nginx安全头配置

server_tokens off;
add_header Cache-Control no-cache;

add_header Referrer-Policy no-referrer-when-downgrade;
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Download-Options noopen;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header Content-Security-Policy "connect-src *";
add_header Set-Cookie "SameSite=Strict; HttpOnly; Secure";

• SameSite 属性
  https://cloud.tencent.com/developer/article/1579121

SameSite：有3个值 Strict，Lax，None
Set-Cookie: CookieName=CookieValue; SameSite=Strict;  #完全禁止第三方 Cookie，跨站点时，任何情况下都不会发送 Cookie;只有当前网页的 URL 与请求目标一致，才会带上 Cookie
Set-Cookie: CookieName=CookieValue; SameSite=Lax;  #大多数情况也是不发送第三方 Cookie，但是导航到目标网址的 Get 请求除外