Sovia' Blog
Nginx响应头安全策略
LiuSovia 化神
  2024-11-21 19:09:48   2023-04-20 05:04:27    961 字

Nginx响应头安全策略

1.add_header X-Content-Type-Options 应对漏洞:内容嗅探攻击,屏蔽内容嗅探攻击。
2.add_header X-XSS-Protection 应对漏洞:XSS攻击,开启浏览器XSS防护
3.add_header X-Frame-Options 应对漏洞:点击劫持;配置的三个参数:
deny 标识该页面不允许在frame中展示,即便在相同域名的页面中嵌套也不行。
sameorigin 可以在同域名的页面中frame中展示
allow-form url 指定的fream中展示。
4.add_header Strict-Transport-Security 告诉浏览器只能通过https访问当前资源,在接下来的16070400秒中,
浏览器只要向xxx或其子域名发送HTTP请求时,必须采用HTTPS来发起连接。
5.add_header Referrer-Policy 用于过滤 Referrer 报头内容,其可选的项有:
no-referrer no-referrer-when-downgrade origin origin-when-cross-origin same-origin strict-origin
6.add_header X-Permitted-Cross-Domain-Policies
7.add_header X-Download-Options用于控制浏览器下载文件是否支持直接打开,如果支持直接打开,可能会有安全隐患。
8.add_header Access-Control-Allow-相关配置 对应漏洞:Access-Control-Allow-Origin中不安全的通配符’*’响应【原理扫描】

nginx.conf示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
worker_processes  auto;
 
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
 
 
events {
    worker_connections  1024;
}
 
 
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
 
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    sendfile        on;
    #tcp_nopush     on;
 
    keepalive_timeout  65;
 
    #gzip  on;
        server {
            listen       80;
            server_name  localhost;
                    gzip on;
                    gzip_buffers 32 4K;
                    gzip_comp_level 6;
                    gzip_min_length 100;
                    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
                    gzip_disable "MSIE [1-6]\."; #配置禁用gzip条件,支持正则。此处表示ie6及以下不启用gzip(因为ie低版本不支持)
                    gzip_vary on;
            access_log  /var/log/nginx/host.access.log  main;
            error_log  /var/log/nginx/error.log  error;
 
 
        location / {
            root    html;
            index  index.html index.htm;
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;          
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }
 
        location /api/ {
            # 426 Upgrade Required,使用 proxy_http_version 1.1
            proxy_http_version 1.1;
            # !!需要修改为后台服务地址
            proxy_pass  http://192.168.1.11:5002$request_uri; #API
            # proxy_redirect off;
            # 后端的Web服务器可以通过X-Forwarded-For获取用户真实IP
            proxy_set_header  Host  $host;
            proxy_set_header  X-Real-IP  $remote_addr; 
            proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
            #proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }          
               
        location /ws {
            proxy_pass http://127.0.0.1:5052$request_uri;
            proxy_http_version 1.1;
            proxy_connect_timeout 4s;               
            proxy_read_timeout 60s;                 
            proxy_send_timeout 12s;                 
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
             
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;          
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }
        }
    
            #error_page  404              /404.html;
             
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   /usr/share/nginx/html;
                add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
            }
        }
}

来自带码人
来自林老西
来自Developer

 评论
评论插件加载失败
正在加载评论插件
  1. Nginx响应头安全策略
  1. Nginx响应头安全策略