引入谷歌 / hotjar统计,等外站的js/frame/css,会出现script-src、style-src、connect-src、frame-src、img-src等提示不安全,需要在nginx的头部增加Content-Security-Policy
支持https://*.xxx.com
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://static.hotjar.com https://script.hotjar.com https://vars.hotjar.com 'unsafe-eval' 'unsafe-inline'; connect-src 'self' https://www.google-analytics.com https://*.hotjar.com https://stats.g.doubleclick.net https://www.google.com; frame-src 'self' https://*.hotjar.com 'unsafe-eval' 'unsafe-inline'; img-src 'self' https://www.google-analytics.com https://api.qrserver.com https://www.google.com data:" always
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header Content-Security-Policy "upgrade-insecure-requests;connect-src *";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
add_header Cache-Control no-store;
add_header X-Frame-Options SAMEORIGIN;
add_header Permissions-Policy "geolocation=(),midi=(),microphone=(),camera=(),fullscreen=(self)";
add_header Referrer-Policy "no-referrer-when-downgrade";