1. A security scan reported missing configuration:
Missing security header configuration:
X-Xss-Protection “1;mode=block”
X-Frame-Options “SAMEORIGIN”
X-Content-Type-Options: nosniff
Reference:
https://scotthelme.co.uk/hardening-your-http-response-headers/
Solution
Add the following configuration to each nginx proxy:
add_header X-Xss-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
2. Other security configuration
# Content Security Policy: only accept data from domains ending in leinovo.com, to prevent cross-site web attacks
add_header Content-Security-Policy "default-src *.leinovo.com https: data: blob: 'unsafe-inline' 'unsafe-eval'; img-src * data: blob:";
# HTTP Strict Transport Security:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
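The following checker is an added example, not part of the original note and not code from nginx or the scanner it mentions. It takes a dictionary of response headers (the sample below is constructed to match what the add_header lines above would emit, not a real capture), verifies the three headers the scan asked for, and then inspects the Content-Security-Policy and Strict-Transport-Security values. Running it against the note's own CSP shows a point worth knowing before trusting the comment on that line: source expressions such as https:, 'unsafe-inline' and 'unsafe-eval' in default-src, and * in img-src, allow far more than leinovo.com subdomains, so the policy does little to block injected scripts or cross-origin loads. The header names, the one-year max-age threshold and the list of permissive CSP sources are this example's assumptions.

```python
"""Added example (not from the original note): audit a set of HTTP response
headers against the scan findings above and flag permissive CSP/HSTS values.
SAMPLE_HEADERS is constructed to mirror the nginx add_header lines in the note."""

# Headers the scanner asked for, with the values the note configures
# (names compared case-insensitively, as HTTP requires; values likewise).
REQUIRED = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

# CSP source expressions that permit any origin or inline/eval'd code.
# Assumption of this example: any directive containing one of these is
# reported as weak, whatever host allow-list sits next to it.
PERMISSIVE_CSP_SOURCES = {"*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}

ONE_YEAR = 31536000  # max-age the note uses; anything shorter is reported

# Constructed sample: what a response from the note's configuration would carry.
SAMPLE_HEADERS = {
    "X-Xss-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src *.leinovo.com https: data: blob: "
                               "'unsafe-inline' 'unsafe-eval'; img-src * data: blob:",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}


def parse_csp(value):
    """Split a CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if it has none."""
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def check_headers(headers):
    """Return a list of finding strings for a dict of response headers.
    An empty list means every check passed."""
    findings = []
    lower = {name.lower(): val for name, val in headers.items()}

    # 1. The three headers the scan reported as missing.
    for name, expected in REQUIRED.items():
        got = lower.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif got.strip().lower() != expected.lower():
            findings.append(f"unexpected value: {name}={got!r} (expected {expected!r})")

    # 2. CSP: present, and no directive that opens up to any origin or inline code.
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing: content-security-policy")
    else:
        for directive, sources in parse_csp(csp).items():
            weak = sorted(s for s in sources if s in PERMISSIVE_CSP_SOURCES)
            if weak:
                findings.append(f"weak csp: {directive} allows {' '.join(weak)}")

    # 3. HSTS: present, with at least the one-year lifetime the note configures.
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing: strict-transport-security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"short hsts max-age: {hsts_max_age(hsts)}")

    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Two nginx behaviours matter when applying the note's add_header lines and then re-testing with a checker like this: add_header directives are inherited from the enclosing level only when the current level declares none, so a location block that adds its own header silently drops the server-level ones unless they are repeated there; and add_header is applied only to 2xx and 3xx responses unless the directive ends with `always`, so error pages will still show up as missing the headers.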