一、漏扫出现问题
检测到目标X-Content-Type-Options响应头缺失
add_header 'Referrer-Policy' 'origin';
1
检测到错误页面web应用服务器版本信息泄露 修改404页面及500页面,不要出现apache、nginx等字样
检测到目标Referrer-Policy响应头缺失
add_header 'Referrer-Policy' 'origin';
1
检测到目标X-XSS-Protection响应头缺失
add_header X-Xss-header “1;mode=block”;
1
检测到目标X-Download-Options响应头缺失
add_header X-Download-Options "noopen" always;
1
检测到目标Strict-Transport-Security响应头缺失
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
1
检测到目标Content-Security-Policy响应头缺失
add_header X-Frame-Options SAMEORIGIN;
1
检测到目标X-Permitted-Cross-Domain-Policies响应头缺失
header("X-Permitted-Cross-Domain-Policies:'master-only';");
1
展开全文
点击劫持:X-Frame-Options未配置
add_header X-Frame-Options SAMEORIGIN;
1
二、nginx.conf
;
替换对应的站点域名;
#user nobody;
worker_processes 4;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 40960;
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$" '
# '"$"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
server_tokens off;
server {
listen 8080;
server_name *.demo.com;
root "/";
location / {
index index.php index.html error/index.html;
error_page 400 /error/400.html;
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 500 /error/500.html;
error_page 501 /error/501.html;
error_page 502 /error/502.html;
error_page 503 /error/503.html;
error_page 504 /error/504.html;
error_page 505 /error/505.html;
error_page 506 /error/506.html;
error_page 507 /error/507.html;
error_page 509 /error/509.html;
error_page 510 /error/510.html;
include D:/phpstudy_pro/;
autoindex off;
location ~ \.php(.*)$ {
fastcgi_pass 127.0.0.1:9007;
fastcgi_index index.php;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
include fastcgi_params;
add_header X-Content-Type-Options nosniff;
add_header 'Referrer-Policy' 'origin';
add_header X-Download-Options "noopen" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Permitted-Cross-Domain-Policies "master-only";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy "default-src 'self' data: *.xxx.com 'unsafe-inline' 'unsafe-eval' mediastream: ";
add_header X-Content-Type-Options: nosniff;
add_header X-XSS-Protection "1; mode=block";
# proxy_hide_header X-Powered-By;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
版权声明:本文为CSDN博主「那小子很拽」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:
特别声明
本文仅代表作者观点,不代表本站立场,本站仅提供信息存储服务。