1. Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN";
2. Cross-site scripting (XSS) attacks
add_header X-XSS-Protection "1; mode=block";
3. Force the browser to honour the content type declared by the server
add_header X-Content-Type-Options nosniff;
4. Make the browser refuse to be switched by an attacker from HTTPS to HTTP or other insecure URLs
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
5. Content Security Policy
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://tautt.zendesk.com; object-src 'none'";
6. Cookie Protection
HttpOnly: prevents XSS from stealing the user's cookie
Secure: restricts the cookie to HTTPS connections, not HTTP, so an attacker with access to your network cannot read the cookie in cleartext
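The headers above are only useful if they actually reach the browser with sound values, so a defender usually wants a check that reads back a response and flags what is missing or weak. The script below is an added example, not code from the original page: it parses a constructed set of response headers and Set-Cookie values (the function names, the sample values and the findings strings are my own), and it deliberately does not score X-XSS-Protection, because current Chrome and Edge no longer implement the XSS auditor and Firefox never did. Note that a CSP whose script-src allows 'unsafe-inline' and 'unsafe-eval', as in the policy on this page, gives almost no protection against injected scripts; the checker reports that.

```python
"""Check a response's security headers and cookie flags.

Added example (not part of the original page). The sample headers and
cookies at the bottom are constructed for demonstration.
"""
import re
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # seconds; the max-age the page recommends for HSTS


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_security_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Clickjacking: the frame-ancestors CSP directive is the modern form,
    # but the page's X-Frame-Options is still widely honoured.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    # MIME sniffing: the only meaningful value is "nosniff".
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")

    # HSTS: present and with a max-age of at least one year.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("Strict-Transport-Security missing (HTTPS downgrade)")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")

    # CSP: script-src falls back to default-src when absent.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in scripts:
                findings.append(f"CSP script-src allows {weak}, which defeats XSS protection")
        if policy.get("object-src") != ["'none'"]:
            findings.append("CSP object-src is not 'none'")

    return findings


def check_cookie_flags(set_cookie_values):
    """Return {cookie_name: [missing flags]} for a list of Set-Cookie values."""
    missing = {}
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            flags = []
            if not morsel["httponly"]:
                flags.append("HttpOnly")
            if not morsel["secure"]:
                flags.append("Secure")
            missing[name] = flags
    return missing


# Constructed sample: the header set from this page plus two cookies.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
                               "'unsafe-eval' https://tautt.zendesk.com; object-src 'none'",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure",  # correctly flagged
    "pref=dark; Path=/",                         # missing both flags
]

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print("header:", finding)
    for name, flags in check_cookie_flags(SAMPLE_COOKIES).items():
        print(f"cookie {name}: missing {flags or 'nothing'}")
```

Run it against real traffic by feeding it the header dict and the list of Set-Cookie values from whatever HTTP client you use; the checker is pure and does no network I/O itself.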