{"id":1250,"date":"2025-11-03T18:06:14","date_gmt":"2025-11-03T15:06:14","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/"},"modified":"2025-11-03T18:06:14","modified_gmt":"2025-11-03T15:06:14","slug":"http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/","title":{"rendered":"HTTP Security Headers Guide: When and How Should You Apply HSTS, CSP and the Others?"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>It was a lunch break at the office; I grabbed my coffee and sat down. One of our customers said, &#8220;Everything on the site was fine, I changed one setting, and now some pages won&#8217;t load.&#8221; At first glance I took it for a performance issue, but something caught my eye: mixed content warnings, a blank page on some pages that run embeds, and the occasional harsh warning from the browser. Sound familiar? Usually, in the middle of this mess hide four small sentences: HSTS, CSP, X-Frame-Options and X-Content-Type-Options. Each of them is an <strong>HTTP security header<\/strong>. Small headers, big effects.<\/p>\n<p>In this post I&#8217;ll approach things as if I were explaining them to a developer friend. &#8220;What does it do, where does it bite you, how do you apply it safely&#8221;: let&#8217;s go through all of it with examples. 
For instance, why it&#8217;s smart to start HSTS with a tiny value on the first rollout, why you shouldn&#8217;t tighten CSP right away, and how to decide with X-Frame-Options which page needs to stay inside an iframe; we&#8217;ll look for the answers together. Along the way I&#8217;ll back it up with real-life scenarios and add small code snippets. If you&#8217;re ready, let&#8217;s begin.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Kafadaki_Sis_Dagilsin_Guvenlik_Basligi_Dedigin_Nedir\"><span class=\"toc_number toc_depth_1\">1<\/span> Clear the Fog: What Exactly Is a Security Header?<\/a><\/li><li><a href=\"#HSTS_8220Hep_HTTPS_Kullan8221_Demenin_Ince_Yolu\"><span class=\"toc_number toc_depth_1\">2<\/span> HSTS: The Subtle Way of Saying &#8220;Always Use HTTPS&#8221;<\/a><ul><li><a href=\"#HSTS_nasil_eklenir\"><span class=\"toc_number toc_depth_2\">2.1<\/span> How do you add HSTS?<\/a><\/li><\/ul><\/li><li><a href=\"#CSP_Tarayiciya_Su_Kaynaktan_Script_Al_Digerini_Calistirma_Demek\"><span class=\"toc_number toc_depth_1\">3<\/span> CSP: Telling the Browser &#8220;Load Scripts From This Source, Don&#8217;t Run the Others&#8221;<\/a><ul><li><a href=\"#Basit_bir_CSP_ile_baslamak\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Starting with a simple CSP<\/a><\/li><\/ul><\/li><li><a href=\"#X-Frame-Options_ve_Clickjacking_Penceremi_Kimse_Tasimayacak\"><span class=\"toc_number toc_depth_1\">4<\/span> X-Frame-Options and Clickjacking: Nobody Moves My Window<\/a><ul><li><a href=\"#Hizli_uygulama\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Quick setup<\/a><\/li><\/ul><\/li><li><a 
href=\"#X-Content-Type-Options_8220Turunu_Tahmin_Etme_Ben_Soylerim8221\"><span class=\"toc_number toc_depth_1\">5<\/span> X-Content-Type-Options: &#8220;Don&#8217;t Guess the Type, I&#8217;ll Tell You&#8221;<\/a><\/li><li><a href=\"#Sahaya_Surmek_Nginx_Apache_htaccess_cPanel_ve_Cloudflare_Ile_Adim_Adim\"><span class=\"toc_number toc_depth_1\">6<\/span> Into the Field: Step by Step with Nginx, Apache, .htaccess, cPanel and Cloudflare<\/a><ul><li><a href=\"#Uygularken_dikkat_edecegin_kucuk_ama_kritik_nuanslar\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Small but critical nuances to watch while applying<\/a><\/li><\/ul><\/li><li><a href=\"#Dogrulama_Test_ve_Kademeli_Yayin_Kirmadan_Sertlestir\"><span class=\"toc_number toc_depth_1\">7<\/span> Verification, Testing and Gradual Rollout: Harden Without Breaking<\/a><\/li><li><a href=\"#Kapanis_Kucuk_Basliklar_Buyuk_Etki\"><span class=\"toc_number toc_depth_1\">8<\/span> Closing: Small Headers, Big Impact<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Kafadaki_Sis_Dagilsin_Guvenlik_Basligi_Dedigin_Nedir\">Clear the Fog: What Exactly Is a Security Header?<\/span><\/h2>\n<p>Think of the browser as a guest. When it opens your site, you tell it some rules: &#8220;Come in through this door, look in this room, these things are allowed, those aren&#8217;t.&#8221; <strong>HTTP security headers<\/strong> are exactly the little notes on which you write those rules. They are attached to the top of the response going from the server to the browser, and the browser behaves according to these notes.<\/p>\n<p>For example, if you say &#8220;Only use a secure connection,&#8221; HSTS kicks in. 
When you say &#8220;Don&#8217;t run scripts except from these domains,&#8221; CSP is speaking. When you want to say &#8220;I don&#8217;t want to be embedded inside another site,&#8221; you use X-Frame-Options. And when you say &#8220;Don&#8217;t try to guess the content type,&#8221; X-Content-Type-Options takes the floor. Four headers, four clear rules. The clearer you are, the better the browser understands.<\/p>\n<p>The nice part is that they are all small settings. But the impact is big. Applied wrongly, though, they can cause unexpected lockouts. So think of these headers like pizza dough: start soft, and let it firm up as it finds its consistency. Approached this way, you raise security and avoid surprises in production.<\/p>\n<h2 id=\"section-2\"><span id=\"HSTS_8220Hep_HTTPS_Kullan8221_Demenin_Ince_Yolu\">HSTS: The Subtle Way of Saying &#8220;Always Use HTTPS&#8221;<\/span><\/h2>\n<p>HSTS (HTTP Strict-Transport-Security) is the way to tell the browser &#8220;Only come to this site over HTTPS, forget any other path.&#8221; What does it deliver in practice? Once your visitor has come in over HTTPS, on the next visit the browser won&#8217;t even consider HTTP. It is a solid lock against man-in-the-middle attacks, a practice that reduces mixed content warnings, and a touch that simplifies redirect traffic.<\/p>\n<p>The most critical points here are <strong>max-age<\/strong> and <strong>includeSubDomains<\/strong>. Don&#8217;t set a very long duration on the first try. 
Start with a small value and raise it gradually if there are no problems. If your subdomains aren&#8217;t ready for this rule, don&#8217;t add includeSubDomains, or a test subdomain may get locked out unexpectedly. Once the preparation is complete, add it. When you don&#8217;t rush this, it works like magic.<\/p>\n<h3><span id=\"HSTS_nasil_eklenir\">How do you add HSTS?<\/span><\/h3>\n<p>If you&#8217;re using Nginx, a line like this in the server block does the job:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains; preload&quot; always;<\/code><\/pre>\n<p>For Apache, you can add it either to the virtual host config or to .htaccess:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set Strict-Transport-Security &quot;max-age=31536000; includeSubDomains; preload&quot;<\/code><\/pre>\n<p>So what is &#8220;preload&#8221;? In short, it is like having your name written into the major browsers&#8217; built-in list. That way, even on the very first visit, the browser thinks of you only over HTTPS. For the application process you can visit the <a href=\"https:\/\/hstspreload.org\/\" rel=\"nofollow noopener\" target=\"_blank\">HSTS preload list submission page<\/a>. But let me remind you again: the preload decision is a step that is hard to undo; make sure your subdomains and redirects are fully settled first.<\/p>\n<p>By the way, security isn&#8217;t only about headers; there is work at the network layer too. 
To shrink the attack surface, I recommend you look at the practical notes on <a href=\"https:\/\/www.dchost.com\/blog\/guvenlik-duvari-firewall-nedir-ve-neden-onemlidir\/\">why the firewall is a critical layer<\/a>. When HSTS, a firewall and well-configured TLS come together, the front door is much sturdier.<\/p>\n<h2 id=\"section-3\"><span id=\"CSP_Tarayiciya_Su_Kaynaktan_Script_Al_Digerini_Calistirma_Demek\">CSP: Telling the Browser &#8220;Load Scripts From This Source, Don&#8217;t Run the Others&#8221;<\/span><\/h2>\n<p>CSP (Content-Security-Policy) is perhaps the most effective header, but also the fussiest during initial setup. That is because you define, one by one, where the resources on the page may be loaded from and how. Misconfigure it and buttons unexpectedly stop working, a widget disappears, even your analytics script fails to load. So rather than trying to tighten CSP in a day, it is wise to go step by step, measuring as you go.<\/p>\n<p>I usually start with &#8220;Report-Only.&#8221; That is, I write the rules but for now tell the browser only to report. That way I see in production what would break and take notes. Then I finalize the rules and switch to real (enforcement) mode. For example, think of it like this: first allow scripts and styles only from your own domain. Then add the CDNs you use. Finally add a <strong>nonce<\/strong> mechanism for inline scripts. 
Settling them one at a time, the pieces fall into place.<\/p>\n<h3><span id=\"Basit_bir_CSP_ile_baslamak\">Starting with a simple CSP<\/span><\/h3>\n<p>The policy below will do for a start. Extend it to your own needs:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Content-Security-Policy: default-src 'self'; script-src 'self' https:\/\/cdn.example.com 'nonce-r4nd0m'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;<\/code><\/pre>\n<p>You generate the nonce randomly for each response and put it on the inline script in the page: <code>&lt;script nonce=\"r4nd0m\"&gt;...&lt;\/script&gt;<\/code>. Placing it with server-side templating is easy. The &#8220;Report-Only&#8221; version looks like this:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Content-Security-Policy-Report-Only: default-src 'self'; ... ; report-to csp-endpoint;<\/code><\/pre>\n<p>Note that the <code>csp-endpoint<\/code> name used with <code>report-to<\/code> must be declared in a separate <code>Reporting-Endpoints<\/code> response header, otherwise no report is sent anywhere; for browsers without Reporting API support, the older <code>report-uri<\/code> directive with a full URL still works as a fallback.<\/p>\n<p>If you want a resource where the explanations and examples are gathered in one place while writing policies, <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CSP\" rel=\"nofollow noopener\" target=\"_blank\">MDN&#8217;s comprehensive CSP guide<\/a> will serve you well as a reference. &#8220;Which directive does what&#8221; is explained clearly there.<\/p>\n<p>Security doesn&#8217;t stand alone; it goes hand in hand with performance and the network layer. For example, when you move to HTTP\/2 or HTTP\/3, your resource loading strategy changes too. 
While overhauling these headers, it is good to keep <a href=\"https:\/\/www.dchost.com\/blog\/http-3-protokolu-web-hosting-performansina-etkileri\/\">the performance effects of the HTTP\/3 protocol<\/a> in mind. It is possible to keep speed while tightening security.<\/p>\n<h2 id=\"section-4\"><span id=\"X-Frame-Options_ve_Clickjacking_Penceremi_Kimse_Tasimayacak\">X-Frame-Options and Clickjacking: Nobody Moves My Window<\/span><\/h2>\n<p>It may have happened to you: a user says that a section of your site is being opened inside an iframe on another site. Even if everything looks normal, attempts to steal clicks through an invisible layer on top can be made. This is called clickjacking. X-Frame-Options is a one-sentence solution at this point: you can say &#8220;Nobody may embed me&#8221; or &#8220;Only I may embed myself.&#8221;<\/p>\n<p>In practice two settings are commonly used: <strong>DENY<\/strong> or <strong>SAMEORIGIN<\/strong>. The first means &#8220;never frame me&#8221;; the second means &#8220;I may be embedded from within my own origin.&#8221; 
If you deliberately need to embed into an external application panel, the strategy changes; in that case the modern approach, using CSP&#8217;s <strong>frame-ancestors<\/strong> directive, is a more flexible and up-to-date route.<\/p>\n<h3><span id=\"Hizli_uygulama\">Quick setup<\/span><\/h3>\n<p>Nginx:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header X-Frame-Options &quot;SAMEORIGIN&quot; always;<\/code><\/pre>\n<p>Apache \/ .htaccess:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set X-Frame-Options &quot;SAMEORIGIN&quot;<\/code><\/pre>\n<p>If you have a few pages that use iframes, first note where, and from which domain, each one is embedded. If necessary, on those pages use <code>frame-ancestors<\/code> in CSP instead of X-Frame-Options for finer control. This flexibility gives a smooth transition, especially when working with payment providers or live-support widgets.<\/p>\n<h2 id=\"section-5\"><span id=\"X-Content-Type-Options_8220Turunu_Tahmin_Etme_Ben_Soylerim8221\">X-Content-Type-Options: &#8220;Don&#8217;t Guess the Type, I&#8217;ll Tell You&#8221;<\/span><\/h2>\n<p>Browsers sometimes try to guess the type of incoming content. Normally it looks innocent, but in some cases it can open the door to unwanted execution. By saying <strong>X-Content-Type-Options: nosniff<\/strong>, you give the message &#8220;accept whatever I send, don&#8217;t guess beyond it.&#8221; 
A small setting with a clean effect.<\/p>\n<p>For Nginx:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header X-Content-Type-Options &quot;nosniff&quot; always;<\/code><\/pre>\n<p>For Apache \/ .htaccess:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set X-Content-Type-Options &quot;nosniff&quot;<\/code><\/pre>\n<p>Of course this header alone isn&#8217;t enough; make sure your static files are served with the correct <code>Content-Type<\/code>. Your CSS file should go out as <code>text\/css<\/code>, your JS file as <code>application\/javascript<\/code>. Small cleanups prevent big surprises.<\/p>\n<h2 id=\"section-6\"><span id=\"Sahaya_Surmek_Nginx_Apache_htaccess_cPanel_ve_Cloudflare_Ile_Adim_Adim\">Into the Field: Step by Step with Nginx, Apache, .htaccess, cPanel and Cloudflare<\/span><\/h2>\n<p>Now let&#8217;s take this into the kitchen. If you&#8217;re asking &#8220;I use Nginx, where do I start?&#8221;, my suggestion is to gather all the headers together in the <strong>server<\/strong> block. It is both tidier and you won&#8217;t forget where you did what. One Nginx nuance to remember: <code>add_header<\/code> directives are inherited from the server block only when the current level (a <code>location<\/code> block, say) defines none of its own; as soon as a location adds even one header, the server-level ones no longer apply there, so check every location that sets its own headers. 
The bundle below is a basic starting profile:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains; preload&quot; always;\nadd_header Content-Security-Policy &quot;default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;&quot; always;\nadd_header X-Frame-Options &quot;SAMEORIGIN&quot; always;\nadd_header X-Content-Type-Options &quot;nosniff&quot; always;<\/code><\/pre>\n<p>On the Apache side you can prefer the virtual host config. In a shared environment .htaccess works too. An example .htaccess fragment:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">&lt;IfModule mod_headers.c&gt;\n  Header always set Strict-Transport-Security &quot;max-age=31536000; includeSubDomains; preload&quot;\n  Header always set Content-Security-Policy &quot;default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests;&quot;\n  Header always set X-Frame-Options &quot;SAMEORIGIN&quot;\n  Header always set X-Content-Type-Options &quot;nosniff&quot;\n&lt;\/IfModule&gt;<\/code><\/pre>\n<p>If you use cPanel, adding a .htaccess to the root directory with the file manager is usually the fastest way. If you need help on the installation and environment management side, <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/\">this guide that covers VPS server security in practical, scalable steps<\/a> is a good companion for setting up the server layer solidly. 
As the infrastructure settles, the effect of the headers also becomes more visible.<\/p>\n<p>If you use a CDN or Cloudflare, it is even easier. In the &#8220;Rules&#8221; section, with HTTP Response Header rules, you can push these headers to all your edge locations from a single panel. If you have a distributed setup, this central method both ensures consistency and reduces the chance that a forgotten server leaves a door open.<\/p>\n<h3><span id=\"Uygularken_dikkat_edecegin_kucuk_ama_kritik_nuanslar\">Small but critical nuances to watch while applying<\/span><\/h3>\n<p>Don&#8217;t turn HSTS on with an &#8220;infinite&#8221;-like long duration on day one. Try a short duration first, then raise it. Observe CSP in &#8220;Report-Only&#8221; mode; look at the violations you see in the console, and add your CDNs and third-party services one by one. If some pages deliberately need to be embedded under X-Frame-Options, apply a different rule for those pages or be flexible with <code>frame-ancestors<\/code> in CSP.<\/p>\n<p>While strengthening the security side, don&#8217;t neglect the network layer either. To account for sudden fluctuations and capacity tests, reading about <a href=\"https:\/\/www.dchost.com\/blog\/ddos-saldirilari-ve-korunma-yontemleri\/\">DDoS attacks and protection methods from a more practical angle<\/a> will point the way. 
With the headers applied and the network and application layers on defense, you strike a good balance.<\/p>\n<h2 id=\"section-7\"><span id=\"Dogrulama_Test_ve_Kademeli_Yayin_Kirmadan_Sertlestir\">Verification, Testing and Gradual Rollout: Harden Without Breaking<\/span><\/h2>\n<p>My favorite test routine is very simple. First I look with a <code>curl -I<\/code> in the terminal:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">curl -I https:\/\/seninsiten.com<\/code><\/pre>\n<p>I check whether the headers show up in the response. Then I open the browser console and look for warnings both in the network tab and in the console. CSP violations show up very clearly there. Then I roll out to a small group of users, listen for errors, and gradually open it to all traffic.<\/p>\n<p>I also like automated checks. From time to time I check the header score with a <a href=\"https:\/\/securityheaders.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Security Headers scan<\/a> and see the effect of the changes. An A grade sometimes looks like the only goal, but the real issue is raising security without breaking the site&#8217;s business goals. That is why it makes most sense to tune the strictness level to the product&#8217;s requirements.<\/p>\n<p>One last point: headers shine on the assumption that the application is securely coded and the infrastructure is solid. On the code side, classic topics like input validation, output escaping and session management are in the same equation. Thinking of security in layers is a good habit. 
In this context, when thinking about traffic management and segmentation, <a href=\"https:\/\/www.dchost.com\/blog\/guvenlik-duvari-firewall-nedir-ve-neden-onemlidir\/\">the firewall&#8217;s role<\/a> and network-layer defense should be remembered. And on the performance side, if you&#8217;re saying &#8220;I don&#8217;t want to give up speed,&#8221; it is possible to hit both targets at once with modern protocols, caching and compression. For this balance, keep <a href=\"https:\/\/www.dchost.com\/blog\/http-3-protokolu-web-hosting-performansina-etkileri\/\">these notes on HTTP\/3<\/a> in a corner of your mind.<\/p>\n<h2 id=\"section-8\"><span id=\"Kapanis_Kucuk_Basliklar_Buyuk_Etki\">Closing: Small Headers, Big Impact<\/span><\/h2>\n<p>Let&#8217;s wrap up. With HSTS, &#8220;secure connection only&#8221; becomes clear. With CSP, &#8220;what gets loaded from which source&#8221; gets sharp. With X-Frame-Options, the clickjacking door closes. With X-Content-Type-Options, the browser gets the message &#8220;don&#8217;t guess, I&#8217;m telling you.&#8221; Together, the four narrow the attack surface quietly but effectively.<\/p>\n<p>No need to rush while applying. First a short HSTS duration, then raise it. Observe CSP with Report-Only and decide which CDN and which third party you really need. Set X-Frame-Options as the general rule and entrust the exceptional pages to CSP&#8217;s <code>frame-ancestors<\/code>. Don&#8217;t forget X-Content-Type-Options; on top of that, serve files with the correct content types. 
Once you&#8217;ve settled into this rhythm, the number of surprises drops quickly.<\/p>\n<p>Let me leave a note for the infrastructure side too: the server&#8217;s basic security, updates, monitoring and logs are a whole. If you&#8217;re looking for a detailed roadmap, the <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/\">VPS security guide<\/a> is a good compass. I hope this post brings you one step closer to headers. Let it stay here as a guide you can come back to when you get stuck. See you in the next post; in the meantime, how about enabling a small HSTS today and starting to try CSP with Report-Only?<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>It was a lunch break at the office; I grabbed my coffee and sat down. One of our customers said, &#8220;Everything on the site was fine, I changed one setting, and now some pages won&#8217;t load.&#8221; At first glance I took it for a performance issue, but something caught my eye: mixed content warnings, a blank page on some pages that run embeds, and the occasional harsh warning from the browser. Sound familiar? 
Usually, in the middle of this mess hide four small sentences [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1251,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1250","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-genel"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1250"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1250\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1251"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}