nginx安全头配置
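# Hide the nginx version in the Server header and in built-in error pages.
server_tokens off;

# `always` (nginx >= 1.7.5) makes add_header apply to every response code,
# including 4xx/5xx; without it these headers are only set on 2xx/3xx.
# NOTE: add_header is NOT inherited into a `location` block that declares
# its own add_header; such a block must repeat the full list below.

# no-cache only forces revalidation; responses carrying sensitive data
# need `no-store` to keep them out of caches entirely.
add_header Cache-Control no-cache always;
add_header Referrer-Policy no-referrer-when-downgrade always;
add_header X-Permitted-Cross-Domain-Policies master-only always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Download-Options noopen always;
add_header X-Content-Type-Options nosniff always;
# The legacy XSS auditor enabled by "1; mode=block" has been removed from
# current browsers and could be misused in older ones; "0" turns it off.
add_header X-XSS-Protection "0" always;
# `preload` is effectively irreversible once the host is submitted to the
# browser preload list; keep it only if that submission is intended.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
# A policy containing only `connect-src *` restricts nothing else (scripts,
# frames, objects); define default-src and tighten it per site, ideally via
# Content-Security-Policy-Report-Only first.
add_header Content-Security-Policy "connect-src *" always;
# The former line `add_header Set-Cookie "SameSite=Strict; HttpOnly; Secure";`
# emitted a Set-Cookie header with no cookie name, which browsers discard, and
# it does not add attributes to cookies set by the application. For proxied
# responses use proxy_cookie_flags (nginx >= 1.19.3) on all cookies instead:
# proxy_cookie_flags ~ secure httponly samesite=strict;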
SameSite 有 3 个取值：Strict、Lax、None
Set-Cookie: CookieName=CookieValue; SameSite=Strict; # 完全禁止第三方 Cookie：跨站请求在任何情况下都不会发送该 Cookie，只有当前页面的 URL 与请求目标同站时才会携带
Set-Cookie: CookieName=CookieValue; SameSite=Lax; # 大多数情况下同样不发送第三方 Cookie，但导航到目标网址的 GET 请求除外