响应头设置
How to do it. Apache: put the directives in httpd.conf (appending them at the bottom works; they can also be scoped per <VirtualHost> or <Directory> to harden each case separately). They need mod_headers (LoadModule headers_module modules/mod_headers.so, or "a2enmod headers" on Debian/Ubuntu); check the file with "apachectl -t" and reload afterwards. Use "Header always set" rather than "add" or "append": set replaces any value the application already emits, while add can produce duplicate headers and append merges values into a comma-separated list that browsers do not reliably honour for these headers; "always" makes the header appear on error responses as well.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self';"
Header always set Referrer-Policy "no-referrer"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Download-Options "noopen"
Header always set X-Content-Type-Options "nosniff"
Notes: the HSTS value must be "max-age=<seconds>"; a bare number is not a valid value and browsers ignore the header. Send it only from the HTTPS virtual host, since the header has no effect over plain HTTP. The CSP needs a space between the directive name and its source list ("default-src 'self'"); "default-src'self'" is not a directive and the policy is rejected. Referrer-Policy is spelled with two r's; the misspelt Referer-Policy is silently ignored. X-XSS-Protection is a legacy header that current browsers ignore (OWASP now recommends sending "0", because the old filter could itself be abused), and X-Download-Options is honoured only by Internet Explorer; both are harmless to keep but provide no protection on modern browsers.
Nginx: set them in the server { } block of the web service. Each directive is "add_header name value;", the header name is written without a trailing colon, and the "always" flag makes nginx send the header on error responses too:
#add_header Content-Security-Policy "default-src 'self';" always; (this may break page styling or scripts, use with care; trial it first as Content-Security-Policy-Report-Only)
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
Caveats: the original form "add_header X-Content-Type-Options: nosniff;" (with a colon) defines a header named "X-Content-Type-Options:", so the client receives "X-Content-Type-Options:: nosniff" and the protection is not applied; the line also does not need to be repeated, once is enough. The other headers from the Apache list (Strict-Transport-Security, Referrer-Policy and so on) are added the same way. add_header is not inherited: if a location block contains any add_header of its own, none of the server-level headers are sent for that location, so repeat them there or keep them in one file pulled in with include. Check with "nginx -t" and verify what the client actually receives with "curl -sI".
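To confirm that the configuration above actually reaches the client, the following audit script is an added example and not part of the original notes: it parses raw response headers such as the output of "curl -sI https://host/" and reports headers that are missing, duplicated or malformed, including the mistakes the uncorrected snippets would produce (bare HSTS number, "default-src'self'", Referer-Policy, and the colon in the nginx header name). The two sample responses are constructed for the demonstration, not captured from any real server.

```python
"""Audit the security response headers a server actually sends.

Added example: pipe raw HTTP response headers in (e.g. `curl -sI https://host/ | python3 audit_headers.py`)
and it reports headers that are missing, duplicated or carry an invalid value.
"""
import re
import sys

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def hsts_ok(value):
    # RFC 6797: the header is only valid with a max-age directive; a bare number is ignored by browsers.
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= 31536000  # require at least one year

def csp_ok(value):
    # A directive name must be separated from its source list by whitespace ("default-src 'self'").
    return re.match(r"^\s*[a-z-]+\s+\S", value, re.I) is not None and "default-src" in value.lower()

# Lowercase header name -> predicate returning True when the value is acceptable.
EXPECTED = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": csp_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in REFERRER_POLICIES,
    "x-permitted-cross-domain-policies": lambda v: v.strip().lower() in {"none", "master-only"},
    "x-download-options": lambda v: v.strip().lower() == "noopen",
}

def parse_headers(raw):
    """Map lowercase header name -> list of values, from `curl -sI`-style text."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank separator or body text
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every expected header is present and valid."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing: {name}")
        elif len(values) > 1:
            findings.append(f"duplicate: {name} sent {len(values)} times")
        elif values[0].startswith(":"):
            # nginx "add_header Name: value;" names the header "Name:", so the client sees "Name:: value"
            findings.append(f"bad value: {name}: {values[0]!r} (header name contains a colon)")
        elif not ok(values[0]):
            findings.append(f"bad value: {name}: {values[0]!r}")
    if "referer-policy" in headers:
        findings.append("misspelled: Referer-Policy is ignored by browsers, use Referrer-Policy")
    return findings

# Constructed sample: what the uncorrected snippets would make a server emit.
BAD_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: 31536000
Content-Security-Policy: default-src'self';
Referer-Policy: no-referrer
X-Content-Type-Options:: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
"""

# Constructed sample: the corrected configuration.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self';
Referrer-Policy: no-referrer
X-Permitted-Cross-Domain-Policies: master-only
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

if __name__ == "__main__":
    # Audit stdin when something is piped in, otherwise demonstrate on the constructed bad sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else BAD_RESPONSE
    for finding in audit(raw) or ["ok: all expected headers present and valid"]:
        print(finding)
```

The script deliberately reads what the client receives rather than the configuration file, because an add_header in a location block or a header set by the application can silently override what server-level config promises; run it against every path you care about, not just "/".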