{"id":14,"date":"2026-06-01T12:21:39","date_gmt":"2026-06-01T09:21:39","guid":{"rendered":"https:\/\/secradar.net\/blog\/http-guvenlik-basliklari-rehberi\/"},"modified":"2026-06-04T22:45:37","modified_gmt":"2026-06-04T19:45:37","slug":"http-guvenlik-basliklari-rehberi","status":"publish","type":"post","link":"https:\/\/secradar.net\/blog\/http-guvenlik-basliklari-rehberi\/","title":{"rendered":"HTTP Security Headers (HSTS, CSP) Guide and Getting an A+"},
"content":{"rendered":"<p>HTTP security headers are response headers that tell the browser how to protect your site. When configured correctly, they largely block common attacks such as XSS, clickjacking and protocol downgrade.<\/p>\n<h2>The Most Important Security Headers<\/h2>\n<h3>HSTS (Strict-Transport-Security)<\/h3>\n<p>Forces the browser to connect to the site only over HTTPS and prevents SSL stripping attacks. Example: <code>Strict-Transport-Security: max-age=63072000; includeSubDomains<\/code><\/p>\n<h3>CSP (Content-Security-Policy)<\/h3>\n<p>Restricts which resources (scripts, styles, images) may be loaded on the page and greatly reduces the impact of XSS. Test it first with <code>Content-Security-Policy-Report-Only<\/code>.<\/p>\n<h3>X-Frame-Options<\/h3>\n<p>Prevents clickjacking by stopping your site from being embedded in an iframe on other pages: <code>X-Frame-Options: SAMEORIGIN<\/code><\/p>\n<h3>X-Content-Type-Options<\/h3>\n<p>With the value <code>nosniff<\/code>, it turns off the browser&#8217;s MIME type sniffing.<\/p>\n<h2>How to Add Them in Nginx<\/h2>\n<p><code>add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains\" always;<\/code><br \/>\n<code>add_header X-Frame-Options SAMEORIGIN always;<\/code><br \/>\n<code>add_header X-Content-Type-Options nosniff always;<\/code><\/p>\n<h2>Getting an A+<\/h2>\n<p>Add all of the recommended headers, define your CSP carefully for your site, and close the gaps one by one with <a href=\"https:\/\/secradar.net\/headers-check\">our HTTP security headers test tool<\/a>. The tool shows present and missing headers side by side and assigns an A\u2013F grade.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>HTTP security headers are response headers that tell the browser how to protect your site. When configured correctly, they largely block common attacks such as XSS, clickjacking and protocol downgrade. The Most Important Security Headers HSTS (Strict-Transport-Security) Forces the browser to connect to the site only over HTTPS and prevents SSL stripping attacks. Example: Strict-Transport-Security: max-age=63072000; includeSubDomains CSP (Content-Security-Policy) Restricts which resources (scripts, styles, images) may be loaded on the page; XSS&#8217;s &#8230; <a title=\"HTTP Security Headers (HSTS, CSP) Guide and Getting an A+\" class=\"read-more\" href=\"https:\/\/secradar.net\/blog\/http-guvenlik-basliklari-rehberi\/\" aria-label=\"Read more about HTTP Security Headers (HSTS, CSP) Guide and Getting an A+\">Read more<\/a><\/p>\n","protected":false},
"author":1,"featured_media":13,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-14","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guvenlik"],
"_links":{"self":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/14","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/comments?post=14"}],"version-history":[{"count":1,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/14\/revisions"}],"predecessor-version":[{"id":48,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/posts\/14\/revisions\/48"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media\/13"}],"wp:attachment":[{"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/media?parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/categories?post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secradar.net\/blog\/wp-json\/wp\/v2\/tags?post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}