nginx 配置头 防止 XSS 攻击 — nginx security response headers (X-Frame-Options, X-Content-Type-Options, HSTS, Permissions-Policy, Content-Security-Policy) to mitigate XSS and related client-side attacks. Note that the CSP below still allows 'unsafe-inline' and 'unsafe-eval' for scripts, so it limits rather than prevents XSS; the headers are defence in depth, not a substitute for output encoding in the application.
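# Hardened HTTPS front end: TLS termination, security response headers and
# reverse-proxy routes in front of an SPA served from /gds/xxx/dist/.
#
# Plain-HTTP listener. It serves nothing and only redirects to HTTPS. The
# original file had "listen 80 ssl", which makes nginx answer a plain-HTTP
# request on port 80 with "400 The plain HTTP request was sent to HTTPS port";
# a redirecting port 80 is also what the HSTS "preload" directive below requires.
server {
    listen 80;
    server_name xxx.com;
    return 301 https://$host$request_uri;
}

server {
    # TLS belongs on 443; "listen 80 ssl" in the original is almost certainly a typo.
    listen 443 ssl;
    server_name xxx.com;

    # Do not advertise the nginx version in the Server: header and error pages.
    server_tokens off;

    ssl_certificate     cert/xxx_bundle.pem;
    # The original read "certxxx.key" (missing path separator), inconsistent with
    # the certificate path above; nginx refuses to start when the key is unreadable.
    ssl_certificate_key cert/xxx.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # ECDHE-only, AEAD-preferred suite list; NULL/anon/MD5/3DES/RC4/DH(E) excluded.
    # With OpenSSL 1.1.1+ the TLS_* names at the front are ignored by ssl_ciphers
    # (TLS 1.3 suites are set via "ssl_conf_command Ciphersuites ..."); they are
    # harmless but inert here.
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE';
    ssl_prefer_server_ciphers on;

    # Every add_header carries "always": without it nginx attaches the header only
    # to 2xx/3xx responses, so 4xx/5xx pages (including errors relayed from the
    # proxied backends) would go out without these protections. Keep every
    # add_header at server level: a location that declares even one add_header of
    # its own stops inheriting the whole set from here.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header for old IE / EdgeHTML only; current browsers ignore it and
    # OWASP now recommends "0" or omitting it. Kept for compatibility; the real
    # XSS defence is the Content-Security-Policy below.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The original carried the literal placeholder "value". "none" forbids Flash /
    # Acrobat cross-domain policy files entirely.
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Sends the full URL to cross-origin HTTPS destinations; consider
    # "strict-origin-when-cross-origin" if paths or query strings are sensitive.
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Download-Options "noopen" always;
    # Two years, all subdomains, preload-eligible. Keep "preload" only if every
    # subdomain of xxx.com is served over HTTPS, then submit at hstspreload.org;
    # it cannot be undone quickly once browsers ship the list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # Applies to every response, including the static SPA bundles, so nothing is
    # cached by browsers or intermediaries. Safe default for sensitive content,
    # at the cost of re-downloading assets on each visit.
    add_header Cache-Control "no-store" always;
    add_header Permissions-Policy "geolocation=(),midi=(),microphone=(),camera=(),fullscreen=(self)" always;
    # Content-Security-Policy. 'unsafe-inline' and 'unsafe-eval' in script-src
    # mean this policy does NOT block injected scripts -- it reflects what the
    # application currently needs and should be tightened with nonces or hashes
    # before the "anti-XSS" label holds. Added over the original: object-src
    # 'none' (no plugin content), base-uri 'self' (an injected <base> cannot
    # redirect relative script URLs) and frame-ancestors 'self' (the CSP
    # equivalent of X-Frame-Options: SAMEORIGIN, honoured by browsers that ignore
    # the legacy header).
    add_header Content-Security-Policy "default-src 'self' *.zj.gov.cn; img-src * data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src * blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;

    # /file/ is relayed to an HTTPS origin. nginx does NOT verify upstream
    # certificates by default (proxy_ssl_verify is off), so this hop is open to
    # MITM until verification is enabled against a CA bundle; the bundle path is
    # deployment-specific, hence left as a commented template.
    location ^~ /file/ {
        # Send SNI so a virtual-hosted origin presents the right certificate.
        proxy_ssl_server_name on;
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;
        proxy_pass https://xxx.com/;
    }

    location ^~ /api/ {
        # Long timeouts for slow backend calls; unchanged from the original.
        proxy_connect_timeout 600s;
        proxy_send_timeout    600s;
        proxy_read_timeout    600s;
        proxy_pass http://xxx:xxx/;
        # $remote_addr rather than $proxy_add_x_forwarded_for, so a client-supplied
        # X-Forwarded-For cannot be passed through to the backend. Correct only if
        # nginx is the internet-facing edge; behind another proxy use the real-ip
        # module instead.
        proxy_set_header x-forwarded-for   $remote_addr;
        # Lets the backend know the client connection was TLS (for redirects,
        # secure cookies); nginx does not send this by default.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ^~ /upfile/ {
        proxy_connect_timeout 600s;
        proxy_send_timeout    600s;
        proxy_read_timeout    600s;
        # NOTE(review): client_max_body_size is not set anywhere in this block, so
        # uploads above nginx's 1 MiB default are rejected with 413 before they
        # reach the backend -- confirm the intended limit and set it explicitly.
        proxy_pass http://xxx:xxx/;
        proxy_set_header x-forwarded-for   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SPA: serve built assets from disk; unknown paths fall through to the
    # client-side router via @router.
    location / {
        root      /gds/xxx/dist/;
        try_files $uri $uri/ @router;
        index     index.html index.htm;
    }

    # History-API fallback: any unmatched URI is internally rewritten to
    # /index.html, which "location /" then serves from root.
    location @router {
        rewrite ^.*$ /index.html last;
    }
}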