nginx
SangBigYe
This author is lazy and has left nothing here…
Vulnerability fix: unnecessary HTTP response header found in the application
Description of the nginx server_tokens directive: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens. Module address: https://github.com/openresty/headers-more-nginx-module. Remember to change /path/to/headers-more-nginx-module to the path where you downloaded the module. After compiling, add the directive to nginx.conf to remove the Server header. Original · 2023-08-30 17:28:10 · 3045 views · 0 comments
Vulnerability fix: Clickjacking: CSP frame-ancestors missing
Add the following in the server block. Original · 2022-11-29 11:43:03 · 2524 views · 0 comments
Vulnerability fix: HTML5: Overly Permissive CORS Policy
add_header Access-Control-Allow-Origin <allowed IP or domain name>, allowed IP or domain name; check $http_origin, and if it is not in the whitelist, return 403 directly. In practice the scanner still flagged it. Add in the server block. Original · 2022-11-16 16:22:39 · 796 views · 0 comments
Vulnerability fix: Content-Security-Policy header missing
Add add_header Content-Security-Policy under http, server, or location. Original · 2022-11-16 15:06:21 · 2484 views · 0 comments
Starting nginx without root privileges
PS: a non-root user cannot bind ports below 1024, and ports 80 and 443 are normally required; if your port is above 1024 you can skip this step. Comment out the first line #user nobody; Original · 2022-08-02 18:12:20 · 3043 views · 0 comments
Vulnerability fix: Cookie Security: Overly Permissive SameSite Attribute
Description: The SameSite attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site to allow the user to perform authorized actions. However, the browser automatically sends the cookies and therefore Original · 2022-02-07 09:49:23 · 3800 views · 0 comments
Vulnerability fix: HTML5: Cross-Site Scripting Protection
Description: The X-XSS-Protection HTTP response header enables developers and security architects to manage browser protection against reflected cross-site scripting. The mechanism is also known as the XSS Auditor in Chrome and the XSS filter in Internet Explorer. In mo Original · 2022-01-28 15:34:24 · 2285 views · 0 comments
Vulnerability fix: Insecure Transport: HSTS not Set
Description: The HTTP Strict Transport Security (HSTS) policy enables web applications to force web browsers to restrict communication with the server to an encrypted SSL/TLS connection for a set period. The policy is declared via a special Strict Transport Security respo Original · 2022-01-28 15:27:52 · 1881 views · 0 comments
Vulnerability fix: Cache Management: Insecure Policy
Description: WebInspect has detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to guarantee confidentiality, administrators must ensure that caching of sensitive content is disabled un Original · 2022-01-28 15:00:48 · 1342 views · 0 comments
Vulnerability fix: HTML5: CORS Prolonged Caching of Preflight Response
Description: WebInspect has discovered a preflight response that is configured to be cached for a prolonged amount of time. The time a response is allowed to be cached is conveyed using an Access-Control-Max-Age response header, and a value of more than 30 minutes is co Original · 2022-01-28 14:45:27 · 1004 views · 0 comments
Vulnerability fix: Cookie Security: HTTPOnly not Set on Application Cookie
Description: The web application does not use HttpOnly cookies. This is a security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of a successful cross-site scripting attack by not allowing cookies with the HttpOnly attribute to be Original · 2022-01-28 14:32:32 · 3980 views · 0 comments
Vulnerability fix: Often Misused: Weak SSL Certificate
Description: WebInspect has identified a self-signed certificate served from the target server. Server certificates declare the public key of the server for use in transport layer security. Trusted third-party vendors known as Certificate Authorities (CAs) sign and iss Original · 2022-01-28 13:56:56 · 3090 views · 0 comments
Vulnerability fix: Web Server Misconfiguration: SSL Certificate Hostname Discrepancy
Description: This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that the certificate used by the server is for the same host as the serv Original · 2022-01-28 13:55:12 · 2754 views · 0 comments
Vulnerability fix: Cookie Security: Cookie not Sent Over SSL
Description: This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that all cookies are sent via SSL during an SSL session. The URL: ht Original · 2022-01-28 11:23:12 · 5385 views · 0 comments
Vulnerability fix: HTML5: CORS Functionality Abuse
Description: WebInspect has detected that the target application supports "Origin: null" for CORS requests, making it vulnerable to CORS attacks. Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its Original · 2022-01-28 11:16:19 · 2264 views · 3 comments
Vulnerability fix: Often Misused: HTTP Method Override
Description: In order to protect access to various resources, web servers may be configured to prevent the use of specific HTTP verbs. However, some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers. Original · 2022-01-28 10:31:01 · 2758 views · 0 comments
Vulnerability fix: Clickjacking: X-Frame-Options header missing
Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidentia Original · 2022-01-27 18:26:52 · 4255 views · 1 comment
Vulnerability fix: Cross-Frame Scripting Medium
Description: A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a clickjacking attack to conduct phishing, frame sniffing Original · 2022-01-27 18:10:38 · 967 views · 0 comments
Vulnerability fix: TLS 1.0 enabled
Description: The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be "strong cryptography" as defined and required by the PCI Data Security Standard 3.2(.1) when used to protect sensitive information transferred to or from web sites. Acco Original · 2022-01-27 18:01:07 · 9293 views · 1 comment
Using Nginx to build a Tomcat cluster on Windows
nginx download address: https://nginx.org/en/download.html Tomcat 8.0 download address: https://tomcat.apache.org/download-80.cgi Since we are deploying a cluster, changing the Tomcat ports should be trivial, so I won't dwell on it. Change the ports of the two Tomcat instances to 18080 and 28080 respectively; to tell the two instances apart, modify \webapps\ROO... Original · 2018-07-13 16:28:20 · 758 views · 0 comments