Dynamic Scan (Authenticated)

Source: Dynamic Scan (Authenticated)

Scan results obtained after logging in with the customer role, covering authenticated front-end areas such as the member pages and order pages.

Absence of Anti-CSRF Tokens

  • CWE: 352
  • Impact: 5 URLs affected
  • Remediation:
      Phase: Architecture and Design. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard.
      Phase: Implementation. Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.
      Phase: Architecture and Design. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS.
      Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS.
      Use the ESAPI Session Management control. This control includes a component for CSRF.
      Do not use the GET method for any request that triggers a state change.
      Phase: Implementation. Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • POST https://letsharu.com/my-account/

CSP: Failure to Define Directive with No Fallback

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • GET https://letsharu.com/sitemap.xml
  • POST https://letsharu.com/my-account/

CSP: Wildcard Directive

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • GET https://letsharu.com/sitemap.xml
  • POST https://letsharu.com/my-account/

CSP: script-src unsafe-inline

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • GET https://letsharu.com/sitemap.xml
  • POST https://letsharu.com/my-account/

CSP: style-src unsafe-inline

  • CWE: 693
  • Impact: 3 URLs affected
  • Remediation: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • GET https://letsharu.com/sitemap.xml
  • POST https://letsharu.com/my-account/

Multiple X-Frame-Options Header Entries

  • CWE: 1021
  • Impact: 5 URLs affected
  • Remediation: Ensure only a single X-Frame-Options header is present in the response.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/my-account/
  • GET https://letsharu.com/my-account/?action=register
  • GET https://letsharu.com/my-account/lost-password/
  • GET https://letsharu.com/register/
  • POST https://letsharu.com/my-account/

Sub Resource Integrity Attribute Missing

  • CWE: 345
  • Impact: 5 URLs affected
  • Remediation: Provide a valid integrity attribute to the tag.
  • Acceptance: after remediation, rescan and confirm that this alert no longer appears.
Affected URL examples
  • GET https://letsharu.com/
  • POST https://letsharu.com/my-account/

For alerts caused by third-party components, assess the risk and apply alternative protective measures (such as WAF rules or access restrictions).