# Security Header Configuration

Configuring security headers improves website security and helps defend against a variety of attacks.
## Basic Security Headers
### X-Frame-Options

```nginx
add_header X-Frame-Options "SAMEORIGIN" always;
```

Notes:

- Prevents clickjacking
- `SAMEORIGIN`: only same-origin pages may embed this page
- `DENY`: no page may embed it
### X-Content-Type-Options

```nginx
add_header X-Content-Type-Options "nosniff" always;
```

Notes:

- Prevents MIME type sniffing
- `nosniff`: stops the browser from sniffing the MIME type
### X-XSS-Protection

```nginx
add_header X-XSS-Protection "1; mode=block" always;
```

Notes:

- Enables the browser's XSS filter
- `1; mode=block`: block the page when XSS is detected
## Advanced Security Headers
### Content-Security-Policy

```nginx
add_header Content-Security-Policy "default-src 'self'" always;
```

Notes:

- Content Security Policy
- Restricts the origins that resources may be loaded from
### Strict-Transport-Security

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

Notes:

- Forces HTTPS
- `max-age`: lifetime of the HSTS policy, in seconds
- `includeSubDomains`: apply the policy to subdomains as well
### Referrer-Policy

```nginx
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```

Notes:

- Controls what Referrer information is sent
- `strict-origin-when-cross-origin`: send only the origin (no path) to other origins
## Complete Configuration

### Production Configuration

```nginx
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'self';" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    root /var/www/html;
    index index.html;
}
```

## CSP Policies
### Basic CSP

```nginx
add_header Content-Security-Policy "default-src 'self'" always;
```

### Allowing Inline Scripts
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
```

### Allowing External Resources
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.googleapis.com;" always;
```
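The three policies above differ only in their source lists, and it is the source list of `script-src` (or of `default-src`, which the browser falls back to when `script-src` is absent) that decides whether injected script can run. The following Python script is an added example, not code from the original page: it splits a CSP value into directives, applies the `default-src` fallback the way a browser does, and flags source expressions such as `'unsafe-inline'`, `'unsafe-eval'` and bare schemes (`https:`, `data:`) in the script and style directives. The `WEAK_SOURCES` set and the wording of the findings are this example's own choices.

```python
"""Parse a Content-Security-Policy header value and flag source expressions that
weaken it. Added example; the policies used below are the ones shown on this page."""
from typing import Dict, List

# Source expressions that largely defeat the directive they appear in (example's own list).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Directives whose source lists decide whether injected script or style can run.
EXEC_DIRECTIVES = ("script-src", "style-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}.

    Directives are separated by ';' and the first whitespace-separated token of
    each is the directive name; a trailing ';' yields an empty entry that is skipped.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, *sources = tokens
        directives[name.lower()] = sources
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Source list the browser applies to `name`: the directive itself if present,
    otherwise the default-src fallback, otherwise nothing (unrestricted)."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def csp_findings(policy: str) -> List[str]:
    """Return human-readable findings for weak script/style sources."""
    directives = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in directives:
        findings.append("no default-src: any directive not listed is unrestricted")
    for name in EXEC_DIRECTIVES:
        for src in effective_sources(directives, name):
            if src in WEAK_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings


if __name__ == "__main__":
    for policy in (
        "default-src 'self'",
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
    ):
        print(policy, "->", csp_findings(policy) or ["no weak sources"])
```

Run against the production policy from the complete configuration, the script reports `'unsafe-inline'` and `'unsafe-eval'` in `script-src` and `'unsafe-inline'` in `style-src`; with those three tokens present the policy no longer stops injected script, so per-request nonces or hashes, or moving inline code into files served from `'self'`, are the usual way to keep the restriction while still loading the page's own scripts.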
## HSTS Configuration

### Basic HSTS

```nginx
add_header Strict-Transport-Security "max-age=31536000" always;
```

### Including Subdomains
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

### Preload
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
```
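The three HSTS variants above build on each other, and the `preload` token only has an effect once the header meets the preload list's requirements (a `max-age` of at least one year, `includeSubDomains`, and `preload` itself). The following Python script is an added example, not code from the original page: it parses a `Strict-Transport-Security` value into its directives and checks it against those requirements. The threshold constant and the finding texts are this example's own.

```python
"""Parse a Strict-Transport-Security header value and check it against the
preload list requirements. Added example; values used below are the ones on this page."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the smallest max-age the HSTS preload list accepts


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict.

    Directive names are case-insensitive, so keys are lowercased; directives
    without '=' (includeSubDomains, preload) map to None. A quoted max-age
    value is accepted and unquoted.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def max_age_seconds(directives: Dict[str, Optional[str]]) -> Optional[int]:
    """Numeric max-age, or None when it is absent or malformed."""
    raw = directives.get("max-age")
    return int(raw) if raw is not None and raw.isdigit() else None


def preload_eligible(value: str) -> bool:
    """True when the header satisfies the preload list's header requirements."""
    d = parse_hsts(value)
    age = max_age_seconds(d)
    return age is not None and age >= ONE_YEAR and "includesubdomains" in d and "preload" in d


def hsts_findings(value: str) -> List[str]:
    """Return findings about a header value; an empty list means nothing to report."""
    d = parse_hsts(value)
    age = max_age_seconds(d)
    findings: List[str] = []
    if age is None:
        # max-age is mandatory; browsers ignore the header without it.
        findings.append("max-age missing or not a number: the header is ignored")
    elif age == 0:
        findings.append("max-age=0: tells browsers to forget the HSTS policy")
    elif age < ONE_YEAR:
        findings.append(f"max-age={age} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set: subdomains are not covered")
    if "preload" in d and not preload_eligible(value):
        findings.append("preload set but max-age >= 1 year and includeSubDomains are required")
    return findings


if __name__ == "__main__":
    for value in (
        "max-age=31536000",
        "max-age=31536000; includeSubDomains",
        "max-age=31536000; includeSubDomains; preload",
    ):
        print(value, "->", hsts_findings(value) or ["ok"], "preload eligible:", preload_eligible(value))
```

The check covers the header value only. Submission to the preload list additionally requires that the site redirect HTTP to HTTPS on the same host and serve the header on the apex domain, and since removal from the list takes browser release cycles, `preload` is worth adding only once every subdomain is known to work over HTTPS.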
## Complete Example

### Production Configuration

```nginx
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # TLS protocols and cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'self';" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    root /var/www/html;
    index index.html;

    access_log /var/log/nginx/security.access.log;
    error_log /var/log/nginx/security.error.log;
}
```

## Testing Security Headers
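Before checking live responses, it is worth catching the most common reason a header that is present in `server {}` never reaches the client: nginx inherits `add_header` directives from the enclosing level only when the current level defines no `add_header` of its own, so a `location` block that adds a single `Cache-Control` header silently drops every security header configured above it. The following Python script is an added example, not part of the original page or of nginx: it parses a constructed configuration written in the style of the production configuration above and reports each `server` or `location` block whose effective header set lacks one of the recommended headers. The `REQUIRED_HEADERS` list is this example's own choice; X-XSS-Protection is deliberately left out of it because current browsers no longer implement the filter it controls.

```python
"""Static check for the nginx add_header inheritance trap.

nginx inherits add_header directives from the enclosing level only if the
current level defines none of its own, so one add_header in a location block
silently drops every security header configured in server {}.
Added example with a constructed config; not part of the original page.
"""
from typing import List, Tuple

# Headers every response should carry (example's own list). X-XSS-Protection is
# left out on purpose: current browsers no longer implement the filter it controls.
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "Referrer-Policy",
)

# Constructed sample in the style of the production configuration above.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name www.example.com;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        try_files $uri $uri/ =404;
    }

    # Defines its own add_header, so nothing from server {} is inherited here.
    location /static/ {
        add_header Cache-Control "public, max-age=3600";
    }
}
"""


def parse_blocks(conf: str) -> dict:
    """Build a block tree {name, own, children}; 'own' lists header names set by
    add_header directly in that block. Quotes and # comments are respected so a
    ';' inside a CSP value does not end the directive. Not a full nginx parser."""
    root = {"name": "main", "own": [], "children": []}
    stack = [root]
    buf, quote, in_comment = "", None, False
    for ch in conf:
        if in_comment:
            in_comment = ch != "\n"
        elif quote:
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote, buf = ch, buf + ch
        elif ch == "#":
            in_comment = True
        elif ch == "{":
            node = {"name": " ".join(buf.split()), "own": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            buf = ""
        elif ch == "}":
            if len(stack) > 1:
                stack.pop()
            buf = ""
        elif ch == ";":
            tokens = buf.split()
            if len(tokens) >= 2 and tokens[0] == "add_header":
                stack[-1]["own"].append(tokens[1])
            buf = ""
        else:
            buf += ch
    return root


def missing_headers(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (block path, missing headers) for every server/location block whose
    effective add_header set lacks a required header."""
    results: List[Tuple[str, List[str]]] = []

    def walk(node: dict, inherited: List[str], prefix: str) -> None:
        effective = node["own"] or inherited  # the inheritance rule in one line
        path = f"{prefix} > {node['name']}" if prefix else node["name"]
        if (node["name"].split() or [""])[0] in ("server", "location"):
            present = {h.lower() for h in effective}
            missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
            if missing:
                results.append((path, missing))
        for child in node["children"]:
            walk(child, effective, path)

    tree = parse_blocks(conf)
    for child in tree["children"]:
        walk(child, tree["own"], "")
    return results


if __name__ == "__main__":
    for path, missing in missing_headers(SAMPLE_CONF):
        print(f"{path}: missing {', '.join(missing)}")
```

On the sample this reports `server > location /static/` as missing all five headers while `location /` inherits them intact. The fix on the nginx side is either to repeat the security `add_header` lines in every `location` that sets its own headers, or to move the shared set into an `include` file and include it in each such block. To check a real deployment, feed the output of `nginx -T` (which dumps the full configuration after includes) to `missing_headers`.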
### Testing with curl

```bash
curl -I https://www.example.com
```

### Online Testing
Visit https://securityheaders.com/ to test your security headers.
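`curl -I` prints the raw response head, and the useful test is to compare it with the values recommended in the Basic and Advanced Security Headers sections above rather than reading it by eye. The following Python script is an added example, not code from the original page or from securityheaders.com: it parses a constructed response head of the kind `curl -I` prints and reports missing or weak headers. The sample response, the finding texts and the `audit_headers` checks are this example's own; the checks cover presence and the obvious value problems (an obsolete `ALLOW-FROM`, `'unsafe-inline'`/`'unsafe-eval'` in the CSP, a missing `max-age`) and do not repeat the deeper CSP and HSTS parsing shown earlier.

```python
"""Audit a `curl -I` response head against the header set recommended on this page.
Added example; the response below is constructed, not a real capture."""
import re
from typing import Dict, List

# Constructed response head in the shape `curl -I https://www.example.com` prints.
SAMPLE_RESPONSE = """HTTP/2 200
server: nginx
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
"""


def parse_head(raw: str) -> Dict[str, str]:
    """Map lowercased header names to values; the status line is skipped and
    names are lowercased because HTTP header names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings, in check order, for the headers this page recommends."""
    findings: List[str] = []

    def require(name: str) -> str:
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        return value or ""

    xfo = require("X-Frame-Options").upper()
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was only ever honoured by legacy browsers; frame-ancestors replaces it.
        findings.append("X-Frame-Options: ALLOW-FROM is obsolete; use Content-Security-Policy frame-ancestors instead")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")

    xcto = require("X-Content-Type-Options")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: expected nosniff, got {xcto!r}")

    csp = require("Content-Security-Policy")
    for token in ("'unsafe-inline'", "'unsafe-eval'"):
        if token in csp:
            findings.append(f"Content-Security-Policy allows {token}")

    hsts = require("Strict-Transport-Security")
    if hsts and "max-age=" not in hsts.lower():
        findings.append("Strict-Transport-Security: no max-age directive, so browsers ignore it")

    require("Referrer-Policy")

    xxp = headers.get("x-xss-protection")
    if xxp is not None and xxp.strip() != "0":
        findings.append("X-XSS-Protection: legacy header; current browsers no longer implement the filter it controls")

    # A version number in Server is needless disclosure; nginx hides it with server_tokens off.
    if re.search(r"\d", headers.get("server", "")):
        findings.append("Server header reveals a version number; set server_tokens off")
    return findings


def audit_response(raw: str) -> List[str]:
    """Convenience wrapper: raw `curl -I` output in, findings out."""
    return audit_headers(parse_head(raw))


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for finding in audit_response(raw) or ["no findings"]:
        print(finding)
```

Pipe a real response in with `curl -sI https://www.example.com | python3 audit.py` (the file name is whatever you save the script as). Do not add `-L`: with redirects curl prints one head per hop and the script only reads the first, which would otherwise be the port-80 redirect rather than the HTTPS response the headers are configured on.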
## Common Problems

### Resources Fail to Load

Cause: the CSP policy is too strict.

Fix: adjust the CSP policy.

```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" always;
```

### Embedding Is Blocked

Cause: X-Frame-Options is set incorrectly.

Fix: adjust X-Frame-Options.

```nginx
add_header X-Frame-Options "ALLOW-FROM https://example.com" always;
```

## Summary
Key points for configuring security headers:

- X-Frame-Options: prevents clickjacking
- X-Content-Type-Options: prevents MIME type sniffing
- X-XSS-Protection: enables the browser's XSS filter
- CSP: Content Security Policy
- HSTS: forces HTTPS
- Referrer-Policy: controls Referrer information

Configure security headers sensibly to improve your site's security.