{"id":3164,"date":"2025-12-08T14:31:45","date_gmt":"2025-12-08T11:31:45","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/"},"modified":"2025-12-08T14:31:45","modified_gmt":"2025-12-08T11:31:45","slug":"http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/","title":{"rendered":"HTTP Security Headers Guide: How to Set Up HSTS, CSP, X-Frame-Options and Referrer-Policy Correctly"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><p>One of the problems we see most often in security audits is that, even though the server-side patches are up to date, the <strong>HTTP security headers<\/strong> are either not defined at all or are set incompletely or incorrectly. Closing XSS, CSRF and SQL injection holes in the application code is of course critical; but unless you give the browser the right instructions, you have not really built a strong line of defence. Headers such as HSTS, CSP, X-Frame-Options and Referrer-Policy in particular both narrow the attack surface and play an important role in complying with regulations such as KVKK \/ GDPR.<\/p>\n<p>We prepared this guide based on our real experience from the security hardening work we do on web sites hosted on DCHost infrastructure. 
The aim is less to give theoretical definitions than to make clear <strong>how to configure these headers in practice on Nginx\/Apache<\/strong>, in what order it is safer to roll them out, and which checks to perform before going live. On live e-commerce, SaaS or corporate sites in particular, a single faulty line of HSTS or CSP policy can cause unexpected outages. Let's build a step-by-step approach that eliminates those risks from the start.<\/p>\n<div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#HTTP_Guvenlik_Basliklarinin_Rolu_ve_Tehdit_Modeli\"><span class=\"toc_number toc_depth_1\">1<\/span> The Role of HTTP Security Headers and the Threat Model<\/a><\/li><li><a href=\"#Baslamadan_Once_HTTPS_SSLTLS_ve_Test_Ortami_Zorunlulugu\"><span class=\"toc_number toc_depth_1\">2<\/span> Before You Start: HTTPS, SSL\/TLS and a Mandatory Test Environment<\/a><\/li><li><a href=\"#HSTS_Strict-Transport-Security_Dogru_Nasil_Ayarlanir\"><span class=\"toc_number toc_depth_1\">3<\/span> How to Configure HSTS (Strict-Transport-Security) Correctly<\/a><ul><li><a href=\"#HSTS_Direktifleri\"><span class=\"toc_number toc_depth_2\">3.1<\/span> HSTS Directives<\/a><\/li><li><a href=\"#HSTS_Ayarini_Asamali_Yapmak_Neden_Onemli\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Why Rolling Out HSTS in Stages Matters<\/a><\/li><li><a href=\"#Nginx_Uzerinde_HSTS_Ornegi\"><span class=\"toc_number toc_depth_2\">3.3<\/span> HSTS Example on Nginx<\/a><\/li><li><a href=\"#Apache_Uzerinde_HSTS_Ornegi\"><span class=\"toc_number toc_depth_2\">3.4<\/span> HSTS Example on Apache<\/a><\/li><\/ul><\/li><li><a href=\"#CSP_Content-Security-Policy_XSSe_Karsi_En_Guclu_Kalkan\"><span class=\"toc_number toc_depth_1\">4<\/span> CSP (Content-Security-Policy): The Strongest Shield Against XSS<\/a><ul><li><a href=\"#CSP_Temel_Direktifleri\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Core CSP Directives<\/a><\/li><li><a href=\"#CSPyi_Report-Only_ile_Baslatmak\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Starting CSP with Report-Only<\/a><\/li><li><a href=\"#Basit_Bir_CSP_Ornegi\"><span class=\"toc_number toc_depth_2\">4.3<\/span> A Simple CSP Example<\/a><\/li><li><a href=\"#Nginxte_CSP_Basligi\"><span class=\"toc_number toc_depth_2\">4.4<\/span> The CSP Header in Nginx<\/a><\/li><li><a href=\"#Apachede_CSP_Basligi\"><span class=\"toc_number toc_depth_2\">4.5<\/span> The CSP Header in Apache<\/a><\/li><\/ul><\/li><li><a href=\"#X-Frame-Options_Clickjackinge_Karsi_Ilk_Savunma_Hatti\"><span class=\"toc_number toc_depth_1\">5<\/span> X-Frame-Options: The First Line of Defence Against Clickjacking<\/a><ul><li><a href=\"#X-Frame-Options_Degerleri\"><span class=\"toc_number toc_depth_2\">5.1<\/span> X-Frame-Options Values<\/a><\/li><li><a href=\"#Nginxte_X-Frame-Options\"><span class=\"toc_number toc_depth_2\">5.2<\/span> X-Frame-Options in Nginx<\/a><\/li><li><a href=\"#Apachede_X-Frame-Options\"><span class=\"toc_number toc_depth_2\">5.3<\/span> X-Frame-Options in Apache<\/a><\/li><\/ul><\/li><li><a href=\"#Referrer-Policy_Gizlilik_Analitik_ve_Guvenlik_Dengesi\"><span class=\"toc_number toc_depth_1\">6<\/span> Referrer-Policy: Balancing Privacy, Analytics and Security<\/a><ul><li><a href=\"#Yaygin_Referrer-Policy_Degerleri\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Common Referrer-Policy Values<\/a><\/li><li><a href=\"#Nginxte_Referrer-Policy\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Referrer-Policy in Nginx<\/a><\/li><li><a href=\"#Apachede_Referrer-Policy\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Referrer-Policy in Apache<\/a><\/li><\/ul><\/li><li><a href=\"#Tum_Basliklari_Bir_Arada_Ornek_Guvenlik_Konfigurasyonu\"><span class=\"toc_number toc_depth_1\">7<\/span> All Headers Together: An Example Security Configuration<\/a><ul><li><a href=\"#Nginx_Icin_Ornek_Guvenlik_Basliklari_Blogu\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Example Security Headers Block for Nginx<\/a><\/li><\/ul><\/li><li><a href=\"#Canliya_Almadan_Once_Kontrol_Listesi\"><span class=\"toc_number toc_depth_1\">8<\/span> Pre-Launch Checklist<\/a><ul><li><a href=\"#1_Yedek_ve_Geri_Donus_Plani\"><span class=\"toc_number toc_depth_2\">8.1<\/span> 1. Backup and Rollback Plan<\/a><\/li><li><a href=\"#2_Staging_Ortaminda_Test\"><span class=\"toc_number toc_depth_2\">8.2<\/span> 2. Testing in a Staging Environment<\/a><\/li><li><a href=\"#3_Tarayici_Konsolu_ve_Guvenlik_Araclari\"><span class=\"toc_number toc_depth_2\">8.3<\/span> 3. Browser Console and Security Tools<\/a><\/li><li><a href=\"#4_Kullanici_ve_SEO_Etkilerini_Izleme\"><span class=\"toc_number toc_depth_2\">8.4<\/span> 4. Monitoring User and SEO Impact<\/a><\/li><\/ul><\/li><li><a href=\"#DCHost_Altyapisinda_Bu_Basliklari_Yonetmek\"><span class=\"toc_number toc_depth_1\">9<\/span> Managing These Headers on DCHost Infrastructure<\/a><\/li><li><a href=\"#Ozet_ve_Sonraki_Adimlar\"><span class=\"toc_number toc_depth_1\">10<\/span> Summary and Next Steps<\/a><\/li><\/ul><\/div>\n<h2><span id=\"HTTP_Guvenlik_Basliklarinin_Rolu_ve_Tehdit_Modeli\">The Role of HTTP Security Headers and the Threat Model<\/span><\/h2>\n<p>It is important first to clarify what these headers actually solve. Developers often treat security headers as a \u201cscore-boosting\u201d step; in reality, they work directly against concrete attack scenarios:<\/p>\n<ul>\n<li><strong>HSTS (Strict-Transport-Security)<\/strong>: Prevents HTTP-to-HTTPS protocol downgrade attacks and stops users from accidentally establishing an unencrypted connection.<\/li>\n<li><strong>CSP (Content-Security-Policy)<\/strong>: Makes XSS, data exfiltration and the loading of malicious third-party content significantly harder.<\/li>\n<li><strong>X-Frame-Options<\/strong>: Blocks clickjacking attacks (your site being hidden inside an iframe on another site).<\/li>\n<li><strong>Referrer-Policy<\/strong>: Controls how much detail of your visitors' URLs is sent to other sites, managing privacy and data-leak risk.<\/li>\n<\/ul>\n<p>Using these headers correctly, especially in <a href=\"https:\/\/www.dchost.com\/blog\/kvkk-ve-gdpr-uyumlu-hosting-nasil-kurulur-veri-yerellestirme-loglama-ve-silme-uzerine-sicacik-bir-yol-haritasi\/\">KVKK and GDPR compliant hosting<\/a> strategies, means carrying the \u201cleast privilege\u201d principle over to the browser side as well. In effect you tell the browser: \u201caccess only the resources you really need, only under the conditions you really need them.\u201d<\/p>\n<h2><span id=\"Baslamadan_Once_HTTPS_SSLTLS_ve_Test_Ortami_Zorunlulugu\">Before You Start: HTTPS, SSL\/TLS and a Mandatory Test Environment<\/span><\/h2>\n<p>Most of the headers in this guide <strong>either do not work without HTTPS or lose their meaning<\/strong>. HSTS in particular is only meaningful for responses delivered over HTTPS. Your first step should therefore always be to:<\/p>\n<ul>\n<li>Install a valid SSL\/TLS certificate,<\/li>\n<li>Redirect all HTTP traffic to HTTPS with a permanent 301,<\/li>\n<li>Disable old, weak protocols (SSLv3, TLS 1.0, TLS 1.1).<\/li>\n<\/ul>\n<p>To work through these step by step, be sure to read our guides on <a href=\"https:\/\/www.dchost.com\/blog\/httpden-httpse-gecis-rehberi-301-yonlendirme-hsts-ve-seoyu-korumak\/\">migrating from HTTP to HTTPS<\/a> and <a href=\"https:\/\/www.dchost.com\/blog\/ssl-tls-1-3-standartlarinda-guncellemeler-ve-sunucu-tarafina-etkileri\/\">TLS 1.3 and modern SSL\/TLS configuration<\/a>.<\/p>\n<p>The second critical prerequisite is a <strong>test\/staging environment<\/strong>. Headers such as CSP and HSTS have very little tolerance for mistakes. 
That is why we always recommend the following order to DCHost customers:<\/p>\n<ol>\n<li>Enable the headers in the staging environment first.<\/li>\n<li>Collect errors via the browser console and the logs.<\/li>\n<li>If needed, run CSP in <code>Report-Only<\/code> mode for a while.<\/li>\n<li>Go live only when everything is clean.<\/li>\n<\/ol>\n<h2><span id=\"HSTS_Strict-Transport-Security_Dogru_Nasil_Ayarlanir\">How to Configure HSTS (Strict-Transport-Security) Correctly<\/span><\/h2>\n<p>HSTS is an instruction that tells the browser \u201calways connect to this domain over HTTPS\u201d. As a result, even if the user types <code>http:\/\/<\/code> into the address bar, the browser upgrades the connection to HTTPS on its own. This neutralises the <strong>protocol downgrade and SSL strip<\/strong> attacks carried out especially on public Wi-Fi networks.<\/p>\n<h3><span id=\"HSTS_Direktifleri\">HSTS Directives<\/span><\/h3>\n<ul>\n<li><strong>max-age<\/strong>: Specifies for how many seconds the browser should remember this rule. For example <code>31536000<\/code> means roughly 1 year.<\/li>\n<li><strong>includeSubDomains<\/strong>: Applies the same enforcement to all subdomains as well (<code>www<\/code>, <code>api<\/code>, <code>panel<\/code>, etc.).<\/li>\n<li><strong>preload<\/strong>: Used to get your site added to the browsers' HSTS preload list. 
Once on that list, HTTPS is used directly even the very first time a user visits your site.<\/li>\n<\/ul>\n<h3><span id=\"HSTS_Ayarini_Asamali_Yapmak_Neden_Onemli\">Why Rolling Out HSTS in Stages Matters<\/span><\/h3>\n<p>The most dangerous side of HSTS is that a misconfiguration can <strong>cause errors that are very hard to reverse<\/strong>. For example, if you use <code>includeSubDomains<\/code> while a subdomain does not yet serve HTTPS properly, you have effectively shut the site down for every user trying to reach that subdomain.<\/p>\n<p>That is why the typical roadmap we follow at DCHost looks like this:<\/p>\n<ol>\n<li>First send an HSTS header for the main domain only, with a short duration (such as <code>max-age=300<\/code>).<\/li>\n<li>Watch the logs and user feedback; if there are no problems, extend the duration gradually (e.g. 1 day, 1 week, 1 month, 1 year).<\/li>\n<li>Add <code>includeSubDomains<\/code> only once you are sure of the HTTPS configuration of all your subdomains.<\/li>\n<li>In the final stage, consider applying for the HSTS preload list.<\/li>\n<\/ol>\n<h3><span id=\"Nginx_Uzerinde_HSTS_Ornegi\">HSTS Example on Nginx<\/span><\/h3>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name example.com www.example.com;\n\n    # HSTS: in the first stage you can try a shorter max-age (e.g. 300) instead of the full year shown here\n    add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot; always;\n\n    ... other settings ...\n}\n<\/code><\/pre>\n<p>The <code>always<\/code> parameter ensures that this header is sent even on error responses (e.g. 500, 404). That way, even if the user sees an error page on your site, the HSTS entry in their browser stays current.<\/p>\n<h3><span id=\"Apache_Uzerinde_HSTS_Ornegi\">HSTS Example on Apache<\/span><\/h3>\n<pre class=\"language-apache line-numbers\"><code class=\"language-apache\">&lt;VirtualHost *:443&gt;\n    ServerName example.com\n\n    Header always set Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot;\n\n    ... other settings ...\n&lt;\/VirtualHost&gt;\n<\/code><\/pre>\n<p>Note: before using this header on Apache, make sure the <code>mod_headers<\/code> module is enabled.<\/p>\n<h2><span id=\"CSP_Content-Security-Policy_XSSe_Karsi_En_Guclu_Kalkan\">CSP (Content-Security-Policy): The Strongest Shield Against XSS<\/span><\/h2>\n<p>CSP is an allow-list (whitelist) mechanism that tells the browser <strong>which type of content may be loaded from which source<\/strong>. For example:<\/p>\n<ul>\n<li>JavaScript may only be loaded from your own domain and specific CDNs,<\/li>\n<li>Inline scripts are not allowed; only <code>nonce<\/code>- or hash-based scripts may run,<\/li>\n<li>Form submissions may only go to specific domains,<\/li>\n<li>Only specific sites may be embedded in iframes, and so on.<\/li>\n<\/ul>\n<p>The CSP header may look complex, but with the right strategy it is possible to build a clean policy step by step. 
We also strongly recommend reading our guide on <a href=\"https:\/\/www.dchost.com\/blog\/cspyi-dogru-kurmak-wordpress-laravelde-nonce-hash-report-to-ve-inline-scriptleri-tatli-tatli-ehlilestirmek\/\">setting up CSP correctly<\/a>, where we cover this topic in detail.<\/p>\n<h3><span id=\"CSP_Temel_Direktifleri\">Core CSP Directives<\/span><\/h3>\n<ul>\n<li><strong>default-src<\/strong>: The default policy for all other content types.<\/li>\n<li><strong>script-src<\/strong>: Source list for JavaScript files.<\/li>\n<li><strong>style-src<\/strong>: CSS files and inline styles.<\/li>\n<li><strong>img-src<\/strong>: Sources from which images may be loaded.<\/li>\n<li><strong>connect-src<\/strong>: Targets of connections such as XHR, fetch and WebSocket.<\/li>\n<li><strong>frame-ancestors<\/strong>: Defines the parent sites that may place your site in an iframe (the modern replacement for X-Frame-Options).<\/li>\n<\/ul>\n<h3><span id=\"CSPyi_Report-Only_ile_Baslatmak\">Starting CSP with Report-Only<\/span><\/h3>\n<p>On a live site, especially WordPress, WooCommerce or complex JavaScript SPAs, switching on a strict CSP all at once usually leads to <strong>broken functionality<\/strong>. 
That is why the best method is to:<\/p>\n<ol>\n<li>Start with the <code>Content-Security-Policy-Report-Only<\/code> header first,<\/li>\n<li>Collect the CSP violations and reports from the browser console,<\/li>\n<li>Fix and simplify the policy over a few iterations, and only then<\/li>\n<li>Enable the real <code>Content-Security-Policy<\/code> header.<\/li>\n<\/ol>\n<h3><span id=\"Basit_Bir_CSP_Ornegi\">A Simple CSP Example<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Content-Security-Policy: \n  default-src 'self'; \n  script-src 'self' https:\/\/cdn.example.com; \n  style-src 'self' 'unsafe-inline'; \n  img-src 'self' data: https:\/\/images.example.com; \n  connect-src 'self' https:\/\/api.example.com; \n  frame-ancestors 'self';\n<\/code><\/pre>\n<p>In this example:<\/p>\n<ul>\n<li>By default, all content may only be loaded from your own domain.<\/li>\n<li>For JavaScript, one additional CDN is allowed.<\/li>\n<li>For CSS, <code>'unsafe-inline'<\/code> is used temporarily (it should be removed over time in favour of nonces\/hashes).<\/li>\n<li>Images may be loaded from your own domain and one image CDN.<\/li>\n<li>XHR\/fetch requests may only go to your API server.<\/li>\n<li>Your site may only be used as an iframe within itself.<\/li>\n<\/ul>\n<h3><span id=\"Nginxte_CSP_Basligi\">The CSP Header in Nginx<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Content-Security-Policy &quot;default-src 'self'; script-src 'self' https:\/\/cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:\/\/images.example.com; connect-src 'self' https:\/\/api.example.com; frame-ancestors 'self'&quot; always;\n<\/code><\/pre>\n<p>To keep the line shorter, it can make sense to split the CSP into pieces in Nginx using variables or <code>map<\/code> blocks; we often do this in large corporate setups.<\/p>\n<h3><span id=\"Apachede_CSP_Basligi\">The CSP Header in Apache<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set Content-Security-Policy &quot;default-src 'self'; script-src 'self' https:\/\/cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:\/\/images.example.com; connect-src 'self' https:\/\/api.example.com; frame-ancestors 'self'&quot;\n<\/code><\/pre>\n<p>It is important to handle CSP together with cookie and session security in particular. For example, configuring the <a href=\"https:\/\/www.dchost.com\/blog\/samesitelax-mi-strict-mi-secure-ve-httponly-ile-nginx-apachede-cerezleri-tertemiz-nasil-kurarsin\/\">SameSite, Secure and HttpOnly cookie settings<\/a> correctly and thinking about them together with CSP significantly reduces the risk of session hijacking.<\/p>\n<h2><span id=\"X-Frame-Options_Clickjackinge_Karsi_Ilk_Savunma_Hatti\">X-Frame-Options: The First Line of Defence Against Clickjacking<\/span><\/h2>\n<p><strong>X-Frame-Options<\/strong> controls whether your site can be embedded as an iframe on another site. 
In clickjacking attacks, the attacker loads your site in a transparent iframe, places their own buttons on top of it and tricks the user into performing actions on your site without realising it.<\/p>\n<h3><span id=\"X-Frame-Options_Degerleri\">X-Frame-Options Values<\/span><\/h3>\n<ul>\n<li><strong>DENY<\/strong>: Your site can never be embedded in an iframe.<\/li>\n<li><strong>SAMEORIGIN<\/strong>: Your site may only be loaded in an iframe under your own domain.<\/li>\n<li><strong>ALLOW-FROM uri<\/strong>: No longer supported by most modern browsers; its use is not recommended.<\/li>\n<\/ul>\n<p>In the modern approach, using CSP's <code>frame-ancestors<\/code> directive alongside or instead of X-Frame-Options is the more flexible and standards-compliant method. 
However, for backward compatibility we see both together in most projects.<\/p>\n<h3><span id=\"Nginxte_X-Frame-Options\">X-Frame-Options in Nginx<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header X-Frame-Options &quot;SAMEORIGIN&quot; always;\n<\/code><\/pre>\n<p>If your site never needs to be used inside an iframe anywhere, <code>DENY<\/code> is the stricter and safer choice:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header X-Frame-Options &quot;DENY&quot; always;\n<\/code><\/pre>\n<h3><span id=\"Apachede_X-Frame-Options\">X-Frame-Options in Apache<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set X-Frame-Options &quot;SAMEORIGIN&quot;\n<\/code><\/pre>\n<p>One thing to keep in mind: if you have a rule such as <code>frame-ancestors 'none'<\/code> in CSP and say <code>SAMEORIGIN<\/code> in X-Frame-Options, the browser applies the stricter rule. It is therefore important to write consistent rules that do not conflict.<\/p>\n<h2><span id=\"Referrer-Policy_Gizlilik_Analitik_ve_Guvenlik_Dengesi\">Referrer-Policy: Balancing Privacy, Analytics and Security<\/span><\/h2>\n<p>On every HTTP request, the browser sends a <code>Referer<\/code> header (yes, the historic misspelling) indicating where the request came from. <strong>Referrer-Policy<\/strong> determines how much detail of that information is sent. For example, will you send the full URL, only the origin, or nothing at all?<\/p>\n<h3><span id=\"Yaygin_Referrer-Policy_Degerleri\">Common Referrer-Policy Values<\/span><\/h3>\n<ul>\n<li><strong>no-referrer<\/strong>: No referrer is sent at all. 
Maximum privacy, but analytics tools see less data.<\/li>\n<li><strong>no-referrer-when-downgrade<\/strong>: The old default behaviour; no referrer is sent when going from HTTPS to HTTP.<\/li>\n<li><strong>origin<\/strong>: Only the protocol + domain + port is sent, not the full path.<\/li>\n<li><strong>strict-origin-when-cross-origin<\/strong>: The full referrer within your own site, only the origin when going to external sites, and no referrer at all when going from HTTPS to HTTP. One of the most balanced options for modern projects.<\/li>\n<\/ul>\n<p>The value we recommend most often in practice, for most corporate and e-commerce sites, is <code>strict-origin-when-cross-origin<\/code>. It provides a reasonable level of privacy protection while still meeting the basic needs of analytics\/performance tools.<\/p>\n<h3><span id=\"Nginxte_Referrer-Policy\">Referrer-Policy in Nginx<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Referrer-Policy &quot;strict-origin-when-cross-origin&quot; always;\n<\/code><\/pre>\n<h3><span id=\"Apachede_Referrer-Policy\">Referrer-Policy in Apache<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Header always set Referrer-Policy &quot;strict-origin-when-cross-origin&quot;\n<\/code><\/pre>\n<p>If you serve very sensitive content (for example hidden panel URLs or private customer portals) and absolutely do not want the referrer to appear on external links, you can also consider stricter options such as <code>no-referrer<\/code> or <code>origin<\/code>.<\/p>\n<h2><span id=\"Tum_Basliklari_Bir_Arada_Ornek_Guvenlik_Konfigurasyonu\">All Headers Together: An Example Security Configuration<\/span><\/h2>\n<p>In theory it is important to understand each header separately, but in real life they all come together in the same server configuration. In a typical Nginx vhost you can use a bundled set of settings like the following:<\/p>\n<h3><span id=\"Nginx_Icin_Ornek_Guvenlik_Basliklari_Blogu\">Example Security Headers Block for Nginx<\/span><\/h3>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name example.com www.example.com;\n\n    # Enforce HTTPS\n    add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot; always;\n\n    # CSP for XSS, data exfiltration and content-loading controls\n    add_header Content-Security-Policy &quot;default-src 'self'; script-src 'self' https:\/\/cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:\/\/images.example.com; connect-src 'self' https:\/\/api.example.com; frame-ancestors 'self'&quot; always;\n\n    # Clickjacking protection\n    add_header X-Frame-Options &quot;SAMEORIGIN&quot; always;\n\n    # Balance between referrer privacy and analytics\n    add_header Referrer-Policy &quot;strict-origin-when-cross-origin&quot; always;\n\n    # Other recommended headers can be added as well (X-Content-Type-Options, X-XSS-Protection, etc.)\n\n    ... other SSL \/ site settings ...\n}\n<\/code><\/pre>\n<p>You can build a similar block on the Apache side inside <code>&lt;VirtualHost *:443&gt;<\/code> with <code>Header always set ...<\/code> directives. 
For a broader perspective, also take a look at our <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/\">general HTTP security headers guide<\/a>, which can be considered a sibling of this article.<\/p>\n<h2><span id=\"Canliya_Almadan_Once_Kontrol_Listesi\">Pre-Launch Checklist<\/span><\/h2>\n<p>The most common mistakes when enabling HSTS, CSP, X-Frame-Options and Referrer-Policy are trying them directly in production and having no rollback plan. At DCHost, we apply the following checklist when hardening our customers' sites:<\/p>\n<h3><span id=\"1_Yedek_ve_Geri_Donus_Plani\">1. Backup and Rollback Plan<\/span><\/h3>\n<ul>\n<li>Back up the existing configuration files first.<\/li>\n<li>Make sure the config change is kept under version control.<\/li>\n<li>Establish a clear procedure for reverting quickly to the previous version in case of a wrong HSTS or CSP rule.<\/li>\n<\/ul>\n<h3><span id=\"2_Staging_Ortaminda_Test\">2. Testing in a Staging Environment<\/span><\/h3>\n<ul>\n<li>Try all headers in the staging environment first.<\/li>\n<li>Start CSP in <code>Report-Only<\/code> mode and observe the real violations.<\/li>\n<li>Manually test critical flows such as payment steps, login\/logout and file uploads.<\/li>\n<\/ul>\n<h3><span id=\"3_Tarayici_Konsolu_ve_Guvenlik_Araclari\">3. Browser Console and Security Tools<\/span><\/h3>\n<ul>\n<li>Check the <strong>Security<\/strong> tab in the Chrome\/Firefox developer tools.<\/li>\n<li>Look in the Console for CSP violations or mixed content warnings.<\/li>\n<li>Get an HTTP header report from external security scanners (for example services that grade security headers).<\/li>\n<\/ul>\n<h3><span id=\"4_Kullanici_ve_SEO_Etkilerini_Izleme\">4. Monitoring User and SEO Impact<\/span><\/h3>\n<ul>\n<li>Follow support requests closely during the first 24\u201372 hours after going live.<\/li>\n<li>Check in particular whether payment pages, integration iframes and third-party widgets are causing problems.<\/li>\n<li>To protect your SEO balance during HTTPS and HSTS transitions, make sure you have applied the steps in the <a href=\"https:\/\/www.dchost.com\/blog\/httpden-httpse-gecis-rehberi-301-yonlendirme-hsts-ve-seoyu-korumak\/\">HTTPS migration guide<\/a>.<\/li>\n<\/ul>\n<h2><span id=\"DCHost_Altyapisinda_Bu_Basliklari_Yonetmek\">Managing These Headers on DCHost Infrastructure<\/span><\/h2>\n<p>At DCHost, when we put our customers' sites into production on our <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">shared hosting<\/a>, <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a>, dedicated and colocation environments, we treat <strong>HTTP security headers as part of the architectural design<\/strong>. 
In e-commerce and SaaS projects in particular, during the initial setup we:<\/p>\n<ul>\n<li>align the SSL\/TLS configuration with modern protocols,<\/li>\n<li>ensure HTTPS continuity with automatically renewing SSL certificates (Let's Encrypt and the like),<\/li>\n<li>recommend a staged HSTS rollout plan,<\/li>\n<li>build a basic CSP skeleton based on your application's requirements.<\/li>\n<\/ul>\n<p>In more advanced setups we also provide architectural support for needs such as CSP nonces, reporting endpoints and separate CSP profiles for multi-tenant SaaS platforms. If your application was already designed around a plan focused on <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/\">VPS server security<\/a>, these headers become a critical complement to that plan.<\/p>\n<h2><span id=\"Ozet_ve_Sonraki_Adimlar\">Summary and Next Steps<\/span><\/h2>\n<p>Although HSTS, CSP, X-Frame-Options and Referrer-Policy look like a few lines of configuration on paper, they actually form <strong>the backbone of your security architecture<\/strong> on the browser side. 
With HSTS you keep the browser on the encrypted channel at all times, with CSP you define which content may load under which conditions, with X-Frame-Options you reduce the clickjacking risk, and with Referrer-Policy you control where the referring URL is sent and in how much detail.<\/p>\n<p>The right approach is to treat these headers not as \u201cbonus points\u201d but as a <strong>basic requirement<\/strong>. First establish a solid HTTPS and SSL\/TLS foundation, then enable the headers step by step after testing them in staging. When you need it, we can review these settings together on your DCHost hosting, VPS or dedicated infrastructure and build a profile that balances security and performance.<\/p>\n<p>If these headers are not yet defined on your site, start by inspecting the response headers your server currently sends, then begin applying the examples in this guide in small steps. For the broader picture, to handle HTTP headers, SSL\/TLS, DNSSEC, logging and backup policies together, I recommend reading both our <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/\">general HTTP security headers guide<\/a> and our <a href=\"https:\/\/www.dchost.com\/blog\/3-2-1-yedekleme-stratejisi-neden-ise-yariyor-cpanel-plesk-ve-vpste-otomatik-yedekleri-nasil-kurarsin\/\">3-2-1 backup strategy<\/a> article. 
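<\/p>\n<p>Checklist item 3 asks for a header report, and the first step above is to inspect the responses your server currently sends. The script below is an added example for that step; it is not DCHost tooling and not part of the original guide. It parses a response head as printed by <code>curl -sI<\/code> and grades the four headers discussed here, flagging the rollout states the checklist cares about: a short HSTS <code>max-age<\/code>, a CSP that is still Report-Only, a missing or unsafe Referrer-Policy, and whether framing is controlled by <code>X-Frame-Options<\/code> or by a CSP <code>frame-ancestors<\/code> directive. The two embedded response heads are constructed samples, and the one-year threshold is an assumption taken from the hstspreload.org submission requirements, not from this guide.<\/p>

```python
# Pre-launch audit of the four headers in this guide (added example, not
# DCHost tooling). Feed it a response head as printed by `curl -sI URL`.
import re
from typing import Dict, List, Optional, Tuple

# Assumption (not from the guide): hstspreload.org requires max-age of at
# least one year plus includeSubDomains before a domain can be preloaded.
PRELOAD_MIN_MAX_AGE = 31536000
# Referrer policies that never send the path or query string cross-origin.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
Finding = Tuple[str, str, str]  # (check, "OK" | "WARN" | "FAIL", detail)

def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """curl -I style response head -> lower-cased header map (repeats kept in order)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_hsts(value: str) -> Tuple[int, bool, bool]:
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    parts = [p.strip().lower() for p in value.split(";")]
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return (int(m.group(1)) if m else 0, "includesubdomains" in parts, "preload" in parts)

def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list if the policy declares one."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None

def check_hsts(h: Dict[str, List[str]]) -> Finding:
    name, v = "Strict-Transport-Security", h.get("strict-transport-security")
    if not v:
        return (name, "FAIL", "missing")
    max_age, sub, preload = parse_hsts(v[0])
    if max_age == 0:
        return (name, "WARN", "max-age=0 tells browsers to drop the policy")
    if preload and (max_age < PRELOAD_MIN_MAX_AGE or not sub):
        return (name, "FAIL", "preload needs max-age >= 1 year and includeSubDomains")
    if max_age < PRELOAD_MIN_MAX_AGE:
        return (name, "WARN", f"max-age={max_age} is a rollout value; raise it once HTTPS is stable")
    return (name, "OK", v[0])

def check_csp(h: Dict[str, List[str]]) -> Finding:
    if h.get("content-security-policy"):
        return ("Content-Security-Policy", "OK", "enforced")
    if h.get("content-security-policy-report-only"):
        return ("Content-Security-Policy", "WARN", "Report-Only: violations are reported, nothing is blocked")
    return ("Content-Security-Policy", "FAIL", "missing")

def check_framing(h: Dict[str, List[str]]) -> Finding:
    # An enforced CSP frame-ancestors directive overrides X-Frame-Options in browsers that support it.
    csp, xfo = h.get("content-security-policy"), h.get("x-frame-options")
    ancestors = csp_frame_ancestors(csp[0]) if csp else None
    if ancestors is not None:
        return ("Frame protection", "OK", f"frame-ancestors {ancestors}")
    if xfo and xfo[0].upper() in ("DENY", "SAMEORIGIN"):
        return ("Frame protection", "OK", f"X-Frame-Options {xfo[0]}")
    if xfo:
        return ("Frame protection", "WARN", f"X-Frame-Options {xfo[0]!r} is not DENY or SAMEORIGIN")
    return ("Frame protection", "FAIL", "neither X-Frame-Options nor frame-ancestors is set")

def check_referrer(h: Dict[str, List[str]]) -> Finding:
    v = h.get("referrer-policy")
    if not v:
        return ("Referrer-Policy", "WARN", "missing; the browser default applies")
    effective = v[0].split(",")[-1].strip().lower()  # last policy in the fallback list wins
    return ("Referrer-Policy", "OK" if effective in SAFE_REFERRER_POLICIES else "WARN", effective)

def audit_headers(h: Dict[str, List[str]]) -> List[Finding]:
    return [check_hsts(h), check_csp(h), check_framing(h), check_referrer(h)]

def overall(findings: List[Finding]) -> str:
    statuses = {status for _, status, _ in findings}
    return "FAIL" if "FAIL" in statuses else "WARN" if "WARN" in statuses else "OK"

# Constructed response heads: a first-rollout staging site and a hardened one.
STAGING_HEAD = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                "Strict-Transport-Security: max-age=300\r\n"
                "Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report\r\n"
                "X-Frame-Options: SAMEORIGIN\r\nReferrer-Policy: no-referrer-when-downgrade\r\n\r\n")
HARDENED_HEAD = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                 "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
                 "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("staging", STAGING_HEAD), ("hardened", HARDENED_HEAD)):
        findings = audit_headers(parse_response_head(raw))
        print(f"== {label}: {overall(findings)}")
        print(*(f"  [{s:4}] {c}: {d}" for c, s, d in findings), sep="\n")
```

<p>Run as-is, the staging sample is graded WARN and the hardened one OK; for a live check, pass the output of <code>curl -sI https:\/\/staging.example.com\/<\/code> to <code>parse_response_head<\/code>. The Report-Only result is deliberately a warning rather than a pass: the checklist uses Report-Only to observe violations, but a site should not go live in the belief that a policy is enforced when the browser is only reporting. The hardened sample also shows why the framing check looks at CSP first: with <code>frame-ancestors 'none'<\/code> enforced, <code>X-Frame-Options<\/code> is no longer needed for browsers that support it.<\/p>\n<p>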
Security becomes truly robust not through a single setting but through the interplay of many complementary layers.<\/p>\n<\/div>","protected":false}}