Nginx响应头安全策略

1.add_header X-Content-Type-Options 应对漏洞：内容嗅探攻击,屏蔽内容嗅探攻击。
2.add_header X-XSS-Protection 应对漏洞：XSS攻击,开启浏览器XSS防护
3.add_header X-Frame-Options 应对漏洞：点击劫持;配置的三个参数：
deny 标识该页面不允许在frame中展示，即便在相同域名的页面中嵌套也不行。
sameorigin 可以在同域名的页面中frame中展示
allow-form url 指定的fream中展示。
4.add_header Strict-Transport-Security 告诉浏览器只能通过https访问当前资源,在接下来的16070400秒中，
浏览器只要向xxx或其子域名发送HTTP请求时，必须采用HTTPS来发起连接。
5.add_header Referrer-Policy 用于过滤 Referrer 报头内容，其可选的项有：
no-referrer no-referrer-when-downgrade origin origin-when-cross-origin same-origin strict-origin
6.add_header X-Permitted-Cross-Domain-Policies
7.add_header X-Download-Options用于控制浏览器下载文件是否支持直接打开，如果支持直接打开，可能会有安全隐患。
8.add_header Access-Control-Allow-相关配置 对应漏洞：Access-Control-Allow-Origin中不安全的通配符’*’响应【原理扫描】

nginx.conf示例

worker_processes  auto;
 
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
 
 
events {
    worker_connections  1024;
}
 
 
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    sendfile        on;
    #tcp_nopush     on;
 
    keepalive_timeout  65;
 
    #gzip  on;
        server {
            listen       80;
            server_name  localhost;
                    gzip on;
                    gzip_buffers 32 4K;
                    gzip_comp_level 6;
                    gzip_min_length 100;
                    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
                    gzip_disable "MSIE [1-6]\."; #配置禁用gzip条件，支持正则。此处表示ie6及以下不启用gzip（因为ie低版本不支持）
                    gzip_vary on;
            access_log  /var/log/nginx/host.access.log  main;
            error_log  /var/log/nginx/error.log  error;
 
 
        location / {
            root    html;
            index  index.html index.htm;
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;          
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }
 
        location /api/ {
            # 426 Upgrade Required，使用 proxy_http_version 1.1
            proxy_http_version 1.1;
            # !!需要修改为后台服务地址
            proxy_pass  http://192.168.1.11:5002$request_uri; #API
            # proxy_redirect off;
            # 后端的Web服务器可以通过X-Forwarded-For获取用户真实IP
            proxy_set_header  Host  $host;
            proxy_set_header  X-Real-IP  $remote_addr; 
            proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
            #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }          
               
        location /ws {
            proxy_pass http://127.0.0.1:5052$request_uri;
            proxy_http_version 1.1;
            proxy_connect_timeout 4s;               
            proxy_read_timeout 60s;                 
            proxy_send_timeout 12s;                 
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;          
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }
    
            #error_page  404              /404.html;
             
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   /usr/share/nginx/html;
                add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
            }
        }
}

来自带码人
来自林老西
来自Developer