给NGINX添加几个常用的安全选项

add_header X-XSS-Protection 1;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options 'nosniff';
add_header Referrer-Policy  "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self'"；
add_header X-Permitted-Cross-Domain-Policies all；
add_header X-Download-Options value ;

在nginx里添加add_header要注意先后顺序http\server\location，并不是并集

参考文章：

http://www.qb5200.com/article/341463.html

https://blog.csdn.net/qq_26312651/article/details/88356345

https://blog.csdn.net/jie1134514406/article/details/124668625

https://blog.csdn.net/weixin_42991716/article/details/117465595

 

转另一篇参考文章：

https://blog.csdn.net/fanggeyan/article/details/125865158

使用nginx处理的一些安全漏洞

1、响应头缺失

HTTP X-Permitted-Cross-Domain-Policies 响应头缺失

Nginx的nginx.conf中location下配置:

add_header X-Permitted-Cross-Domain-Policies value;

HTTP Referrer-Policy 响应头缺失

Nginx的nginx.conf中location下配置:

add_header 'Referrer-Policy' 'origin';

HTTP X-Content-Type-Options 响应头缺失

Nginx的nginx.conf中location下配置:

add_header X-Content-Type-Options nosniff;

HTTP X-Download-Options 响应头缺失

Nginx的nginx.conf中location下配置:

add_header X-Download-Options "noopen" always;

HTTP Content-Security-Policy 响应头缺失

Nginx的nginx.conf中location下配置:

add_header Content-Security-Policy "default-src 'self' * 'unsafe-inline' 'unsafe-eval' blob: data: ;";

点击劫持：缺少 X-Frame-Options 头

Nginx的nginx.conf中location下配置:

add_header X-Frame-Options SAMEORIGIN;

HTTP X-XSS-Protection 响应头缺失

Nginx的nginx.conf中location下配置:

add_header X-XSS-Protection 1;

2、set-cookies 属性缺失

set-Cookie 没有设置 secure 、HttpOnly属性

nginx.conf location 根据项目路径配置（实际就是把/替换为/; Secure; HttpOnly）

proxy_cookie_path / "/; Secure; HttpOnly";

负载也会产生一条set-cookies信息，upstream route后加上Secure HttpOnly

        upstream portal{
              sticky path=/hh name=hh_route Secure HttpOnly;

3、CSRF跨站域请求伪造攻击

控制referer来源，例如非192.168.41网段地址返回403错误

nginx.conf server 下配置

        valid_referers none server_names 192.168.41.*;
     
            if ($invalid_referer) {
                return 403;
            }

4、不安全的http请求方式漏洞

例如只允许get post请求，其他返回403

nginx.conf location 添加

            if ($request_method !~* GET|POST) {
            return 403;
            }

 5、版本号信息隐藏

nginx版本号信息隐藏

nginx.conf http 添加

server_tokens off;

应用服务版本号信息隐藏

 

nginx.conf location 设置

proxy_hide_header aas-version;

 6、请求头控制web访问

例如只允许手机访问，则请求头Windows、Macintosh，直接返回404

nginx location 配置

            set $flag 0;
            if ($http_user_agent ~* "Windows" ) {
                set $flag "1";
            }
            if ($http_user_agent ~* "Macintosh" ) {
                set $flag "1";
            }
            if ($flag = "1"){
                return 404;
　　　}
————————————————
版权声明：本文为CSDN博主「方格眼」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/fanggeyan/article/details/125865158