I previously wrote a post on nginx hardening: 《Nginx安全配置最佳实践》 (Nginx Security Configuration Best Practices).
This post focuses on the response-header part of that configuration, because Chrome keeps changing its third-party cookie policy. The Permissions-Policy line below opts the site out of FLoC, the cohort-based tracking Chrome trialled as a replacement for third-party cookies; Chrome has since dropped FLoC in favour of the Topics API, so that directive is harmless but now inert.
The add_header configuration for nginx, with the duplicate X-XSS-Protection line removed and "always" on every directive so the headers are also sent on error responses (without "always", add_header only applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308). Keep in mind that nginx inherits add_header from the enclosing block only when the current block declares no add_header of its own, so any location that adds even one header of its own must repeat the full set:
# Sent on every response, including error pages, thanks to "always"
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# This CSP restricts no sources; it only rewrites http: subresource URLs to https:
add_header Content-Security-Policy "upgrade-insecure-requests" always;
add_header Permissions-Policy "interest-cohort=()" always;
# Legacy headers: X-XSS-Protection only affects old browsers (modern Chromium and Edge removed the XSS auditor),
# and Expect-CT is deprecated now that Certificate Transparency is enforced by default
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "max-age=7776000, enforce" always;
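The inheritance rule is the usual way this header set silently disappears in production: a location that sets its own Content-Disposition or Cache-Control drops everything inherited from the server block. The pattern below is an added example, not configuration from the original post or from nginx itself; the snippet path, server_name and upstream address are placeholders I chose for illustration.

```nginx
# --- contents of /etc/nginx/snippets/security-headers.conf (path is an assumption) ---
# The header set from this post, kept in one file so it can be re-included
# in every block that declares its own add_header.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
add_header Permissions-Policy "interest-cohort=()" always;

# --- server block in nginx.conf or a site file ---
server {
    listen 443 ssl;
    server_name example.com;            # placeholder

    # Applies to every location below that has no add_header of its own.
    include snippets/security-headers.conf;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }

    location /download/ {
        # This block declares its own add_header, so nothing is inherited from
        # the server block any more; without the include, this location would
        # answer with Content-Disposition only and none of the security headers.
        add_header Content-Disposition "attachment" always;
        include snippets/security-headers.conf;
    }

    # Error pages are covered as well: "always" on each directive means the
    # headers are added to 4xx/5xx responses, not only to 2xx/3xx.
    error_page 404 /404.html;
}
```

After reloading, confirm with "curl -sI https://example.com/download/x" that the security headers appear next to Content-Disposition; if they are missing, the location has an add_header that is shadowing the inherited set.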
Test result from https://securityheaders.com:
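An online scan is convenient, but it only checks the one URL you give it, and a header that is present on / can be missing on /download/ or on a 404 page. The script below is an added example (my own, not part of the original post or of securityheaders.com): it reads a raw response-header block on stdin, reports which headers from the set above are missing, and separately checks that Strict-Transport-Security meets the one-year max-age plus includeSubDomains minimum that hstspreload.org requires. The two sample responses are constructed, not real captures, and REQUIRED_HEADERS is my own list taken from the add_header lines in this post.

```shell
#!/bin/sh
# Added example, not from the original post: an offline checker for the header
# set above. Both functions read a raw HTTP response header block on stdin.
# REQUIRED_HEADERS is my own list, taken from the add_header lines in this post.

REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options referrer-policy content-security-policy permissions-policy"

# check_headers: print each required header that is absent; the exit status is
# the number of missing headers, so 0 means the full set was present.
check_headers() {
    missing=0
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')        # header names are case-insensitive
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "missing: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_hsts: succeed only if Strict-Transport-Security carries max-age of at
# least one year (31536000 s) and includeSubDomains, the minimum hstspreload.org
# requires before it accepts a domain for the preload list.
check_hsts() {
    line=$(tr -d '\r' | tr 'A-Z' 'a-z' | grep '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || return 1
    age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    [ "$age" -ge 31536000 ] || return 1
    printf '%s\n' "$line" | grep -q 'includesubdomains'
}

# Constructed sample responses (not real captures).
# What a server running the configuration above returns:
GOOD_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests
Permissions-Policy: interest-cohort=()
X-XSS-Protection: 1; mode=block
'
# A typical regression: a location block with its own add_header, so the
# inherited headers were dropped and only a short-lived HSTS survives.
BAD_RESPONSE='HTTP/1.1 404 Not Found
Server: nginx
Strict-Transport-Security: max-age=300
'

if printf '%s' "$GOOD_RESPONSE" | check_headers; then
    echo "good response: all required headers present"
fi
printf '%s' "$BAD_RESPONSE" | check_headers || echo "bad response: headers missing"
printf '%s' "$BAD_RESPONSE" | check_hsts || echo "bad response: HSTS too weak for preload"
```

To check a live site, replace the constructed samples with "curl -sI https://example.com/some/path | check_headers" and run it against an error page and a few locations, not just the front page; the missing-header count in the exit status makes it easy to fail a deployment pipeline when the set regresses.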

