and is used to allow static inline script or style blocks. The server computes a cryptographic digest (SHA256, SHA384 or SHA512) of the content of the inline code block that should be allowed. This digest value is added to the relevant directive in the CSP header.<br \/>\n<b>Example:<\/b><br \/>\nCSP header: `Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng=';`<br \/>\nThe browser computes the digest of each inline script on the page and executes those whose digest matches the one given in the header. This method remains valid only as long as the content of the code does not change.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"unsafe-inline-ve-unsafe-eval-Kullaniminin-Riskleri\"><\/span>The Risks of Using `unsafe-inline` and `unsafe-eval`<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Developers sometimes resort to the `unsafe-inline` and `unsafe-eval` keywords in order to roll out CSP quickly.<\/p>\n<ul>\n<li><b>`unsafe-inline`:<\/b> Allows all inline scripts (`<script>...`) and styles (`style=\"...\"`). This completely disables the core protection CSP provides against XSS and must absolutely be avoided.<\/li>\n<li><b>`unsafe-eval`:<\/b> Allows the use of JavaScript functions that create code from strings, such as `eval()` or `setTimeout()` called with a string argument. 
This is extremely risky because it opens the door to code injection attacks.<\/li>\n<\/ul>\n<p>Because these keywords seriously weaken the effectiveness of a CSP policy, they should be used only with great care and only as a temporary measure when no other solution is possible.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"frame-ancestors-Clickjackinge-Karsi-Modern-Cozum\"><\/span>`frame-ancestors`: The Modern Defense Against Clickjacking<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The `frame-ancestors` directive controls which sources may frame (embed) your site using elements such as `<iframe>`, `<frame>`, `<object>`, `<embed>` or `<applet>`. It is the most effective defense mechanism against clickjacking attacks.<\/p>\n<ul>\n<li>`frame-ancestors 'none'`: Prevents your site from being framed at all. This is the safest option.<\/li>\n<li>`frame-ancestors 'self'`: Allows your site to be framed only by its own pages.<\/li>\n<li>`frame-ancestors https:\/\/partner.example.com;`: Allows your site to be framed only by the specified source.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"form-action-Form-Gonderim-Hedeflerini-Sinirlama\"><\/span>`form-action`: Limiting Form Submission Targets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This directive specifies the valid targets (URLs) to which HTML forms (`<form>`) may submit their data. It is used to stop malicious code from capturing form data (user names, passwords, credit card details etc.) and sending it to its own server. Example: `form-action 'self' https:\/\/payment.example.com;`.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"upgrade-insecure-requests-Otomatik-HTTPS-Yonlendirmesi\"><\/span>`upgrade-insecure-requests`: Automatic Upgrade to HTTPS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This directive tells the browser to automatically upgrade all insecure HTTP URLs on the site to HTTPS before the requests are actually made. This helps to prevent mixed-content errors caused by forgotten HTTP links, especially in older content, and ensures that your site is served entirely over <a href=\"https:\/\/www.ihs.com.tr\/ssl\/\" target=\"_blank\">SSL<\/a>. If your whole site supports HTTPS, using this directive is good practice.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"CSP-Disindaki-Diger-Onemli-Guvenlik-Basliklari\"><\/span>Other Important Security Headers Beyond CSP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Although Content Security Policy (CSP) is a powerful web security tool, it is not sufficient on its own for a comprehensive defense strategy. Other HTTP security headers protect against different attack vectors that CSP does not cover. 
Using these headers together builds a layered, robust security architecture for your website.<\/p>\n<div class=\"karsilastirma\">\n<table>\n<thead>\n<tr>\n<th>Security Header<\/th>\n<th>Main Purpose<\/th>\n<th>Attack Type It Protects Against<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>HTTP Strict Transport Security (HSTS)<\/strong><\/td>\n<td>Forces the browser to communicate only over HTTPS.<\/td>\n<td>Protocol downgrade, SSL stripping, cookie hijacking.<\/td>\n<\/tr>\n<tr>\n<td><strong>X-Frame-Options<\/strong><\/td>\n<td>Controls whether the site may be displayed inside an `<iframe>`.<\/td>\n<td>Clickjacking.<\/td>\n<\/tr>\n<tr>\n<td><strong>X-Content-Type-Options<\/strong><\/td>\n<td>Prevents the browser from \"sniffing\" the MIME type.<\/td>\n<td>MIME type confusion attacks.<\/td>\n<\/tr>\n<tr>\n<td><strong>Referrer-Policy<\/strong><\/td>\n<td>Controls how much referrer information is sent when navigating to another site.<\/td>\n<td>Data leakage through the URL.<\/td>\n<\/tr>\n<tr>\n<td><strong>Permissions-Policy<\/strong><\/td>\n<td>Controls the use of browser features (camera, microphone, geolocation etc.).<\/td>\n<td>Unwanted feature access.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3><span class=\"ez-toc-section\" id=\"HTTP-Strict-Transport-Security-HSTS\"><\/span>HTTP Strict Transport Security (HSTS)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>HSTS is a security policy mechanism that tells the browser a website is reachable only over a secure HTTPS connection. Once a browser has received the HSTS header (`Strict-Transport-Security`), for the specified period it automatically rewrites every request to that site from HTTP to HTTPS. This prevents users from accidentally visiting the insecure HTTP version of the site and being exposed to man-in-the-middle attacks. Example: `Strict-Transport-Security: max-age=31536000; includeSubDomains`.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"X-Frame-Options\"><\/span>X-Frame-Options<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This header protects against clickjacking attacks by specifying whether your site may be displayed inside an `<iframe>`, `<frame>` or `<object>` on another site. 
It has three possible values:<\/p>\n<ul>\n<li><b>DENY:<\/b> Does not allow the site to be displayed in a frame at all.<\/li>\n<li><b>SAMEORIGIN:<\/b> Allows the site to be framed only by pages from the same origin.<\/li>\n<li><b>ALLOW-FROM uri:<\/b> Allows framing by the specified URI (this option is not fully supported by modern browsers).<\/li>\n<\/ul>\n<p>Although CSP's `frame-ancestors` directive is the more modern and flexible alternative, `X-Frame-Options` is still widely used for compatibility with older browsers.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"X-Content-Type-Options\"><\/span>X-Content-Type-Options<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>This header prevents the browser from overriding the `Content-Type` declared by the server and \"sniffing\" the MIME type by analysing the file content. It has only one value: `nosniff`. Using this header stops attackers from getting the browser to execute a seemingly harmless file (for example an image) as a malicious script.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Referrer-Policy\"><\/span>Referrer-Policy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When a user clicks a link on your site and moves to another site, the browser usually tells the new site which page the user came from via the `Referer` header. That URL may contain sensitive information. The `Referrer-Policy` header lets you control how much of this information is shared. It offers several policy options, such as `no-referrer` (send nothing) and `strict-origin-when-cross-origin` (send only the origin when navigating to a different origin).<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Permissions-Policy-Feature-Policy\"><\/span>Permissions-Policy (Feature-Policy)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>`Permissions-Policy`, formerly known as `Feature-Policy`, is a mechanism that lets you control whether your website and the third-party content it embeds may use powerful browser features such as geolocation, the microphone, the camera or full-screen mode. This matters for privacy: it prevents your site from accessing unwanted features and stops a third-party script from abusing them. For example, the header `Permissions-Policy: geolocation=(), camera=(), microphone=()` disables the use of these features entirely.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"CSP-Politikasini-Adim-Adim-Uygulama-Rehberi\"><\/span>Step-by-Step Guide to Deploying a CSP Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Building an effective Content Security Policy (CSP) requires careful planning and a staged approach so that an existing website's functionality is not broken. Rather than defining a policy and enforcing it immediately, the safest path is to use report-only mode to test and refine the policy as you go. 
This lets you improve security without harming your site's user experience.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Asama-1-Mevcut-Kaynaklarin-Tespiti-ve-Analizi\"><\/span>Stage 1: Identifying and Analysing Existing Resources<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The first step in building a CSP is to understand exactly which resources your website needs in order to work properly. During this analysis you should list the following:<\/p>\n<ul>\n<li><b>JavaScript files:<\/b> Scripts you wrote yourself, libraries such as jQuery, analytics tools such as Google Analytics and the scripts of advertising networks.<\/li>\n<li><b>CSS files:<\/b> Your own stylesheets, the CSS of external font providers such as Google Fonts and the styles of the UI frameworks you use (Bootstrap etc.).<\/li>\n<li><b>Images, videos and audio:<\/b> All domains and CDNs that host your images, videos and other media files.<\/li>\n<li><b>Fonts:<\/b> The sources of the custom fonts you use.<\/li>\n<li><b>APIs and external services:<\/b> Every API endpoint your site exchanges data with.<\/li>\n<li><b>Iframes:<\/b> All external content embedded in your site, such as YouTube videos or Google Maps.<\/li>\n<\/ul>\n<p>The \"Network\" tab in your browser's developer tools is an excellent starting point for seeing every resource your page loads.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Asama-2-Raporlama-Modunda-Politika-Olusturma-Report-Only\"><\/span>Stage 2: Building the Policy in Report-Only Mode<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Once you have listed all your resources, you are ready to write your first CSP policy. Instead of enforcing it straight away, however, you should deploy it in \"report-only\" mode. In this mode the browser does not block policy violations; it only sends a report to the specified address. This lets you see the gaps and mistakes in your policy without breaking your site.<\/p>\n<p>At this stage the HTTP response header `Content-Security-Policy-Report-Only` is used instead of `Content-Security-Policy`. 
The content of the header consists of the directives covering the sources you identified during the analysis stage. For example:<\/p>\n<p><code>Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https:\/\/www.google-analytics.com; style-src 'self' https:\/\/fonts.googleapis.com; report-uri \/csp-reports;<\/code><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Asama-3-Gelen-Raporlarin-Incelenmesi-ve-Politikanin-Iyilestirilmesi\"><\/span>Stage 3: Reviewing Incoming Reports and Refining the Policy<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>After enabling report-only mode, you need to monitor the violation reports arriving at the endpoint you specified with `report-uri` on a regular basis. These reports will show you sources you forgot or overlooked in your policy. For example, you may notice that a third-party plugin tries to load a script from its own CDN and that this source is missing from your policy. By analysing the incoming reports you can gradually make your policy more accurate and complete. This process is more effective when every part and function of your site is exercised by users, and it may take several days or weeks.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Asama-4-Politikayi-Zorunlu-Kilma-Enforce-ve-Canliya-Alma\"><\/span>Stage 4: Enforcing the Policy and Going Live<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When you are confident that report-only mode produces few or no violation reports, it is time to enforce the policy. This is done by changing the `Content-Security-Policy-Report-Only` header to `Content-Security-Policy`. From that moment on, browsers actively block every resource that does not comply with your policy. To tighten the safety net further, you can send both the `Content-Security-Policy` and the `Content-Security-Policy-Report-Only` headers at the same time. That way your current policy is enforced while a stricter \"report-only\" policy runs alongside it to test future changes.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Asama-5-Surekli-Izleme-ve-Guncelleme\"><\/span>Stage 5: Continuous Monitoring and Updating<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Websites are not static; new features are added, and third-party services are updated or removed. Your CSP policy must therefore be a living document. It is important to keep monitoring violation reports even after the policy has gone live. 
Whenever you add a new feature or service to your site, remember to add the new sources that service requires to your CSP policy as well. Regular review and updating keep your CSP policy effective while ensuring it does not interfere with your site's functionality.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Sik-Karsilasilan-Sorunlar-ve-Cozum-Yollari\"><\/span>Common Problems and How to Solve Them<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Although deploying a Content Security Policy (CSP) is a powerful way to improve web security, it can raise some difficulties, especially on complex, dynamic sites. Knowing the common problems, from integrating third-party services to managing dynamic content, and how to overcome them makes the CSP rollout much smoother.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Ucuncu-Parti-Servislerin-Google-Analytics-Facebook-Pixel-vb-Entegrasyonu\"><\/span>Integrating Third-Party Services (Google Analytics, Facebook Pixel etc.)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><b>Problem:<\/b> Most websites rely on third-party scripts such as Google Analytics, Facebook Pixel or Intercom for analytics, advertising, customer support or social media integration. These services often load scripts, styles and images from several domains, and those sources can change over time.<\/p>\n<p><b>Solution:<\/b><\/p>\n<ul>\n<li><b>Read the documentation:<\/b> Most of these services state in their own documentation which domains must be allow-listed for them to work with CSP. Check that documentation first.<\/li>\n<li><b>Use report-only mode:<\/b> While integrating the service, run your CSP in report-only mode (`Content-Security-Policy-Report-Only`) to find every source the service tries to load that is missing from your policy.<\/li>\n<li><b>Be specific:<\/b> Avoid overly broad rules such as `script-src *;`. Add only the domains that are strictly necessary for the service to work. For Google Analytics, for instance, set specific rules such as `script-src https:\/\/www.google-analytics.com; connect-src https:\/\/www.google-analytics.com;`.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Dinamik-Olarak-Olusturulan-Iceriklerin-Yonetimi\"><\/span>Managing Dynamically Generated Content<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><b>Problem:<\/b> Some web applications generate inline script or style blocks dynamically on the server or client side. Because CSP blocks such inline code by default, this can break the site's functionality.<\/p>\n<p><b>Solution:<\/b><\/p>\n<ul>\n<li><b>Use a `nonce`:<\/b> Generate a unique `nonce` (number used once) value on the server for every request. 
Bu de\u011feri hem CSP ba\u015fl\u0131\u011f\u0131na hem de dinamik olarak olu\u015fturulan `<script>` etiketine ekleyerek o beti\u011fin g\u00fcvenli oldu\u011funu bildirin. Bu, dinamik inline script'ler i\u00e7in en g\u00fcvenli y\u00f6ntemdir.<\/li>\n<li><b>`hash` Kullan\u0131m\u0131:<\/b> E\u011fer inline script'in i\u00e7eri\u011fi statik fakat dinamik olarak sayfaya ekleniyorsa, bu script'in i\u00e7eri\u011finin bir SHA \u00f6zetini (`hash`) hesaplay\u0131p CSP ba\u015fl\u0131\u011f\u0131n\u0131za ekleyebilirsiniz.<\/li>\n<li><b>Refactoring (Yeniden D\u00fczenleme):<\/b> En ideal \u00e7\u00f6z\u00fcm, inline kod kullan\u0131m\u0131ndan tamamen ka\u00e7\u0131nmakt\u0131r. M\u00fcmk\u00fcnse, dinamik olarak olu\u015fturulan kodlar\u0131 harici `.js` dosyalar\u0131na ta\u015f\u0131y\u0131n ve bu dosyalar\u0131 `script-src` y\u00f6nergesi ile izin verilenler listesine ekleyin.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Asiri-Kisitlayici-Politikalarin-Site-Fonksiyonlarini-Bozmasi\"><\/span>A\u015f\u0131r\u0131 K\u0131s\u0131tlay\u0131c\u0131 Politikalar\u0131n Site Fonksiyonlar\u0131n\u0131 Bozmas\u0131<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><b>Sorun:<\/b> G\u00fcvenli\u011fi en \u00fcst d\u00fczeye \u00e7\u0131karma amac\u0131yla olu\u015fturulan \u00e7ok kat\u0131 bir CSP politikas\u0131, sitenin temel i\u015flevlerinin (\u00f6rne\u011fin, resimlerin g\u00f6r\u00fcnt\u00fclenmemesi, formlar\u0131n g\u00f6nderilememesi veya men\u00fclerin \u00e7al\u0131\u015fmamas\u0131) bozulmas\u0131na neden olabilir.<\/p>\n<p><b>\u00c7\u00f6z\u00fcm Yolu:<\/b><\/p>\n<ul>\n<li><b>A\u015famal\u0131 Yakla\u015f\u0131m:<\/b> Politikay\u0131 hemen zorunlu k\u0131lmak yerine, daima `Content-Security-Policy-Report-Only` ile ba\u015flay\u0131n. 
The incoming violation reports will show you which legitimate resources you are blocking.<\/li>\n<li><b>Start broad, then narrow:<\/b> You can begin with a more general policy (for example, `default-src 'self' *.example.com;`). As you analyze the reports, gradually make these rules more specific to increase security.<\/li>\n<li><b>Use the browser developer console:<\/b> CSP violations are reported in detail in the browser's developer console. Examine the error messages in the console carefully to understand why a feature is not working.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"CSP-Hatalarini-Ayiklama-Debugging-Teknikleri\"><\/span>CSP Debugging Techniques<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><b>Problem:<\/b> It can sometimes be difficult to understand why a CSP rule is blocking a resource or why a feature has broken.<\/p>\n<p><b>Solution:<\/b><\/p>\n<ul>\n<li><b>Developer console:<\/b> It is your best friend. The CSP error messages in the console clearly state the URL of the blocked resource and the CSP directive that was violated (`script-src`, `img-src`, etc.).<\/li>\n<li><b>Online CSP evaluators:<\/b> Online tools such as Google's CSP Evaluator analyze the CSP you have written and report potential errors, weaknesses and syntax problems.<\/li>\n<li><b>Network tab:<\/b> The Network tab in the browser's developer tools shows blocked requests (usually marked in red) and their status. By inspecting the request details you can find out why it was blocked.<\/li>\n<\/ul>\n<div class=\"karsilastirma\">\n<table>\n<thead>\n<tr>\n<th>Problem<\/th>\n<th>Best Approach<\/th>\n<th>What to Avoid<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Third-party scripts<\/strong><\/td>\n<td>Review the service documentation and find missing sources with report-only mode.<\/td>\n<td>Granting broad permissions such as `script-src *;`.<\/td>\n<\/tr>\n<tr>\n<td><strong>Dynamic inline scripts<\/strong><\/td>\n<td>Move the code to external files or use a `nonce`.<\/td>\n<td>Using the `unsafe-inline` keyword permanently.<\/td>\n<\/tr>\n<tr>\n<td><strong>Broken site functions<\/strong><\/td>\n<td>Tighten the policy in stages, testing in `Report-Only` mode.<\/td>\n<td>Pushing the policy straight to production without testing.<\/td>\n<\/tr>\n<tr>\n<td><strong>Debugging<\/strong><\/td>\n<td>Read the error messages in the browser developer console carefully.<\/td>\n<td>Ignoring errors or adding random rules by trial and error.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2><span class=\"ez-toc-section\" id=\"Guvenlik-Basligi-Yapilandirmaniz-Icin-Neden-IHS-Telekomu-Tercih-Etmelisiniz\"><\/span>Why Choose \u0130HS Telekom for Your Security Header Configuration?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Hardening your website with HTTP security headers, and CSP in particular, is a process that requires technical knowledge and the right infrastructure. Working with the right <a href=\"https:\/\/www.ihs.com.tr\/web-hosting\/\" target=\"_blank\">hosting<\/a> provider simplifies the process and helps you get the best results. With its expertise, advanced infrastructure and user-friendly tools, \u0130HS Telekom helps you integrate this security layer into your website easily.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Uzman-Teknik-Destek-ve-Guvenlik-Danismanligi\"><\/span>Expert Technical Support and Security Consulting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Configuring CSP and the other security headers can be challenging, especially for complex sites. You may need expert support on questions such as which directives to use, how to integrate third-party services, or how to debug an error. \u0130HS Telekom's experienced technical support team makes this process easier for you by answering your questions about security headers and guiding you to the correct configuration. 
With its security consulting service, the team helps you build the policy best suited to your site's needs.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Guvenlik-Odakli-Optimize-Edilmis-Sunucu-Altyapisi\"><\/span>Security-Focused, Optimized Server Infrastructure<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The effectiveness of security headers is directly tied to the <a href=\"https:\/\/www.ihs.com.tr\/sunucu-kiralama\/\" target=\"_blank\">server<\/a> infrastructure they run on. \u0130HS Telekom offers a server infrastructure that runs up-to-date software, undergoes regular security scans and is optimized for performance. Whether you choose a shared hosting package, a <a href=\"https:\/\/www.ihs.com.tr\/sunucu-kiralama\/vds-sunucu.html\" target=\"_blank\">VDS<\/a> or a <a href=\"https:\/\/www.ihs.com.tr\/sunucu-kiralama\/vps-server.html\" target=\"_blank\">VPS<\/a>, our servers have all the modern modules and configuration flexibility needed to apply security headers without problems. 
Our <a href=\"https:\/\/www.ihs.com.tr\/web-hosting\/wordpress-hosting.html\" target=\"_blank\">WordPress hosting<\/a> packages in particular include proactive protection mechanisms against common vulnerabilities.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kolay-Yonetim-Panelleri-ile-Hizli-Entegrasyon\"><\/span>Fast Integration with Easy Management Panels<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>For users who do not want to deal with the command line or complex configuration files, \u0130HS Telekom offers industry-standard management panels such as cPanel and Plesk. These panels provide user-friendly interfaces that let you edit `.htaccess` files or add custom Nginx rules. This lets you integrate your security headers into your site quickly with a few clicks or through a simple text editor, so that even users with little technical knowledge can significantly improve their website's security.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Web-Sitenizin-Guvenligini-ve-Performansini-Artirma-Garantisi\"><\/span>A Guarantee of Better Security and Performance for Your Website<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Security and performance are closely related. A secure website earns users' trust and strengthens brand reputation. 
With its reliable infrastructure, free <a href=\"https:\/\/www.ihs.com.tr\/blog\/ssl-sertifikasi-nedir-onemlidir\/\" target=\"_blank\">SSL certificate<\/a> support and an environment that lets you apply modern standards such as security headers easily, \u0130HS Telekom not only protects your site but also helps it load faster with HTTP\/2 and optimized server configurations. A secure, fast website means a better user experience and higher search engine rankings. Starting with the <a href=\"https:\/\/www.ihs.com.tr\/domain\/alan-adi-domain-tescili.html\" target=\"_blank\">domain lookup<\/a> and registration best suited to your project, you can manage your entire digital presence with the assurance of \u0130HS Telekom.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your website's security is one of the most critical components of your digital presence. 
Protecting user data, strengthening brand reputation and establishing a line of defense against cyberattacks&hellip;<\/p>\n","protected":false},"author":3,"featured_media":15955,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[400],"tags":[],"class_list":["post-15954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ssl-sertifikasi"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/15954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=15954"}],"version-history":[{"count":1,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/15954\/revisions"}],"predecessor-version":[{"id":15956,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/15954\/revisions\/15956"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media\/15955"}],"wp:attachment":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=15954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=15954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=15954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}