{"id":1800,"date":"2025-11-13T20:41:28","date_gmt":"2025-11-13T17:41:28","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/samesitelax-mi-strict-mi-secure-ve-httponly-ile-nginx-apachede-cerezleri-tertemiz-nasil-kurarsin\/"},"modified":"2025-11-13T20:41:28","modified_gmt":"2025-11-13T17:41:28","slug":"samesitelax-mi-strict-mi-secure-ve-httponly-ile-nginx-apachede-cerezleri-tertemiz-nasil-kurarsin","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/samesitelax-mi-strict-mi-secure-ve-httponly-ile-nginx-apachede-cerezleri-tertemiz-nasil-kurarsin\/","title":{"rendered":"SameSite=Lax or Strict? How to Set Up Cookies Cleanly with Secure and HttpOnly in Nginx\/Apache"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Ofiste_Kucuk_Bir_Panigin_Hikayesi_Tarayici_Nazi_Cerez_Bayraklari_ve_Bir_Kahve\"><span class=\"toc_number toc_depth_1\">1<\/span> A Small Office Panic Story: the \u201cFussy\u201d Browser, Cookie Flags and a Coffee<\/a><\/li><li><a href=\"#Bu_Bayraklar_Neyi_Kurtariyor_Biraz_Ic_Yuzunu_Anlatalim\"><span class=\"toc_number toc_depth_1\">2<\/span> What Do These Flags Protect? A Look Under the Hood<\/a><\/li><li><a href=\"#SameSiteLax_mi_Strict_mi_Peki_ya_None_Ne_Zaman\"><span class=\"toc_number toc_depth_1\">3<\/span> SameSite=Lax or Strict? And When None?<\/a><\/li><li><a href=\"#Nginxte_Cerez_Bayraklarini_Eklemek_Proxy_Arkasinda_Zarif_Dokunus\"><span class=\"toc_number toc_depth_1\">4<\/span> Adding Cookie Flags in Nginx: A Graceful Touch Behind the Proxy<\/a><\/li><li><a href=\"#Apachede_Cerez_Bayraklari_mod_headers_ile_Son_Dokunus\"><span class=\"toc_number toc_depth_1\">5<\/span> Cookie Flags in Apache: The \u201cFinal Touch\u201d with mod_headers<\/a><\/li><li><a href=\"#Uygulama_Kodunda_Dogru_Ayar_Node_PHP_Laravel_Django_Spring\"><span class=\"toc_number toc_depth_1\">6<\/span> Setting It Right in Application Code: Node, PHP, Laravel, Django, Spring<\/a><\/li><li><a href=\"#ProxyCDN_Arkasinda_Guvenli_Akis_Kucuk_Bir_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">7<\/span> A Secure Flow Behind a Proxy\/CDN: A Short Roadmap<\/a><\/li><li><a href=\"#Odeme_SSO_ve_Iframe_Donusleri_Neden_Oturum_Kayboldu_Sorunsalini_Yumusatmak\"><span class=\"toc_number toc_depth_1\">8<\/span> Payment, SSO and Iframe Returns: Easing the \u201cWhy Did the Session Vanish?\u201d Problem<\/a><\/li><li><a href=\"#Dogru_Bayrak_Dogru_Omur_Dogru_Kapsam_Kucuk_Ayarlarin_Buyuk_Farki\"><span class=\"toc_number toc_depth_1\">9<\/span> Right Flag + Right Lifetime + Right Scope: The Big Difference Small Settings Make<\/a><\/li><li><a href=\"#Set-Cookie_Nasil_Gorunmeli_Gozumuz_Alissin\"><span class=\"toc_number toc_depth_1\">10<\/span> What Should Set-Cookie Look Like? Let's Train Our Eye<\/a><\/li><li><a href=\"#Test_Dogrulama_ve_Kucuk_Araclar\"><span class=\"toc_number toc_depth_1\">11<\/span> Testing, Verification and Small Tools<\/a><\/li><li><a href=\"#Lets_Encrypt_Sertifikalar_ve_Secure_Bayraginin_Hakkini_Vermek\"><span class=\"toc_number toc_depth_1\">12<\/span> Let's Encrypt, Certificates and \u201cDoing Justice\u201d to the Secure Flag<\/a><\/li><li><a href=\"#Kucuk_Tuzaklar_HttpOnly_Her_Zaman_Mi_Ve_Gorunmez_Bozulmalar\"><span class=\"toc_number toc_depth_1\">13<\/span> Small Traps: HttpOnly Always? And \u201cInvisible\u201d Breakages<\/a><\/li><li><a href=\"#Adim_Adim_Uygulama_Basit_Bir_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">14<\/span> Step-by-Step Implementation: A Simple Roadmap<\/a><\/li><li><a href=\"#Kapanis_Kucuk_Bayraklar_Buyuk_Sukunet\"><span class=\"toc_number toc_depth_1\">15<\/span> Closing: Small Flags, Great Calm<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Ofiste_Kucuk_Bir_Panigin_Hikayesi_Tarayici_Nazi_Cerez_Bayraklari_ve_Bir_Kahve\">A Small Office Panic Story: the \u201cFussy\u201d Browser, Cookie Flags and a Coffee<\/span><\/h2>\n<p>Have you ever seen users write \u201cI can't log into my account\u201d at a moment you least expected, even though the login form works fine? I have been through it not once but several times. In one case, when we came back from the card payment page, the session behaved as if it had \u201cvanished\u201d. Everyone on the team swore they were entering the right password, the logs showed no errors, but the browser was silently rejecting the session cookie. That day I put down my coffee and took another look at these small but critical attributes: <strong>SameSite<\/strong>, <strong>Secure<\/strong> and <strong>HttpOnly<\/strong>.<\/p>\n<p>Today I want to talk about exactly this topic, in a conversational tone and with plenty of real examples. Once we know what we are flagging, where and why, we both raise security and solve that strange \u201cit looks like you were logged out on the way back from payment\u201d feeling. In the rest of this post we will first clarify what these flags do. Then we will go step by step through how to add them in Nginx and Apache, how to set them correctly in application code, and what not to forget when a proxy\/CDN sits in between. We will finish with practical test methods and a few small tips.<\/p>\n<h2 id=\"section-2\"><span id=\"Bu_Bayraklar_Neyi_Kurtariyor_Biraz_Ic_Yuzunu_Anlatalim\">What Do These Flags Protect? A Look Under the Hood<\/span><\/h2>\n<p>A cookie is like a small note held by the browser. The server says \u201cthis user is Ahmet\u201d, and the browser remembers it with a cookie. But should everyone be able to see this note, should it be sent in every situation, should it travel even over an insecure connection? Three friends help answer these questions: <strong>SameSite<\/strong>, <strong>Secure<\/strong> and <strong>HttpOnly<\/strong>. Each one shapes the browser's decision of \u201cwhen and how should this cookie be sent\u201d.<\/p>\n<p><strong>Secure<\/strong> ensures the cookie is only carried over HTTPS. It is shorthand for \u201cdo not send it over an unencrypted path\u201d. <strong>HttpOnly<\/strong> prevents JavaScript from touching the cookie, so that in a scenario such as XSS an attacker cannot read it. <strong>SameSite<\/strong> restricts, to a degree, sending the cookie with requests that originate outside the site. That makes it a brake in scenarios like CSRF, where \u201ca request coming from another site gets work done with the user's session\u201d. It looks simple, but getting the setting right is delicate work, especially in projects with redirects and payment\/SSO returns.<\/p>\n<h2 id=\"section-3\"><span id=\"SameSiteLax_mi_Strict_mi_Peki_ya_None_Ne_Zaman\">SameSite=Lax or Strict? And When None?<\/span><\/h2>\n<p>Think of it like this: someone arrives at your site by clicking a link on a social network. The browser notes that \u201cwe came from another site\u201d. If your cookie is <strong>SameSite=Strict<\/strong>, the session cookie may not be sent on this visit, and the user looks as if they have been logged out. In some projects this is the desired behaviour, because it provides the strictest security. But most customer journeys start their first visit from outside, from a link. That is why Strict can sometimes feel too strict.<\/p>\n<p><strong>SameSite=Lax<\/strong> behaves more gently in daily life. It keeps the cookie on most normal navigations arriving from an external link, but can hold it back on some requests made \u201cin the background\u201d. For most of our login forms and ordinary page navigation flows, Lax works nicely. If the project does not need something like \u201ca widget running inside an iframe on another domain\u201d, Lax is generally the balanced point for both security and usability.<\/p>\n<p>Then there is <strong>SameSite=None<\/strong>. It allows the cookie to be sent in every kind of cross-site scenario, but it brings one condition: <strong>Secure is mandatory<\/strong>. So if you use None, non-HTTPS paths must be closed. This setting usually makes sense for third-party integrations, SSO and payment services when an iframe or cross-domain flow is required. In short: for most applications Lax is a good start; if it does not work, switch to None in a controlled way; Strict offers a valuable security lock for very closed policies.<\/p>\n<h2 id=\"section-4\"><span id=\"Nginxte_Cerez_Bayraklarini_Eklemek_Proxy_Arkasinda_Zarif_Dokunus\">Adding Cookie Flags in Nginx: A Graceful Touch Behind the Proxy<\/span><\/h2>\n<p>If your application runs behind Nginx, the upstream application sometimes leaves cookies without flags and you want to fix them \u201cat the last moment\u201d in Nginx. I use two routes here. If your Nginx version supports it, <strong>proxy_cookie_flags<\/strong> lets you say \u201cadd Secure, HttpOnly and SameSite to cookies with this name\u201d. In older versions or other scenarios, the <strong>proxy_cookie_path<\/strong> trick makes it possible to put extra attributes on the Set-Cookie line.<\/p>\n<p>First, adding flags by name is the practical option. For example, if the session cookie is JSESSIONID or sessionid, it looks something like this:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">location \/ {\n    proxy_pass http:\/\/app;\n    # Flags for one specific cookie name (proxy_cookie_flags needs nginx 1.19.3 or newer)\n    proxy_cookie_flags sessionid Secure HttpOnly SameSite=Lax;\n    # A case-insensitive name pattern (~* prefix) also works;\n    # when several directives match, the first one wins\n    proxy_cookie_flags ~*session Secure HttpOnly SameSite=Lax;\n}\n<\/code><\/pre>\n<p>If you do not have this directive, you can try the following method. It is an edit that looks as if it touches the path when the upstream Set-Cookie arrives, but actually adds flags:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">location \/ {\n    proxy_pass http:\/\/app;\n    # Rewrites the Path attribute of every upstream cookie that carries Path=\/\n    # and smuggles the flags in after it\n    proxy_cookie_path \/ &quot;\/; Secure; HttpOnly; SameSite=Lax&quot;;\n}\n<\/code><\/pre>\n<p>The point to watch here is that this method touches every cookie. Some cookies may need to stay without HttpOnly (for instance a preference cookie that client-side JS has to read). In that case it is healthier to prefer the method that targets only the critical ones, such as the session cookie. Also, hardening your Nginx TLS settings does justice to the Secure flag; on that topic, <a href=\"https:\/\/www.dchost.com\/blog\/nginx-apachede-ecdsa-rsa-ikili-ssl-uyumluluk-mu-hiz-mi-ikisini-birden-nasil-alirsin\/\">dual ECDSA + RSA SSL in Nginx\/Apache<\/a> strikes a nice balance between compatibility and speed.<\/p>\n<h2 id=\"section-5\"><span id=\"Apachede_Cerez_Bayraklari_mod_headers_ile_Son_Dokunus\">Cookie Flags in Apache: The \u201cFinal Touch\u201d with mod_headers<\/span><\/h2>\n<p>On the Apache side, editing the Set-Cookie header with <strong>mod_headers<\/strong> has become part of my daily work. There are two styles: either you append to every Set-Cookie line, or you put a targeted edit on a specific cookie name. If you append globally, unwanted cookies also become HttpOnly and disappear from JS, so be careful.<\/p>\n<p>A global append example looks like this:<\/p>\n<pre class=\"language-apacheconf line-numbers\"><code class=\"language-apacheconf\">&lt;IfModule mod_headers.c&gt;\n  # Appends the flags to every Set-Cookie the response carries\n  Header edit Set-Cookie ^(.*)$ &quot;$1; HttpOnly; Secure; SameSite=Lax&quot;\n&lt;\/IfModule&gt;\n<\/code><\/pre>\n<p>For a more targeted approach, it is nicer to catch a specific cookie such as JSESSIONID or session and add the flags only there:<\/p>\n<pre class=\"language-apacheconf line-numbers\"><code class=\"language-apacheconf\">&lt;IfModule mod_headers.c&gt;\n  # Only the session cookie is touched; other cookies stay readable by JS\n  Header edit Set-Cookie &quot;^(JSESSIONID=.*)$&quot; &quot;$1; HttpOnly; Secure; SameSite=Lax&quot;\n&lt;\/IfModule&gt;\n<\/code><\/pre>\n<p>When configuring Apache, note this too: make sure you are behind HTTPS. If TLS terminates at the load balancer in front and Apache receives HTTP, the Secure flag still does its job, but the application cannot correctly form its \u201cis this request secure\u201d perception. You need to make sure that headers such as X-Forwarded-Proto are carried correctly and that the application trusts the proxy.<\/p>\n<h2 id=\"section-6\"><span id=\"Uygulama_Kodunda_Dogru_Ayar_Node_PHP_Laravel_Django_Spring\">Setting It Right in Application Code: Node, PHP, Laravel, Django, Spring<\/span><\/h2>\n<p>The most robust route is for the application itself to set the cookie with the right flags. That both expresses the intent clearly and reduces dependence on the proxy layer. Below I share a few languages and frameworks with practical examples. In Express, for instance, the session cookie settings are very readable:<\/p>\n<pre class=\"language-javascript line-numbers\"><code class=\"language-javascript\">\/\/ Express (Node.js)\nconst express = require('express');\nconst session = require('express-session');\n\nconst app = express();\napp.set('trust proxy', 1); \/\/ so the app sees HTTPS correctly behind an LB\/CDN\napp.use(session({\n  secret: 'bir-nihai-sir', \/\/ placeholder; load the real secret from the environment\n  name: 'sessionid',\n  cookie: {\n    httpOnly: true,\n    secure: true,       \/\/ HTTPS is required in production\n    sameSite: 'lax',    \/\/ 'strict' or 'none' depending on the need\n    path: '\/',\n  }\n}));\n<\/code><\/pre>\n<p>In PHP, <code>setcookie<\/code> with the modern options array has become quite readable. A small but effective example:<\/p>\n<pre class=\"language-php line-numbers\"><code class=\"language-php\">&lt;?php\n\/\/ PHP (7.3+)\n$value = bin2hex(random_bytes(32)); \/\/ the session token, generated from a CSPRNG\nsetcookie(\n  'sessionid',\n  $value,\n  [\n    'expires'  =&gt; time() + 3600,\n    'path'     =&gt; '\/',\n    'secure'   =&gt; true,\n    'httponly' =&gt; true,\n    'samesite' =&gt; 'Lax',\n  ]\n);\n<\/code><\/pre>\n<p>In Laravel things are even nicer, because the configuration files keep the setup consistent. These are the settings I like in <code>config\/session.php<\/code>:<\/p>\n<pre class=\"language-php line-numbers\"><code class=\"language-php\">\/\/ Laravel (config\/session.php)\n'require_https' =&gt; true,\n'http_only' =&gt; true,\n'same_site' =&gt; 'lax', \/\/ 'strict' \/ 'none' depending on the flow\n'secure' =&gt; env('SESSION_SECURE_COOKIE', true),\n<\/code><\/pre>\n<p>On the Django side, the session cookie and the CSRF cookie should be considered separately. The session cookie should be HttpOnly, but in most projects the CSRF cookie is read by JS. So giving the CSRF cookie HttpOnly can break things depending on your project. A good starting point:<\/p>\n<pre class=\"language-python line-numbers\"><code class=\"language-python\"># Django settings.py\nSESSION_COOKIE_SECURE = True\nSESSION_COOKIE_HTTPONLY = True\nSESSION_COOKIE_SAMESITE = 'Lax'\nCSRF_COOKIE_SECURE = True\n# CSRF_COOKIE_HTTPONLY = False  # Left at the default in most projects; evaluate per need\n<\/code><\/pre>\n<p>In Spring Boot the settings have also been simplified. Direct configuration is enough for the session cookie:<\/p>\n<pre class=\"language-properties line-numbers\"><code class=\"language-properties\"># Spring Boot (application.properties or yml)\nserver.servlet.session.cookie.secure=true\nserver.servlet.session.cookie.http-only=true\nserver.servlet.session.cookie.same-site=lax\n<\/code><\/pre>\n<p>The common denominator here: <strong>HTTPS is mandatory<\/strong> in production. Otherwise a cookie with the Secure flag never gets sent, and you end up with annoying \u201csometimes it works, sometimes it doesn't\u201d scenarios. Also, if you run behind a proxy, make sure the application derives its \u201csecure connection perception\u201d correctly from headers such as X-Forwarded-Proto and X-Forwarded-For.<\/p>\n<h2 id=\"section-7\"><span id=\"ProxyCDN_Arkasinda_Guvenli_Akis_Kucuk_Bir_Yol_Haritasi\">A Secure Flow Behind a Proxy\/CDN: A Short Roadmap<\/span><\/h2>\n<p>In many projects TLS terminates at the CDN or load balancer layer. Even if plain HTTP is spoken between the application and the reverse proxy, the line to the browser must be secure. I watch two things at this point. First, configuring \u201ctrust proxy\u201d or its equivalent in the application so it can tell that the incoming request actually came over HTTPS. Second, making sure the Secure-marked cookie is not accidentally dropped along the way.<\/p>\n<p>If HAProxy, Nginx or your cloud provider's CDN is in play, make sure the right headers are set. For example, setting X-Forwarded-Proto=https and trusting it in the application clarifies the \u201cis it secure\u201d perception. If these topics interest you, my <a href=\"https:\/\/www.dchost.com\/blog\/haproxy-ile-l4-l7-yuk-dengeleme-nasil-sifir-kesinti-sunar-health-check-sticky-sessions-ve-tls-passthroughu-sade-sade-konusalim\/\">post on L4\/L7 load balancing with HAProxy<\/a>, where I explain layer 7 flows plainly, may be a nice complement.<\/p>\n<p>Some services set the cookie themselves and you only want to touch it at the proxy. In that case the proxy_cookie_flags approach targeting specific cookies in Nginx, and a name-based edit with mod_headers in Apache, are the least risky. Editing all cookies wholesale can later produce the surprise of \u201cthat small preference cookie isn't visible in JS\u201d.<\/p>\n<h2 id=\"section-8\"><span id=\"Odeme_SSO_ve_Iframe_Donusleri_Neden_Oturum_Kayboldu_Sorunsalini_Yumusatmak\">Payment, SSO and Iframe Returns: Easing the \u201cWhy Did the Session Vanish?\u201d Problem<\/span><\/h2>\n<p>The places that cause the most trouble are the flows where we send the user to an external site and take them back. The payment page, the SSO provider or a third-party widget all fall into this category. If the session cookie is Strict, the browser may not send it on the return, and it looks like \u201cyou've been logged out\u201d. Lax is usually more understanding of this flow, but can still be tight-lipped on some special POST returns.<\/p>\n<p>In that situation I like a two-step solution. First, if it is truly needed, use <strong>SameSite=None<\/strong> for the specific flows and always add <strong>Secure<\/strong> to that cookie. Second, set up <strong>CSRF<\/strong> protection correctly on the server side, because once you say None, cross-site requests can carry the cookie too. None is not a cure-all, but in \u201cmandatory\u201d integrations it can be the only correct choice. Here you need to think about the application's session duration, token refresh flow and redirect logic together.<\/p>\n<p>On the e-commerce side these settings also connect to the world of compliance and audits. Even if credit card data never enters the application, session management and secure transmission matter. If you want to discuss this in a wider frame, you may find <a href=\"https:\/\/www.dchost.com\/blog\/e%e2%80%91ticarette-pci-dssi-dert-etmeden-nasil-uyumlu-kalirsin-hosting-tarafinda-gercekten-ne-yapmak-gerekir\/\">my notes on staying PCI DSS compliant in e\u2011commerce<\/a> useful.<\/p>\n<h2 id=\"section-9\"><span id=\"Dogru_Bayrak_Dogru_Omur_Dogru_Kapsam_Kucuk_Ayarlarin_Buyuk_Farki\">Right Flag + Right Lifetime + Right Scope: The Big Difference Small Settings Make<\/span><\/h2>\n<p>Flags alone are not enough; <strong>Domain<\/strong>, <strong>Path<\/strong> and the cookie's <strong>lifetime<\/strong> also change behaviour. If the cookie only needs to be valid in a specific part of the site, narrowing the scope with Path is a good idea. If sharing between subdomains is required, set Domain carefully and do not leave it needlessly broad. The \u201clet the root domain be open to everyone\u201d approach sometimes enlarges the security risk.<\/p>\n<p>Keeping the session cookie alive for the browser session and expiring a persistent cookie at a reasonable date is usually a good balance. A very long lifetime can mean risk on a lost device or a shared computer. A very short lifetime tires the user. Deciding this as a team and keeping it in sync with the UI flow is best.<\/p>\n<h2 id=\"section-10\"><span id=\"Set-Cookie_Nasil_Gorunmeli_Gozumuz_Alissin\">What Should Set-Cookie Look Like? Let's Train Our Eye<\/span><\/h2>\n<p>Opening the Network tab in the browser developer tools and looking at the response headers is the fastest way to diagnose. An ideal session cookie looks like this:<\/p>\n<pre class=\"language-http line-numbers\"><code class=\"language-http\">Set-Cookie: sessionid=abc123; Path=\/; HttpOnly; Secure; SameSite=Lax; Expires=Thu, 12 Nov 2026 10:00:00 GMT\n<\/code><\/pre>\n<p>If None is required for an integration:<\/p>\n<pre class=\"language-http line-numbers\"><code class=\"language-http\">Set-Cookie: sessionid=abc123; Path=\/; HttpOnly; Secure; SameSite=None\n<\/code><\/pre>\n<p>Once you have confirmed it by eye, you immediately know whether the rules you wrote at the application and proxy layers hit the right cookies. If needed, raise logging on staging for a short while and record the \u201cSet-Cookie\u201d headers. That way you catch the surprises before going to prod.<\/p>\n<h2 id=\"section-11\"><span id=\"Test_Dogrulama_ve_Kucuk_Araclar\">Testing, Verification and Small Tools<\/span><\/h2>\n<p>On the browser side, the Chrome\/Firefox developer tools are the first stop. Do the right flags appear, is the cookie sent when the request is cross-site? You can test all of it in practice. The official documentation also gives a clear reference for both syntax and behaviour examples. For details I usually look at <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Set-Cookie\" rel=\"nofollow noopener\" target=\"_blank\">MDN's Set-Cookie page<\/a>; the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Set-Cookie#samesitesamesite-value\" rel=\"nofollow noopener\" target=\"_blank\">section summarising SameSite behaviour<\/a> also lets you verify quickly instead of guessing.<\/p>\n<p>Secure session management is a journey from start to finish. Cookie flags are an important part of it, but not the whole solution. When processes like password reset, session renewal and re-authentication at fixed intervals are handled together, security rises noticeably. If you want to take a look, <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Session_Management_Cheat_Sheet.html\" rel=\"nofollow noopener\" target=\"_blank\">OWASP's session management notes<\/a> work like a practical checklist.<\/p>\n<h2 id=\"section-12\"><span id=\"Lets_Encrypt_Sertifikalar_ve_Secure_Bayraginin_Hakkini_Vermek\">Let's Encrypt, Certificates and \u201cDoing Justice\u201d to the Secure Flag<\/span><\/h2>\n<p>The Secure flag loses its meaning without HTTPS. That is why setting up the certificate side solidly is one of the first tasks. If you host many domain names, designing the Let's Encrypt automation smartly both eases your work and provides an uninterrupted secure line. My post on <a href=\"https:\/\/www.dchost.com\/blog\/lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler\/\">SSL strategies for many domains with Let's Encrypt<\/a>, where I describe my experiences, forms a natural whole with the Secure flag.<\/p>\n<p>There is also the question of certificate type and compatibility. If you want nimbler handshakes with ECDSA and broad compatibility with RSA, using the pair at the same time really is a nice balance. I have shared in detail how I do this in Nginx\/Apache; strong TLS for Secure cookies is perhaps the most valuable step you can take.<\/p>\n<h2 id=\"section-13\"><span id=\"Kucuk_Tuzaklar_HttpOnly_Her_Zaman_Mi_Ve_Gorunmez_Bozulmalar\">Small Traps: HttpOnly Always? And \u201cInvisible\u201d Breakages<\/span><\/h2>\n<p>I love the HttpOnly rule, but I do not apply it blindly to every cookie. For instance, in some setups that share the CSRF token via a cookie, JS has to read it and put it into a header. If you give such a cookie HttpOnly, it cannot read the token and the forms stop working. So divide cookies into two categories: security-critical session\/identity cookies, and functional cookies the client is meant to read.<\/p>\n<p>Another trap is the Domain\/Path game. A cookie set on a parent domain can have unexpected effects on subdomains. Also, behaviour that is safe on staging\/preview domains may be treated as cross-site in the prod environment. Testing on a prod-like domain gives realistic results. Finally, do not forget that browsers change their defaults over time; today Lax may be the default, but tomorrow new security layers may be added. That is why expressing the intent explicitly in code is a good habit.<\/p>\n<h2 id=\"section-14\"><span id=\"Adim_Adim_Uygulama_Basit_Bir_Yol_Haritasi\">Step-by-Step Implementation: A Simple Roadmap<\/span><\/h2>\n<p>Let's start with the easiest part. First look at the current state of the cookies in the developer tools. Which cookies exist, which relate to the session, which are functional? Then decide the flags each of these cookies should have. HttpOnly + Secure + Lax is usually a good trio for the session cookie. If there is a special flow such as payment\/SSO, give None to that specific cookie and do not skip the Secure requirement.<\/p>\n<p>Write this intent into the application code. Use the framework settings if they exist; otherwise call setcookie or its equivalent directly. At the proxy layer, edit only if necessary and target specific names. Finally, test the real user flows: login arriving from an external link, the payment return, the widget inside an iframe, single-page application requests. Breakages are usually caught here.<\/p>\n<h2 id=\"section-15\"><span id=\"Kapanis_Kucuk_Bayraklar_Buyuk_Sukunet\">Closing: Small Flags, Great Calm<\/span><\/h2>\n<p>Cookie flags look like a tiny detail at first glance, but they are like seat belts that calm the system. Set correctly, they reduce the chance of CSRF, help limit XSS damage and soothe users' strange \u201csession loss\u201d moments. Final touches in Nginx\/Apache will get the job done, but the healthiest option is for the application to set the cookie directly with the right flags.<\/p>\n<p>A practical tip: first test the real flows in an environment close to production, see Set-Cookie with your own eyes in the developer tools, then add the proxy rules. Do not neglect the TLS side either; with <a href=\"https:\/\/www.dchost.com\/blog\/nginx-apachede-ecdsa-rsa-ikili-ssl-uyumluluk-mu-hiz-mi-ikisini-birden-nasil-alirsin\/\">dual certificate strategies<\/a> and <a href=\"https:\/\/www.dchost.com\/blog\/lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler\/\">Let's Encrypt tips<\/a> the Secure flag finds the ground it deserves. The feeling at the end of the road: those three words you fiddled with create an unnoticed peace on the site.<\/p>\n<p>I hope this post has made your work easier. If you have questions, take notes; we will break down the flows on your mind together. Let's meet again with real examples in the next post; maybe next in line are the small life-saving tricks of cache control with a reverse proxy.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 A Small Office Panic Story: the \u201cFussy\u201d Browser, Cookie Flags and a Coffee2 What Do These Flags Protect? A Look Under the Hood3 SameSite=Lax or Strict? And When None?4 Adding Cookie Flags in Nginx: A Graceful Touch Behind the Proxy5 Cookie Flags in Apache: The \u201cFinal Touch\u201d with mod_headers6 Setting It Right in Application Code: Node, PHP, Laravel, Django, Spring7 Proxy\/CDN [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1801,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1800"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1800\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1801"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}