{"id":4770,"date":"2026-02-08T16:10:48","date_gmt":"2026-02-08T13:10:48","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-shared-hosting-ve-vpste-csp-hsts-x-frame-options-ve-digerleri-nasil-ayarlanir\/"},"modified":"2026-02-08T16:10:48","modified_gmt":"2026-02-08T13:10:48","slug":"http-guvenlik-basliklari-rehberi-shared-hosting-ve-vpste-csp-hsts-x-frame-options-ve-digerleri-nasil-ayarlanir","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-shared-hosting-ve-vpste-csp-hsts-x-frame-options-ve-digerleri-nasil-ayarlanir\/","title":{"rendered":"HTTP G\u00fcvenlik Ba\u015fl\u0131klar\u0131 Rehberi: Shared Hosting ve VPS\u2019te CSP, HSTS, X\u2011Frame\u2011Options ve Di\u011ferleri Nas\u0131l Ayarlan\u0131r?"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">\u0130&ccedil;indekiler<\/p><ul class=\"toc_list\"><li><a href=\"#HTTP_guvenlik_basliklari_neden_bu_kadar_kritik\"><span class=\"toc_number toc_depth_1\">1<\/span> HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131 neden bu kadar kritik?<\/a><\/li><li><a href=\"#Temel_HTTP_guvenlik_basliklarinin_kisa_ozeti\"><span class=\"toc_number toc_depth_1\">2<\/span> Temel HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131n k\u0131sa \u00f6zeti<\/a><ul><li><a href=\"#Content-Security-Policy_CSP\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Content-Security-Policy (CSP)<\/a><\/li><li><a href=\"#Strict-Transport-Security_HSTS\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Strict-Transport-Security (HSTS)<\/a><\/li><li><a href=\"#X-Frame-Options_ve_frame-ancestors\"><span class=\"toc_number toc_depth_2\">2.3<\/span> X-Frame-Options ve frame-ancestors<\/a><\/li><li><a href=\"#X-Content-Type-Options_Referrer-Policy_Permissions-Policy\"><span class=\"toc_number toc_depth_2\">2.4<\/span> X-Content-Type-Options, Referrer-Policy, 
Permissions-Policy<\/a><\/li><li><a href=\"#Diger_basliklar_ve_cerez_tarafi\"><span class=\"toc_number toc_depth_2\">2.5<\/span> Di\u011fer ba\u015fl\u0131klar ve \u00e7erez taraf\u0131<\/a><\/li><\/ul><\/li><li><a href=\"#Paylasimli_hosting_htaccess_uzerinde_HTTP_guvenlik_basliklari\"><span class=\"toc_number toc_depth_1\">3<\/span> Payla\u015f\u0131ml\u0131 hosting (.htaccess) \u00fczerinde HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/a><ul><li><a href=\"#htaccess_icinde_temel_guvenlik_basliklari_ornegi\"><span class=\"toc_number toc_depth_2\">3.1<\/span> .htaccess i\u00e7inde temel g\u00fcvenlik ba\u015fl\u0131klar\u0131 \u00f6rne\u011fi<\/a><\/li><li><a href=\"#Paylasimli_hostingte_htaccess_ile_calisirken_dikkat_edilmesi_gerekenler\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Payla\u015f\u0131ml\u0131 hostingte .htaccess ile \u00e7al\u0131\u015f\u0131rken dikkat edilmesi gerekenler<\/a><\/li><\/ul><\/li><li><a href=\"#VPS_uzerinde_Nginx_ve_Apache_icin_HTTP_guvenlik_basliklari\"><span class=\"toc_number toc_depth_1\">4<\/span> VPS \u00fczerinde Nginx ve Apache i\u00e7in HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/a><ul><li><a href=\"#Nginx_icin_ornek_guvenlik_basliklari_server_blogu\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Nginx i\u00e7in \u00f6rnek g\u00fcvenlik ba\u015fl\u0131klar\u0131 (server blo\u011fu)<\/a><\/li><li><a href=\"#Apache_vhost_icinde_guvenlik_basliklari\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Apache vhost i\u00e7inde g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/a><\/li><\/ul><\/li><li><a href=\"#CSP8217yi_shared_hosting_ve_VPS8217te_guvenli_sekilde_devreye_almak\"><span class=\"toc_number toc_depth_1\">5<\/span> CSP&#8217;yi shared hosting ve VPS&#8217;te g\u00fcvenli \u015fekilde devreye almak<\/a><ul><li><a href=\"#1_Content-Security-Policy-Report-Only_ile_baslamak\"><span class=\"toc_number toc_depth_2\">5.1<\/span> 1. 
Content-Security-Policy-Report-Only ile ba\u015flamak<\/a><\/li><li><a href=\"#2_Uretim_moduna_gecis_Content-Security-Policy\"><span class=\"toc_number toc_depth_2\">5.2<\/span> 2. \u00dcretim moduna ge\u00e7i\u015f: Content-Security-Policy<\/a><\/li><\/ul><\/li><li><a href=\"#HSTS8217i_ne_zaman_ve_nasil_acmalisiniz\"><span class=\"toc_number toc_depth_1\">6<\/span> HSTS&#8217;i ne zaman ve nas\u0131l a\u00e7mal\u0131s\u0131n\u0131z?<\/a><ul><li><a href=\"#1_Adim_Tum_trafigi_HTTPS8217e_zorla_yonlendirin\"><span class=\"toc_number toc_depth_2\">6.1<\/span> 1. Ad\u0131m: T\u00fcm trafi\u011fi HTTPS&#8217;e zorla y\u00f6nlendirin<\/a><\/li><li><a href=\"#2_Adim_Bir_sure_izleyin_mixed_content_hatalarini_temizleyin\"><span class=\"toc_number toc_depth_2\">6.2<\/span> 2. Ad\u0131m: Bir s\u00fcre izleyin, mixed content hatalar\u0131n\u0131 temizleyin<\/a><\/li><li><a href=\"#3_Adim_HSTS8217i_kisa_bir_max-age_ile_acin\"><span class=\"toc_number toc_depth_2\">6.3<\/span> 3. Ad\u0131m: HSTS&#8217;i k\u0131sa bir max-age ile a\u00e7\u0131n<\/a><\/li><\/ul><\/li><li><a href=\"#X-Frame-Options_Referrer-Policy_ve_diger_basliklar_icin_onerilen_degerler\"><span class=\"toc_number toc_depth_1\">7<\/span> X-Frame-Options, Referrer-Policy ve di\u011fer ba\u015fl\u0131klar i\u00e7in \u00f6nerilen de\u011ferler<\/a><\/li><li><a href=\"#Shared_hosting_ve_VPS_icin_pratik_kontrol_listesi\"><span class=\"toc_number toc_depth_1\">8<\/span> Shared hosting ve VPS i\u00e7in pratik kontrol listesi<\/a><ul><li><a href=\"#1_En_az_su_basliklar_mutlaka_olmali\"><span class=\"toc_number toc_depth_2\">8.1<\/span> 1. En az \u015fu ba\u015fl\u0131klar mutlaka olmal\u0131<\/a><\/li><li><a href=\"#2_Shared_hosting_icin_uygulanabilir_adimlar\"><span class=\"toc_number toc_depth_2\">8.2<\/span> 2. Shared hosting i\u00e7in uygulanabilir ad\u0131mlar<\/a><\/li><li><a href=\"#3_VPS_icin_uygulanabilir_adimlar\"><span class=\"toc_number toc_depth_2\">8.3<\/span> 3. 
VPS i\u00e7in uygulanabilir ad\u0131mlar<\/a><\/li><\/ul><\/li><li><a href=\"#Sonuc_Guvenlik_basliklari_olmadan_HTTPS_tam_sayilmaz\"><span class=\"toc_number toc_depth_1\">9<\/span> Sonu\u00e7: G\u00fcvenlik ba\u015fl\u0131klar\u0131 olmadan HTTPS tam say\u0131lmaz<\/a><\/li><\/ul><\/div>\n<h2><span id=\"HTTP_guvenlik_basliklari_neden_bu_kadar_kritik\">HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131 neden bu kadar kritik?<\/span><\/h2>\n<p>SSL sertifikan\u0131z\u0131 kurup sitenizi HTTPS&#8217;e ta\u015f\u0131d\u0131\u011f\u0131n\u0131zda \u00f6nemli bir e\u015fi\u011fi ge\u00e7mi\u015f oluyorsunuz; ancak taray\u0131c\u0131 taraf\u0131ndaki g\u00fcvenlik kontrolleri bununla bitmiyor. Modern taray\u0131c\u0131lar, <strong>HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/strong> sayesinde sitenizi XSS, clickjacking, kar\u0131\u015f\u0131k i\u00e7erik ve istemci tarafl\u0131 veri s\u0131z\u0131nt\u0131lar\u0131 gibi bir dizi riske kar\u015f\u0131 daha etkili \u015fekilde koruyabiliyor. DCHost taraf\u0131nda yapt\u0131\u011f\u0131m\u0131z g\u00fcvenlik denetimlerinde g\u00f6rd\u00fc\u011f\u00fcm\u00fcz tablo genellikle ayn\u0131: G\u00fczel bir HTTPS kurulumu, d\u00fczg\u00fcn \u00e7al\u0131\u015fan bir uygulama\u2026 ama HSTS kapal\u0131, CSP yok, X-Frame-Options tan\u0131ms\u0131z ve Referrer-Policy tamamen taray\u0131c\u0131n\u0131n varsay\u0131lan\u0131na b\u0131rak\u0131lm\u0131\u015f.<\/p>\n<p>Bu yaz\u0131da, \u00f6zellikle <strong>payla\u015f\u0131ml\u0131 hosting (shared)<\/strong> ve <strong>VPS<\/strong> ortamlar\u0131nda en \u00e7ok ihtiya\u00e7 duyulan ba\u015fl\u0131klar\u0131 ad\u0131m ad\u0131m ele alaca\u011f\u0131z: <strong>CSP (Content-Security-Policy)<\/strong>, <strong>HSTS (Strict-Transport-Security)<\/strong>, <strong>X-Frame-Options<\/strong>, <strong>X-Content-Type-Options<\/strong>, <strong>Referrer-Policy<\/strong>, <strong>Permissions-Policy<\/strong> ve yeni nesil baz\u0131 ba\u015fl\u0131klar. 
Hem .htaccess \u00fczerinden \u00e7al\u0131\u015fan klasik Apache\/LiteSpeed <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">payla\u015f\u0131ml\u0131 hosting<\/a> senaryosunu, hem de Nginx \/ Apache \u00e7al\u0131\u015fan <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> senaryosunu ayr\u0131 ayr\u0131 g\u00f6sterece\u011fiz. E\u011fer konuya daha konsept d\u00fczeyinde bir giri\u015f yapmak isterseniz, \u00f6ncesinde <a href='https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/'>HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131 ne zaman ve nas\u0131l uygulaman\u0131z gerekti\u011fini anlatt\u0131\u011f\u0131m\u0131z rehbere<\/a> de g\u00f6z atabilirsiniz.<\/p>\n<h2><span id=\"Temel_HTTP_guvenlik_basliklarinin_kisa_ozeti\">Temel HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131n k\u0131sa \u00f6zeti<\/span><\/h2>\n<p>Detayl\u0131 yap\u0131land\u0131rmaya girmeden \u00f6nce, en kritik ba\u015fl\u0131klar\u0131n ne i\u015fe yarad\u0131\u011f\u0131n\u0131 netle\u015ftirelim.<\/p>\n<h3><span id=\"Content-Security-Policy_CSP\">Content-Security-Policy (CSP)<\/span><\/h3>\n<p><strong>Content-Security-Policy<\/strong>, taray\u0131c\u0131ya \u015fu sorunun cevab\u0131n\u0131 verir: &quot;Bu sayfada hangi kaynaktan hangi tip i\u00e7erikler (script, stil, resim, iframe vb.) y\u00fcklenebilir?&quot; Do\u011fru kurgulanm\u0131\u015f bir CSP;<\/p>\n<ul>\n<li>XSS sald\u0131r\u0131lar\u0131n\u0131n etkisini b\u00fcy\u00fck \u00f6l\u00e7\u00fcde azalt\u0131r,<\/li>\n<li>Beklenmeyen 3. 
parti script ve iframe g\u00f6m\u00fclmesini engeller,<\/li>\n<li>Mixed content ve yanl\u0131\u015f yap\u0131land\u0131rmalar\u0131n raporlanmas\u0131n\u0131 sa\u011flar.<\/li>\n<\/ul>\n<p>\u00d6rnek bir temel CSP:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Content-Security-Policy: default-src 'self'; img-src 'self' data:; \n  script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';<\/code><\/pre>\n<p>CSP olduk\u00e7a derin bir konu, bu nedenle detayl\u0131 senaryolar (nonce, hash, report-to vb.) i\u00e7in ayr\u0131ca <a href='https:\/\/www.dchost.com\/blog\/cspyi-dogru-kurmak-wordpress-laravelde-nonce-hash-report-to-ve-inline-scriptleri-tatli-tatli-ehlilestirmek\/'>WordPress ve Laravel \u00fczerinde CSP&#8217;yi do\u011fru kurmay\u0131 anlatt\u0131\u011f\u0131m\u0131z rehbere<\/a> de mutlaka bakman\u0131z\u0131 \u00f6neririz.<\/p>\n<h3><span id=\"Strict-Transport-Security_HSTS\">Strict-Transport-Security (HSTS)<\/span><\/h3>\n<p><strong>Strict-Transport-Security<\/strong> (HSTS), taray\u0131c\u0131ya &quot;Bu siteye daima HTTPS \u00fczerinden ba\u011flan&quot; talimat\u0131 verir. 
B\u00f6ylece;<\/p>\n<ul>\n<li>Kullan\u0131c\u0131 http:\/\/ yazsa bile taray\u0131c\u0131 otomatik olarak https:\/\/ s\u00fcr\u00fcme ge\u00e7er,<\/li>\n<li>Pasif baz\u0131 downgrade ve MITM senaryolar\u0131n\u0131n etkisi azal\u0131r,<\/li>\n<li>HTTPS&#8217;e tam ge\u00e7i\u015f yapt\u0131ktan sonra kararl\u0131l\u0131\u011f\u0131 art\u0131r\u0131r.<\/li>\n<\/ul>\n<p>Tipik bir HSTS ba\u015fl\u0131\u011f\u0131:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Strict-Transport-Security: max-age=31536000; includeSubDomains<\/code><\/pre>\n<p>HSTS i\u00e7in \u00f6zellikle ilk ge\u00e7i\u015fte dikkat edilmesi gereken noktalar var; HTTP &rarr; HTTPS s\u00fcrecini planlarken <a href='https:\/\/www.dchost.com\/blog\/httpden-httpsye-gecis-rehberi-seo-kayipsiz-ssl-migrasyonu-hsts-ve-canonical-ayarlari\/'>SEO kayb\u0131 ya\u015famadan HTTPS&#8217;e ge\u00e7i\u015f, HSTS ve canonical ayarlar\u0131n\u0131 anlatt\u0131\u011f\u0131m\u0131z rehber<\/a> i\u015finize yarayacakt\u0131r.<\/p>\n<h3><span id=\"X-Frame-Options_ve_frame-ancestors\">X-Frame-Options ve frame-ancestors<\/span><\/h3>\n<p><strong>X-Frame-Options<\/strong>, sayfan\u0131z\u0131n ba\u015fka siteler taraf\u0131ndan iframe i\u00e7inde g\u00f6r\u00fcnt\u00fclenip g\u00f6r\u00fcnt\u00fclenemeyece\u011fini kontrol eder. Clickjacking sald\u0131r\u0131lar\u0131n\u0131 azaltmak i\u00e7in \u00f6nemlidir.<\/p>\n<ul>\n<li><code>X-Frame-Options: DENY<\/code> &rarr; Hi\u00e7bir yerde iframe i\u00e7inde g\u00f6sterilemez.<\/li>\n<li><code>X-Frame-Options: SAMEORIGIN<\/code> &rarr; Sadece ayn\u0131 origin (alan ad\u0131 + port) i\u00e7inde iframe olarak kullan\u0131labilir.<\/li>\n<\/ul>\n<p>Yeni nesil CSP ile birlikte <code>frame-ancestors<\/code> y\u00f6nergesi de benzer i\u015fi yapar. 
\u00d6rne\u011fin:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Content-Security-Policy: frame-ancestors 'self';<\/code><\/pre>\n<p>G\u00fcncel yakla\u015f\u0131m, m\u00fcmk\u00fcnse hem X-Frame-Options hem de CSP i\u00e7indeki frame-ancestors&#8217;u ayn\u0131 mant\u0131kla kullanmakt\u0131r.<\/p>\n<h3><span id=\"X-Content-Type-Options_Referrer-Policy_Permissions-Policy\">X-Content-Type-Options, Referrer-Policy, Permissions-Policy<\/span><\/h3>\n<ul>\n<li><strong>X-Content-Type-Options: nosniff<\/strong><br \/>Taray\u0131c\u0131n\u0131n i\u00e7erik tipini &quot;tahmin etmeye&quot; \u00e7al\u0131\u015fmas\u0131n\u0131 engeller, \u00f6zellikle dosya indirme \/ script y\u00fckleme senaryolar\u0131nda \u00f6nemlidir.<\/li>\n<li><strong>Referrer-Policy<\/strong><br \/>Taray\u0131c\u0131n\u0131n istekle birlikte ne kadar referrer (nereden geldi\u011fi) bilgisi g\u00f6nderece\u011fini belirler. \u00d6nerilen g\u00fcvenli ve pratik de\u011fer: <code>strict-origin-when-cross-origin<\/code>.<\/li>\n<li><strong>Permissions-Policy<\/strong> (eski Feature-Policy)<br \/>Kamera, mikrofon, konum, fullscreen, payment gibi API&#8217;lerin nerede ve nas\u0131l \u00e7al\u0131\u015fabilece\u011fini k\u0131s\u0131tlamaya yarar.<\/li>\n<\/ul>\n<h3><span id=\"Diger_basliklar_ve_cerez_tarafi\">Di\u011fer ba\u015fl\u0131klar ve \u00e7erez taraf\u0131<\/span><\/h3>\n<p>Bunlara ek olarak <strong>Cross-Origin-Opener-Policy (COOP)<\/strong>, <strong>Cross-Origin-Embedder-Policy (COEP)<\/strong>, <strong>Cross-Origin-Resource-Policy (CORP)<\/strong> gibi yeni nesil ba\u015fl\u0131klar; \u00f6zellikle SPA, PWA ve karma\u015f\u0131k frontend mimarilerinde \u00f6nem kazan\u0131yor. 
Ayr\u0131ca g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131z\u0131 tamamlarken <strong>Set-Cookie<\/strong> \u00fcst\u00fcnden <code>Secure<\/code>, <code>HttpOnly<\/code> ve <code>SameSite<\/code> parametrelerini de do\u011fru kurman\u0131z gerekiyor; bunun i\u00e7in <a href='https:\/\/www.dchost.com\/blog\/samesitelax-mi-strict-mi-secure-ve-httponly-ile-nginx-apachede-cerezleri-tertemiz-nasil-kurarsin\/'>SameSite, Secure ve HttpOnly \u00e7erez ayarlar\u0131n\u0131 ad\u0131m ad\u0131m anlatt\u0131\u011f\u0131m\u0131z rehbere<\/a> g\u00f6z atabilirsiniz.<\/p>\n<h2><span id=\"Paylasimli_hosting_htaccess_uzerinde_HTTP_guvenlik_basliklari\">Payla\u015f\u0131ml\u0131 hosting (.htaccess) \u00fczerinde HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/span><\/h2>\n<p>Payla\u015f\u0131ml\u0131 hosting kullananlar\u0131n b\u00fcy\u00fck \u00e7o\u011funlu\u011fu, <strong>Apache<\/strong> veya <strong>LiteSpeed<\/strong> tabanl\u0131 bir platform \u00fczerinde <strong>.htaccess<\/strong> dosyas\u0131yla yap\u0131land\u0131rma yapar. DCHost payla\u015f\u0131ml\u0131 hosting platformlar\u0131nda da en pratik yol budur. Genel mant\u0131k \u015fu:<\/p>\n<ul>\n<li>Alan ad\u0131n\u0131z\u0131n <strong>public_html<\/strong> veya k\u00f6k dizininde bir .htaccess dosyas\u0131 bulunur.<\/li>\n<li>mod_headers etkinse, <code>Header set<\/code> veya <code>Header always set<\/code> direktiflerini kullanarak ba\u015fl\u0131k ekleyebilirsiniz.<\/li>\n<li>Ayn\u0131 sitede \u00e7al\u0131\u015fan CMS (WordPress vb.) 
kendi kural bloklar\u0131n\u0131 ekleyebilir; g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131 bu bloklar\u0131n <strong>\u00fcst\u00fcnde<\/strong> veya <strong>alt\u0131nda<\/strong> tutmak genelde sorun yaratmaz, ancak tekrar eden ba\u015fl\u0131klar\u0131 engellemek i\u00e7in tek bir yerde tan\u0131mlamaya dikkat edin.<\/li>\n<\/ul>\n<h3><span id=\"htaccess_icinde_temel_guvenlik_basliklari_ornegi\">.htaccess i\u00e7inde temel g\u00fcvenlik ba\u015fl\u0131klar\u0131 \u00f6rne\u011fi<\/span><\/h3>\n<p>A\u015fa\u011f\u0131daki \u00f6rnek, \u00e7o\u011fu kurumsal site, blog veya temel e-ticaret sitesi i\u00e7in g\u00fcvenli bir ba\u015flang\u0131\u00e7 noktas\u0131n\u0131 temsil eder. Canl\u0131ya almadan \u00f6nce staging ortam\u0131nda test etmenizi \u00f6neririz.<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">&lt;IfModule mod_headers.c&gt;\n  # HTTPS'i zorunlu k\u0131l (HSTS) - sadece siteniz tamamen HTTPS ise\n  Header always set Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot;\n\n  # Clickjacking korumas\u0131\n  Header always set X-Frame-Options &quot;SAMEORIGIN&quot;\n\n  # \u0130\u00e7erik tipi tahminini kapat\n  Header set X-Content-Type-Options &quot;nosniff&quot;\n\n  # Referrer bilgisi i\u00e7in dengeli ayar\n  Header set Referrer-Policy &quot;strict-origin-when-cross-origin&quot;\n\n  # Kamera, mikrofon vb. izinleri varsay\u0131lan olarak kapat\n  Header set Permissions-Policy &quot;geolocation=(), microphone=(), camera=()&quot;\n\n  # Basit ve temkinli bir CSP \u00f6rne\u011fi\n  Header set Content-Security-Policy &quot;default-src 'self'; img-src 'self' data:; \n    script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';&quot;\n&lt;\/IfModule&gt;<\/code><\/pre>\n<p>Buradaki CSP \u00f6rne\u011fi \u00f6zellikle WordPress gibi inline stil kullanan sistemlerin bozulmamas\u0131 i\u00e7in <code>'unsafe-inline'<\/code> i\u00e7eriyor. 
Bu, XSS a\u00e7\u0131s\u0131ndan ideal de\u011fil ama CSP&#8217;siz bir d\u00fcnyaya g\u00f6re yine de ciddi bir iyile\u015fme. Zaman i\u00e7inde <a href='https:\/\/www.dchost.com\/blog\/cspyi-dogru-kurmak-wordpress-laravelde-nonce-hash-report-to-ve-inline-scriptleri-tatli-tatli-ehlilestirmek\/'>nonce ve hash tabanl\u0131 CSP<\/a>&#8216;ye ge\u00e7erek bu k\u0131sm\u0131 da s\u0131k\u0131la\u015ft\u0131rabilirsiniz.<\/p>\n<h3><span id=\"Paylasimli_hostingte_htaccess_ile_calisirken_dikkat_edilmesi_gerekenler\">Payla\u015f\u0131ml\u0131 hostingte .htaccess ile \u00e7al\u0131\u015f\u0131rken dikkat edilmesi gerekenler<\/span><\/h3>\n<ul>\n<li><strong>Cache \/ CDN etkisi:<\/strong> \u00d6nbelle\u011fe al\u0131nm\u0131\u015f cevaplarda eski ba\u015fl\u0131klar kalabilir. De\u011fi\u015fiklik sonras\u0131 taray\u0131c\u0131 \u00f6nbelle\u011fini ve CDN \u00f6nbelle\u011fini temizleyin.<\/li>\n<li><strong>\u00c7ift ba\u015fl\u0131k sorunu:<\/strong> Baz\u0131 g\u00fcvenlik eklentileri kendi ba\u015fl\u0131klar\u0131n\u0131 g\u00f6nderir. Ayn\u0131 ba\u015fl\u0131\u011f\u0131n birden fazla kez set edilmesi uyar\u0131lara yol a\u00e7abilir; eklenti ayarlar\u0131n\u0131 g\u00f6zden ge\u00e7irin.<\/li>\n<li><strong>WordPress g\u00fcvenlik eklentileri:<\/strong> Bir\u00e7ok eklenti HSTS, X-Frame-Options vb. ba\u015fl\u0131klar\u0131 kurabiliyor. \u00d6nce eklentideki ilgili ayarlar\u0131 devre d\u0131\u015f\u0131 b\u0131rak\u0131p hepsini .htaccess taraf\u0131nda merkezile\u015ftirmek daha kontroll\u00fc bir mimari sa\u011flar.<\/li>\n<\/ul>\n<h2><span id=\"VPS_uzerinde_Nginx_ve_Apache_icin_HTTP_guvenlik_basliklari\">VPS \u00fczerinde Nginx ve Apache i\u00e7in HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/span><\/h2>\n<p>VPS \u00fczerinde k\u00f6k eri\u015fiminiz oldu\u011funda, ba\u015fl\u0131klar\u0131 .htaccess yerine do\u011frudan <strong>sunucu yap\u0131land\u0131rma dosyalar\u0131na<\/strong> eklemeniz \u00e7ok daha performansl\u0131 ve temiz olur. 
DCHost VPS platformlar\u0131nda da \u00f6nerdi\u011fimiz yakla\u015f\u0131m bu: Nginx veya Apache sanal host (vhost) tan\u0131mlar\u0131n\u0131zda g\u00fcvenlik ba\u015fl\u0131klar\u0131n\u0131 merkezi olarak y\u00f6netmek.<\/p>\n<h3><span id=\"Nginx_icin_ornek_guvenlik_basliklari_server_blogu\">Nginx i\u00e7in \u00f6rnek g\u00fcvenlik ba\u015fl\u0131klar\u0131 (server blo\u011fu)<\/span><\/h3>\n<p>Tipik bir Nginx site tan\u0131m\u0131nda kullan\u0131labilecek \u00f6rnek blok:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name ornekalanadi.com www.ornekalanadi.com;\n\n    # ... SSL ve di\u011fer ayarlar ...\n\n    # HSTS (site tamamen HTTPS'e ge\u00e7tiyse)\n    add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot; always;\n\n    # X-Frame-Options\n    add_header X-Frame-Options &quot;SAMEORIGIN&quot; always;\n\n    # \u0130\u00e7erik tipi tahminini kapat\n    add_header X-Content-Type-Options &quot;nosniff&quot; always;\n\n    # Referrer-Policy\n    add_header Referrer-Policy &quot;strict-origin-when-cross-origin&quot; always;\n\n    # Permissions-Policy (ihtiyaca g\u00f6re geni\u015fletilebilir)\n    add_header Permissions-Policy &quot;geolocation=(), microphone=(), camera=()&quot; always;\n\n    # Basit CSP \u00f6rne\u011fi\n    add_header Content-Security-Policy &quot;default-src 'self'; img-src 'self' data:; \n      script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';&quot; always;\n\n    # ... root, index, proxy_pass vb. ayarlar ...\n}<\/code><\/pre>\n<p>Nginx taraf\u0131nda <code>always<\/code> parametresi, 4xx ve 5xx cevaplar da dahil t\u00fcm yan\u0131tlarda ba\u015fl\u0131klar\u0131n g\u00f6nderilmesini sa\u011flar. 
Bu, hata sayfalar\u0131n\u0131z\u0131n da ayn\u0131 g\u00fcvenlik politikas\u0131na tabi olmas\u0131n\u0131 sa\u011flar.<\/p>\n<h3><span id=\"Apache_vhost_icinde_guvenlik_basliklari\">Apache vhost i\u00e7inde g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/span><\/h3>\n<p>Apache tabanl\u0131 bir VPS&#8217;te, ilgili sanal host tan\u0131m\u0131 i\u00e7ine a\u015fa\u011f\u0131daki gibi bir blok ekleyebilirsiniz:<\/p>\n<pre class=\"language-nginx line-numbers\"><code class=\"language-nginx\">&lt;VirtualHost *:443&gt;\n    ServerName ornekalanadi.com\n    ServerAlias www.ornekalanadi.com\n    DocumentRoot \/var\/www\/ornekalanadi.com\/public\n\n    # ... SSL sertifika ayarlar\u0131 ...\n\n    &lt;IfModule mod_headers.c&gt;\n        Header always set Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot;\n        Header always set X-Frame-Options &quot;SAMEORIGIN&quot;\n        Header set X-Content-Type-Options &quot;nosniff&quot;\n        Header set Referrer-Policy &quot;strict-origin-when-cross-origin&quot;\n        Header set Permissions-Policy &quot;geolocation=(), microphone=(), camera=()&quot;\n        Header set Content-Security-Policy &quot;default-src 'self'; img-src 'self' data:; \n          script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self';&quot;\n    &lt;\/IfModule&gt;\n\n    # ... 
Log ve di\u011fer ayarlar ...\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n<p>De\u011fi\u015fiklikten sonra konfig\u00fcrasyonun hatas\u0131z oldu\u011fundan emin olmak i\u00e7in:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">apachectl configtest\nsystemctl reload apache2   # veya httpd<\/code><\/pre>\n<p>komutlar\u0131n\u0131 kullanmay\u0131 unutmay\u0131n.<\/p>\n<h2><span id=\"CSP8217yi_shared_hosting_ve_VPS8217te_guvenli_sekilde_devreye_almak\">CSP&#8217;yi shared hosting ve VPS&#8217;te g\u00fcvenli \u015fekilde devreye almak<\/span><\/h2>\n<p>CSP, bir ba\u015fl\u0131kla &quot;ekledim bitti&quot; diyebilece\u011finiz basitlikte de\u011fil; iyi yap\u0131land\u0131r\u0131lmad\u0131\u011f\u0131nda sitenizi bozabilir. \u00d6zellikle WordPress, Laravel, SPA framework&#8217;leri (React, Vue, Angular) ve 3. parti script&#8217;lerin yo\u011fun kullan\u0131ld\u0131\u011f\u0131 projelerde, ad\u0131m ad\u0131m ilerlemek \u015fart.<\/p>\n<h3><span id=\"1_Content-Security-Policy-Report-Only_ile_baslamak\">1. Content-Security-Policy-Report-Only ile ba\u015flamak<\/span><\/h3>\n<p>Hem payla\u015f\u0131ml\u0131 hosting, hem de VPS ortam\u0131nda ilk ad\u0131m olarak <strong>rapor modunu<\/strong> \u00f6neriyoruz. \u00d6rne\u011fin Nginx i\u00e7in:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">add_header Content-Security-Policy-Report-Only \n  &quot;default-src 'self'; img-src 'self' data:; script-src 'self'; \n   style-src 'self' 'unsafe-inline'; frame-ancestors 'self';&quot; always;<\/code><\/pre>\n<p>Bu ba\u015fl\u0131k aktifken taray\u0131c\u0131 k\u0131s\u0131tlama uygulamaz, sadece ihlalleri raporlar. 
Raporlar\u0131 takip etmek i\u00e7in <code>report-uri<\/code> veya <code>report-to<\/code> y\u00f6nergelerini kullanabilir, ileride bu raporlar\u0131 merkezi log sisteminize ta\u015f\u0131may\u0131 d\u00fc\u015f\u00fcn\u00fcyorsan\u0131z <a href='https:\/\/www.dchost.com\/blog\/vps-log-yonetimi-nasil-rayina-oturur-grafana-loki-promtail-ile-merkezi-loglama-tutma-sureleri-ve-alarm-kurallari\/'>VPS log y\u00f6netimi ve merkezi loglama rehberimize<\/a> de g\u00f6z atabilirsiniz.<\/p>\n<h3><span id=\"2_Uretim_moduna_gecis_Content-Security-Policy\">2. \u00dcretim moduna ge\u00e7i\u015f: Content-Security-Policy<\/span><\/h3>\n<p>Raporlar\u0131 birka\u00e7 g\u00fcn izledikten sonra beklenmedik bloklamalar g\u00f6rm\u00fcyorsan\u0131z, <code>Content-Security-Policy-Report-Only<\/code> yerine ger\u00e7ek <code>Content-Security-Policy<\/code> ba\u015fl\u0131\u011f\u0131n\u0131 g\u00f6ndermeye ba\u015flayabilirsiniz. Dikkat etmeniz gerekenler:<\/p>\n<ul>\n<li><strong>3. parti script ve CDN&#8217;ler:<\/strong> analytics, tag manager, canl\u0131 destek, harita vb. 
servisleri <code>script-src<\/code>, <code>img-src<\/code> ve <code>connect-src<\/code> y\u00f6nergelerine eklemeyi unutmay\u0131n.<\/li>\n<li><strong>inline script ve stil:<\/strong> M\u00fcmk\u00fcn oldu\u011funca inline kullan\u0131m\u0131 azalt\u0131n; kalan k\u0131s\u0131m i\u00e7in nonce veya hash tabanl\u0131 yakla\u015f\u0131m\u0131 de\u011ferlendirin.<\/li>\n<li><strong>iframes:<\/strong> iframe ile g\u00f6m\u00fclen video \/ \u00f6deme \/ harita servislerinin alan adlar\u0131n\u0131 <code>frame-src<\/code> veya <code>child-src<\/code> y\u00f6nergelerine ekleyin.<\/li>\n<\/ul>\n<p>Geli\u015fmi\u015f CSP kurgular\u0131 i\u00e7in, nonce ve hash kullan\u0131m\u0131 ile ilgili \u00f6rnekleri detayl\u0131 \u015fekilde <a href='https:\/\/www.dchost.com\/blog\/cspyi-dogru-kurmak-wordpress-laravelde-nonce-hash-report-to-ve-inline-scriptleri-tatli-tatli-ehlilestirmek\/'>CSP&#8217;yi do\u011fru kurma rehberimizde<\/a> bulabilirsiniz.<\/p>\n<h2><span id=\"HSTS8217i_ne_zaman_ve_nasil_acmalisiniz\">HSTS&#8217;i ne zaman ve nas\u0131l a\u00e7mal\u0131s\u0131n\u0131z?<\/span><\/h2>\n<p>HSTS yanl\u0131\u015f zamanda a\u00e7\u0131ld\u0131\u011f\u0131nda, \u00f6zellikle karma bir HTTPS ge\u00e7i\u015f s\u00fcrecindeyseniz, beklenmedik y\u00f6nlendirme d\u00f6ng\u00fcleri ve alt alan ad\u0131 problemleri yaratabilir. DCHost taraf\u0131nda m\u00fc\u015fterilerimizle \u00e7al\u0131\u015f\u0131rken genelde \u015fu yol haritas\u0131n\u0131 \u00f6neriyoruz:<\/p>\n<h3><span id=\"1_Adim_Tum_trafigi_HTTPS8217e_zorla_yonlendirin\">1. Ad\u0131m: T\u00fcm trafi\u011fi HTTPS&#8217;e zorla y\u00f6nlendirin<\/span><\/h3>\n<p>\u00d6nce HTTP isteklerini g\u00fcvenli \u015fekilde HTTPS&#8217;e y\u00f6nlendirdi\u011finizden emin olun (.htaccess veya Nginx\/Apache kural\u0131 ile). Bu a\u015famada HSTS hen\u00fcz kapal\u0131 olabilir.<\/p>\n<h3><span id=\"2_Adim_Bir_sure_izleyin_mixed_content_hatalarini_temizleyin\">2. 
Ad\u0131m: Bir s\u00fcre izleyin, mixed content hatalar\u0131n\u0131 temizleyin<\/span><\/h3>\n<p>Taray\u0131c\u0131 konsolunda ve <a href='https:\/\/www.dchost.com\/blog\/ssl-sonrasi-mixed-content-ve-guvensiz-icerik-hatalarini-duzeltmek\/'>mixed content ve g\u00fcvensiz i\u00e7erik hatalar\u0131n\u0131 d\u00fczeltme rehberimizde<\/a> anlatt\u0131\u011f\u0131m\u0131z kontrollerle, sitenizde kalan t\u00fcm http:\/\/ i\u00e7erik \u00e7a\u011fr\u0131lar\u0131n\u0131 temizleyin.<\/p>\n<h3><span id=\"3_Adim_HSTS8217i_kisa_bir_max-age_ile_acin\">3. Ad\u0131m: HSTS&#8217;i k\u0131sa bir max-age ile a\u00e7\u0131n<\/span><\/h3>\n<p>\u0130lk etapta \u00f6rne\u011fin 1 g\u00fcn veya 1 hafta gibi k\u0131sa bir <code>max-age<\/code> kullanabilirsiniz:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Strict-Transport-Security: max-age=604800; includeSubDomains<\/code><\/pre>\n<p>Herhangi bir problem ya\u015famad\u0131\u011f\u0131n\u0131zdan emin olduktan sonra s\u00fcreyi 6 ay veya 1 y\u0131la uzatabilirsiniz. <strong>HSTS preload<\/strong> (taray\u0131c\u0131 listelerine girmek) ise son a\u015famad\u0131r; t\u00fcm alt alan adlar\u0131n\u0131z\u0131n HTTPS&#8217;e %100 haz\u0131r oldu\u011fundan emin olmadan bu ad\u0131ma ge\u00e7meyin.<\/p>\n<h2><span id=\"X-Frame-Options_Referrer-Policy_ve_diger_basliklar_icin_onerilen_degerler\">X-Frame-Options, Referrer-Policy ve di\u011fer ba\u015fl\u0131klar i\u00e7in \u00f6nerilen de\u011ferler<\/span><\/h2>\n<p>Shared hosting ve VPS ortamlar\u0131 i\u00e7in genelde \u015fu kombinasyonlar\u0131 \u00f6neriyoruz:<\/p>\n<ul>\n<li><strong>X-Frame-Options:<\/strong> \u00c7o\u011fu site i\u00e7in <code>SAMEORIGIN<\/code> g\u00fcvenli ve yeterlidir. Hi\u00e7bir yerde iframe olarak g\u00f6sterilmesini istemiyorsan\u0131z <code>DENY<\/code> kullanabilirsiniz. 
Stricter settings can be chosen for payment pages and critical forms.<\/li>\n<li><strong>Referrer-Policy:<\/strong> <code>strict-origin-when-cross-origin<\/code> does not hurt analytics much, yet it stops full URLs (paths and query strings included) from leaking to other origins. If you want stronger privacy, consider <code>same-origin<\/code> or <code>no-referrer<\/code>.<\/li>\n<li><strong>X-Content-Type-Options:<\/strong> Always <code>nosniff<\/code>.<\/li>\n<li><strong>Permissions-Policy:<\/strong> Disable the browser APIs you do not need outright. For a typical corporate site, for example: <code>geolocation=(), microphone=(), camera=(), payment=()<\/code>.<\/li>\n<\/ul>\n<p>If you want to look at these headers from a more general perspective, our <a href='https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/'>guide to configuring HSTS, CSP, X-Frame-Options and Referrer-Policy correctly<\/a> will also help you firm up the theory.<\/p>\n<h2><span id=\"Shared_hosting_ve_VPS_icin_pratik_kontrol_listesi\">Practical checklist for shared hosting and VPS<\/span><\/h2>\n<p>Everything covered so far can be condensed into a checklist we use regularly in practice. Whether you are on shared hosting or a VPS makes no difference; the logic is the same, only the place where it is applied changes.<\/p>\n<h3><span id=\"1_En_az_su_basliklar_mutlaka_olmali\">1. At minimum, these headers must be present<\/span><\/h3>\n<ul>\n<li>Strict-Transport-Security (HSTS): once the HTTPS migration is complete. Start with a short <code>max-age<\/code> and add <code>includeSubDomains<\/code> or <code>preload<\/code> only when every subdomain serves HTTPS, because those two are hard to roll back.<\/li>\n<li>X-Frame-Options, or <code>frame-ancestors<\/code> inside the CSP. Browsers that understand <code>frame-ancestors<\/code> give it precedence over X-Frame-Options, so keep the two consistent.<\/li>\n<li>X-Content-Type-Options<\/li>\n<li>Referrer-Policy<\/li>\n<li>Permissions-Policy (basic restrictions)<\/li>\n<li>Content-Security-Policy (at least a simple &quot;default-src &#8216;self&#8217;&quot; level). Note that even this minimal policy blocks inline scripts and styles and anything loaded from a CDN or third-party domain, so roll it out in Report-Only mode first and add the sources the reports show are needed.<\/li>\n<\/ul>\n<h3><span id=\"2_Shared_hosting_icin_uygulanabilir_adimlar\">2. Actionable steps for shared hosting<\/span><\/h3>\n<ol>\n<li>Open the file manager in cPanel or a similar panel and locate the .htaccess file in your site&#8217;s document root.<\/li>\n<li>Back up its current contents first.<\/li>\n<li>Add the example Header directives given above inside an <code>&lt;IfModule mod_headers.c&gt; ... &lt;\/IfModule&gt;<\/code> block. Prefer <code>Header always set<\/code>; without <code>always<\/code>, Apache does not attach the headers to error responses such as 404 pages.<\/li>\n<li>Save, open your site in a new browser tab and inspect the response headers under <strong>Developer Tools &gt; Network<\/strong>.<\/li>\n<li>Watch the browser console for CSP violation messages and add the required domains to the policy as needed.<\/li>\n<\/ol>\n<h3><span id=\"3_VPS_icin_uygulanabilir_adimlar\">3. Actionable steps for VPS<\/span><\/h3>\n<ol>\n<li>Establish whether Nginx, Apache, or both are running on your server.<\/li>\n<li>Locate the configuration file for the site (for Nginx typically <code>\/etc\/nginx\/sites-available\/alanadi.conf<\/code>, for Apache <code>\/etc\/apache2\/sites-available\/alanadi.conf<\/code> or similar).<\/li>\n<li>Add the <code>add_header<\/code> or <code>Header set<\/code> blocks from the server\/vhost examples above in the appropriate place. Two caveats: in Nginx, <code>add_header<\/code> directives are inherited from the server block only if the location block has no <code>add_header<\/code> of its own, so a location that adds even one header silently drops the rest unless you repeat them there; and both Nginx (the <code>always<\/code> parameter) and Apache (<code>Header always set<\/code>) need the &quot;always&quot; form if the headers should also be sent on error responses.<\/li>\n<li>Run a configuration test (<code>nginx -t<\/code> or <code>apachectl configtest<\/code>) and reload the service.<\/li>\n<li>If needed, verify in a staging environment first that the headers do not break the application.<\/li>\n<\/ol>\n<h2><span id=\"Sonuc_Guvenlik_basliklari_olmadan_HTTPS_tam_sayilmaz\">Conclusion: without security headers, HTTPS is not complete<\/span><\/h2>\n<p>Moving to HTTPS is the foundational security step, but not the last one. Without <strong>HTTP security headers<\/strong>, the browser makes a series of assumptions on your behalf, and those assumptions do not always favour security. XSS, clickjacking, mixed content and client-side data leaks in particular become far more controllable with the right headers. 
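The verification step that both procedures above end with (reading the response headers in the browser's Network tab) can be automated. The script below is an added example, not code from the original post or from DCHost: it audits a captured set of response headers against the minimum list in section 1, accepts a missing X-Frame-Options when the CSP carries frame-ancestors, and flags an X-Content-Type-Options value other than nosniff. The hostname in the curl comment is an assumption, and the sample headers are constructed for the demo rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a site's security
# headers from a captured response. It runs offline on a constructed sample;
# to audit a live site, capture the headers first (hostname is assumed):
#   curl -sI https://www.example.com/ > headers.txt && audit_headers headers.txt
# The exit status of audit_headers is the number of required headers missing.

# Headers the checklist treats as mandatory (lower-case for comparison).
REQUIRED_HEADERS="strict-transport-security
content-security-policy
x-frame-options
x-content-type-options
referrer-policy
permissions-policy"

# header_value NAME FILE: print the value of header NAME (case-insensitive
# match on the name) from the raw response headers in FILE. CRs are dropped
# so curl output with CRLF line endings works. Prints nothing if absent.
header_value() {
    tr -d '\r' < "$2" | awk -v name="$1" -F': *' '
        tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_headers FILE: one report line per required header; returns the
# number of missing headers (0 means the minimum list is satisfied).
audit_headers() {
    file="$1"
    missing=0
    for h in $REQUIRED_HEADERS; do
        v=$(header_value "$h" "$file")
        if [ -n "$v" ]; then
            echo "ok       $h: $v"
            # nosniff is the only meaningful value for X-Content-Type-Options
            if [ "$h" = "x-content-type-options" ] && [ "$v" != "nosniff" ]; then
                echo "WARN     $h should be nosniff, got: $v"
            fi
            continue
        fi
        # X-Frame-Options may be omitted when the CSP carries frame-ancestors,
        # which supporting browsers prefer anyway.
        if [ "$h" = "x-frame-options" ] \
           && header_value content-security-policy "$file" | grep -qi 'frame-ancestors'; then
            echo "ok       $h (covered by CSP frame-ancestors)"
            continue
        fi
        echo "MISSING  $h"
        missing=$((missing + 1))
    done
    return "$missing"
}

# write_sample FILE: constructed response headers (not captured from a real
# host) with HSTS, CSP and nosniff set but Referrer-Policy and
# Permissions-Policy forgotten, a common state after a first .htaccess edit.
write_sample() {
    cat > "$1" <<'EOF'
HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
set-cookie: session=abc; Secure; HttpOnly; SameSite=Lax
EOF
}

# Demo run against the constructed sample; replace with a real capture.
tmp=$(mktemp)
write_sample "$tmp"
audit_headers "$tmp" || echo "$? required header(s) missing"
rm -f "$tmp"
```

Run it after every reload of Nginx or Apache, and run it against an error page as well as the home page: a 404 from a vhost that uses plain `Header set` or `add_header` without `always` will show the headers missing even though the 200 response carries them.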
You can enable these protections through .htaccess on shared hosting, and directly in the Nginx\/Apache configuration on a VPS.<\/p>\n<p>At DCHost, whether you use shared hosting, a VPS or dedicated infrastructure, we recommend treating the <strong>HTTP security headers checklist<\/strong> as a mandatory step for every newly launched project. If you are unsure of the state of these headers on an existing site and it is hosted with DCHost, open a ticket with our support team and we will review it together; otherwise, apply the examples in this article step by step and check the result right away with the browser developer tools. When you treat security not as a one-off task but as <strong>a process that needs ongoing maintenance<\/strong>, logging, certificate renewals, cookie policies and HTTP security headers all work much better as a whole.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Why are HTTP security headers so critical?2 A short summary of the basic HTTP security headers2.1 Content-Security-Policy (CSP)2.2 Strict-Transport-Security (HSTS)2.3 X-Frame-Options and frame-ancestors2.4 X-Content-Type-Options, Referrer-Policy, Permissions-Policy2.5 Other headers and the cookie side3 HTTP security headers on shared hosting (.htaccess)3.1 A basic security headers example inside .htaccess3.2 Things to watch out for when working with .htaccess 
on shared hosting4 Nginx and Apache on a VPS [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4771,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-4770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=4770"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/4771"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=4770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=4770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=4770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}