nginx安全配置文件最佳实践

nginx安全配置add_header最佳实践(securityheaders测试A+)

之前写过一篇nginx的安全配置:《Nginx安全配置最佳实践》

本文是专门针对其中的header安全部分,因为谷歌浏览器在不断的更新它的第三方cookie策略

nginx中最安全的add_header配置代码:

add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT "max-age=7776000, enforce";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "upgrade-insecure-requests";

https://securityheaders.com 的测试结果:

nginx安全配置add_header最佳实践(securityheaders测试A+)
nginx安全配置add_header最佳实践(securityheaders测试A+)