1. Clickjacking and X-Frame-Options
If mod_headers is installed:
Header always append X-Frame-Options SAMEORIGIN
or
header('X-Frame-Options: SAMEORIGIN'); /* allow framing only by pages from the same origin */
header('X-Frame-Options: DENY');       /* or forbid framing entirely; send one of the two, not both */
or
<script> /* JavaScript frame-buster fallback: if this page is loaded inside a frame, navigate the top window to your own site */ if (top != self) top.location.href = "http://your.website.xxx/"; </script>
2. Cookie secure & HttpOnly flag
ini_set('session.cookie_secure', 1);   /* session cookie is only sent over HTTPS */
ini_set('session.cookie_httponly', 1); /* session cookie is not readable from JavaScript */
ini_set('session.use_only_cookies', 1); /* never accept the session id from the URL */
3. HTML form without CSRF protection
If you are not using a CAPTCHA, consider the simple session-based approach below.
1. http://bkcore.com/blog/code/nocsrf-php-class.html
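As an added example (not the page's own code and not the nocsrf class linked above), a minimal session-bound CSRF token in PHP that also applies the cookie flags from section 2; the csrf_* function names are this example's own:

```php
<?php
// Added example: session-bound CSRF token for an HTML form (not the nocsrf class linked above).
// Assumes PHP 7+ with sessions enabled; the csrf_* function names are this example's own.

// Cookie hardening from section 2, set before session_start() so they apply to the session cookie.
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);
session_start();

// Create (or reuse) a random per-session token and return it for embedding in the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside every state-changing <form>.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted token in constant time; reject the request if it is missing or wrong.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... handle the form submission here ...
    echo 'Form accepted';
} else {
    // Render the form with the hidden token.
    echo '<form method="post" action="">' . csrf_field()
        . '<button type="submit">Submit</button></form>';
}
```

The token is compared with hash_equals() rather than == so that the check runs in constant time, and it is regenerated per session rather than per request so that a user with several open tabs is not locked out.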