nginx扫描漏洞响应头缺失解决方法
一、漏扫出现问题
检测到目标X-Content-Type-Options响应头缺失
add_header X-Content-Type-Options nosniff always;
说明:所有安全头都建议加上 `always`。不加 `always` 时 nginx 只在 200/201/204/206/30x 响应上附加 add_header,自定义的 404/500 错误页不会带这些头,漏扫通常正是在错误页上再次报"响应头缺失"。另外 add_header 不跨层级合并:只要某个 location 内写了任意一条 add_header,server 级的全部安全头在该 location 下都会失效,因此要么统一放在 server 级,要么在每个 location 中完整重复一遍。
检测到错误页面web应用服务器版本信息泄露 通过 error_page 指向自定义的 404/500 页面,页面内容中不要出现 apache、nginx 等字样;同时在 http 段加 `server_tokens off;`,否则 nginx 自带错误页和 Server 响应头仍会带出版本号。注意 `server_tokens off` 只去掉版本号,`Server: nginx` 字样依然存在,要彻底去掉需要 headers-more 模块(`more_clear_headers Server;`);PHP 站点还应去掉 `X-Powered-By`(php.ini 中 `expose_php = Off`,或 nginx 中 `fastcgi_hide_header X-Powered-By;`)。
检测到目标Referrer-Policy响应头缺失
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
说明:`origin` 也能通过漏扫,但它会把站点 origin 发给所有第三方站点,且在 HTTPS 跳转到 HTTP 时同样发送;`strict-origin-when-cross-origin`(现代浏览器默认值)或 `no-referrer` 更安全。
检测到目标X-XSS-Protection响应头缺失
add_header X-XSS-Protection "1; mode=block" always;
说明:原文写的是 `X-Xss-header`,这不是正确的响应头名称,写上去漏扫仍会报缺失。该头已被现代 Chromium/Firefox 忽略,真正防御 XSS 的是 Content-Security-Policy,这里加上只是为了满足漏扫检查项。
检测到目标X-Download-Options响应头缺失
add_header X-Download-Options "noopen" always;
检测到目标Strict-Transport-Security响应头缺失
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
说明:浏览器只在通过 HTTPS 收到该头时才会生效,在纯 HTTP 端口(如下文示例的 8080)上发送只是"让漏扫看到有这个头",并没有实际防护。`includeSubDomains` 会强制所有子域走 HTTPS,`preload` 需要提交到浏览器预加载列表且很难撤销,确认整个域名都已支持 HTTPS 后再保留这两个参数,否则先去掉 `preload`。
检测到目标Content-Security-Policy响应头缺失
add_header Content-Security-Policy "default-src 'self'" always;
说明:原文此处给的是 X-Frame-Options,那是下文"点击劫持"项的修复,并不能解决 CSP 缺失。CSP 的具体值必须按站点实际加载的脚本/样式/图片来源定制,上面只是最严格的示例;下文配置里用的 `'unsafe-inline' 'unsafe-eval'` 会让 CSP 基本失去防御 XSS 的作用,只能满足"存在该头"的检查。若需要限制页面被嵌入,CSP 中对应的指令是 `frame-ancestors 'self'`。
检测到目标X-Permitted-Cross-Domain-Policies响应头缺失
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
说明:原文写的 `header("X-Permitted-Cross-Domain-Policies:'master-only';");` 是 PHP 的 header() 写法,不是 nginx 指令,而且值里的单引号会被原样发送,导致浏览器/漏扫无法识别。如果站点根本不提供 crossdomain.xml,用 `none` 更严格。
点击劫持:X-Frame-Options未配置
add_header X-Frame-Options SAMEORIGIN;
二、nginx.conf
http当中添加server_tokens off;(只隐藏版本号,Server 头中仍会显示 nginx;彻底移除需要 headers-more 模块。)安全头统一写在 server 段并全部加 `always`,不要再在 location 内单独写 add_header,否则该 location 会丢掉 server 级的全部安全头。
替换对应的站点域名;
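#user nobody;
worker_processes 4;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 40960;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    # Hide the nginx version in the Server header and on built-in error pages.
    # NOTE: the Server header still says "nginx"; removing the product name
    # entirely needs the headers-more module (more_clear_headers Server;).
    server_tokens off;

    server {
        listen 8080;
        server_name *.demo.com;
        root "/www/demo";

        # Custom error pages at server level so they apply to every location
        # (including the PHP location below), never the stock nginx error page.
        # The files live under /www/demo/error/ and must not name the server.
        error_page 400 /error/400.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 500 /error/500.html;
        error_page 501 /error/501.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        error_page 504 /error/504.html;
        error_page 505 /error/505.html;
        error_page 506 /error/506.html;
        error_page 507 /error/507.html;
        error_page 509 /error/509.html;
        error_page 510 /error/510.html;

        location / {
            index index.php index.html error/index.html;

            # Site-specific rewrite rules. This is a leftover Windows/phpstudy
            # path; point it at a file that exists on the target host -- nginx
            # refuses to start when an included file is missing.
            include D:/phpstudy_pro/WWW/8100ktc/nginx.htaccess;

            # Never list directory contents.
            autoindex off;
        }

        location ~ \.php(.*)$ {
            fastcgi_pass 127.0.0.1:9007;
            fastcgi_index index.php;
            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;

            # Only hand real .php files to PHP-FPM. Without this check a request
            # such as /uploads/x.jpg/y.php can make PHP execute the uploaded
            # file when cgi.fix_pathinfo=1 (see nginx "Pitfalls and Common
            # Mistakes"). try_files is not used because it resets
            # $fastcgi_path_info, which the PATH_INFO params below rely on.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            include fastcgi_params;

            # PHP's X-Powered-By arrives over FastCGI; proxy_hide_header only
            # applies to proxy_pass, so it must be stripped here.
            fastcgi_hide_header X-Powered-By;
        }

        # Security headers, kept at server level and nowhere else: add_header
        # is not merged across levels, so a single add_header inside a
        # location would drop ALL of these for that location.
        # "always" makes nginx attach them to 4xx/5xx responses too; without it
        # only 200/201/204/206/30x responses get them and the custom error
        # pages above would still be flagged by the scanner.
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy origin always;
        add_header X-Download-Options "noopen" always;
        # HSTS is only honoured by browsers when received over HTTPS; on the
        # plain-HTTP listener above it is ignored (it still satisfies the scan).
        # includeSubDomains and preload affect every subdomain and are hard to
        # undo -- confirm the whole domain serves HTTPS before keeping them.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Permitted-Cross-Domain-Policies "master-only" always;
        add_header X-Frame-Options SAMEORIGIN always;
        # 'unsafe-inline' and 'unsafe-eval' leave this CSP with little XSS
        # value; tighten it once the site's real script sources are known.
        # Replace *.xxx.com with the real domain.
        add_header Content-Security-Policy "default-src 'self' data: *.xxx.com 'unsafe-inline' 'unsafe-eval' mediastream: " always;
        # Legacy header ignored by current browsers; kept for the scanner.
        # (The original also had a second "X-Content-Type-Options:" line with a
        # trailing colon, which sent a malformed header name; removed.)
        add_header X-XSS-Protection "1; mode=block" always;

        # Only affects proxy_pass responses; kept for any future proxied
        # locations. The FastCGI equivalent is in the PHP location above.
        proxy_hide_header X-Powered-By;
    }
}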