lighttp: recommended initial response headers for websites

Description

To keep site pages secure, 光网烈火 recommends that users set initial response headers to protect the site against various cross-site attacks.

nginx

Add the following directives to the site's conf file:

add_header cache-control "max-age=0, must-revalidate";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header content-security-policy "default-src 'self' *.inetpub.cn *.liehuojun.com *.xpccdn.com data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), document-domain=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), web-share=(self), xr-spatial-tracking=(self), clipboard-read=(self), clipboard-write=(self), hid=(self), idle-detection=(self), serial=(self)";
add_header strict-transport-security "max-age=31536000; includeSubDomains; preload";

If the configuration file contains a block like the following, delete the cache-control setting on the first line. The domains *.inetpub.cn *.liehuojun.com *.xpccdn.com can be replaced with the domains of whatever third-party resource hosts you need, for example the hosts referenced for static images or videos.

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
    expires 30d;
    ...

HSTS (HTTPS) preload submission site: https://hstspreload.org

HTTP security header rating site: https://securityheaders.com
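The following script is an added example, not part of this page or of the lighttp product. It checks a raw HTTP response head against the header set listed above: it parses the headers, reports any header from the list that is missing or sent twice (the duplicate Cache-Control that appears when the add_header cache-control line is kept next to an expires directive), checks that the HSTS max-age is at least one year with includeSubDomains and preload as hstspreload.org requires, and notes when the CSP lets inline or eval scripts run, since 'unsafe-inline' and 'unsafe-eval' remove most of the XSS protection a CSP provides. The two sample responses are constructed; current browsers no longer implement the filter that X-XSS-Protection controlled, so the script only checks that the header is present.

```python
"""Offline checker for the response-header baseline recommended above.

Added example, not from the page or the lighttp product.  The sample
responses below are constructed for illustration.
"""
import re
from typing import Dict, List

# Header names from the page's nginx snippet (HTTP header names are
# case-insensitive, so everything is compared lower-cased).
REQUIRED = [
    "cache-control",
    "referrer-policy",
    "content-security-policy",
    "x-content-type-options",
    "x-xss-protection",
    "permissions-policy",
    "strict-transport-security",
]
ONE_YEAR = 31536000  # smallest HSTS max-age that hstspreload.org accepts

# Constructed sample 1: a page served with the snippet above in place.
BASELINE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
cache-control: max-age=0, must-revalidate
Referrer-Policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self' *.inetpub.cn *.liehuojun.com *.xpccdn.com data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Permissions-Policy: camera=(self), microphone=(self), geolocation=(self)
strict-transport-security: max-age=31536000; includeSubDomains; preload
"""

# Constructed sample 2: an image served from a location block that sets
# 'expires 30d' (which emits Cache-Control: max-age=2592000) while the
# server-level add_header cache-control is still present, so nginx sends
# two conflicting Cache-Control headers.
STATIC_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
Expires: Tue, 22 Mar 2022 07:29:00 GMT
Cache-Control: max-age=2592000
cache-control: max-age=0, must-revalidate
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a response head (status line plus header lines) into a
    lower-cased name -> list of values map.  Repeats are kept on purpose:
    a duplicated Cache-Control is exactly the conflict the page warns about."""
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings: List[str] = []
    for name in REQUIRED:
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            findings.append(f"duplicate {name}: {values}")

    hsts = headers.get("strict-transport-security", [""])[0].lower()
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("strict-transport-security max-age below one year")
        for token in ("includesubdomains", "preload"):
            if token not in hsts:
                findings.append(f"strict-transport-security lacks {token}")

    csp = headers.get("content-security-policy", [""])[0]
    if csp:
        policy = parse_csp(csp)
        if "frame-ancestors" not in policy:
            findings.append("content-security-policy has no frame-ancestors")
        # script-src falls back to default-src when absent
        effective_script = policy.get("script-src", policy.get("default-src", []))
        for src in ("'unsafe-inline'", "'unsafe-eval'"):
            if src in effective_script:
                findings.append(f"content-security-policy allows {src} for scripts")

    xcto = headers.get("x-content-type-options", [""])[0].lower()
    if xcto and xcto != "nosniff":
        findings.append(f"x-content-type-options is {xcto!r}, expected 'nosniff'")
    return findings


if __name__ == "__main__":
    for label, raw in (("baseline", BASELINE_RESPONSE), ("static", STATIC_RESPONSE)):
        print(label, check_headers(parse_headers(raw)) or ["ok"])
```

Paste the output of a real `curl -sI` into parse_headers to check a live site offline; the baseline sample passes every presence check and only draws the two CSP notes, while the static-file sample shows the duplicate Cache-Control the page tells you to avoid.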


Update: 2022-2-20 15:29