一、漏掃出現(xiàn)問題

檢測到目標(biāo)X-Content-Type-Options響應(yīng)頭缺失

add_header 'Referrer-Policy' 'origin';

1

檢測到錯誤頁面web應(yīng)用服務(wù)器版本信息泄露 修改404頁面及500頁面，不要出現(xiàn)apache、nginx等字樣

檢測到目標(biāo)Referrer-Policy響應(yīng)頭缺失

add_header 'Referrer-Policy' 'origin';

1

檢測到目標(biāo)X-XSS-Protection響應(yīng)頭缺失

add_header X-Xss-header “1;mode=block”;

1

檢測到目標(biāo)X-Download-Options響應(yīng)頭缺失

add_header X-Download-Options "noopen" always;

1

檢測到目標(biāo)Strict-Transport-Security響應(yīng)頭缺失

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

1

檢測到目標(biāo)Content-Security-Policy響應(yīng)頭缺失

add_header X-Frame-Options SAMEORIGIN;

1

檢測到目標(biāo)X-Permitted-Cross-Domain-Policies響應(yīng)頭缺失

header("X-Permitted-Cross-Domain-Policies:'master-only';");

1

展開全文

點擊劫持：X-Frame-Options未配置

add_header X-Frame-Options SAMEORIGIN;

1

二、nginx.conf

http當(dāng)中添加server_tokens off;

替換對應(yīng)的站點域名；

#user nobody;

worker_processes 4;

#error_log logs/error.log;

#error_log logs/error.log notice;

#error_log logs/error.log info;

#pid logs/nginx.pid;

events {

worker_connections 40960;

}

http {

include mime.types;

default_type application/octet-stream;

#log_format main '$remote_addr - $remote_user [$time_local] "$request" '

# '$status $body_bytes_sent "$http_referer" '

# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile on;

#tcp_nopush on;

#keepalive_timeout 0;

keepalive_timeout 65;

server_tokens off;

server {

listen 8080;

server_name *.demo.com;

root "/www/demo";

location / {

index index.php index.html error/index.html;

error_page 400 /error/400.html;

error_page 403 /error/403.html;

error_page 404 /error/404.html;

error_page 500 /error/500.html;

error_page 501 /error/501.html;

error_page 502 /error/502.html;

error_page 503 /error/503.html;

error_page 504 /error/504.html;

error_page 505 /error/505.html;

error_page 506 /error/506.html;

error_page 507 /error/507.html;

error_page 509 /error/509.html;

error_page 510 /error/510.html;

include D:/phpstudy_pro/WWW/8100ktc/nginx.htaccess;

autoindex off;

}

location ~ \.php(.*)$ {

fastcgi_pass 127.0.0.1:9007;

fastcgi_index index.php;

fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

fastcgi_param PATH_INFO $fastcgi_path_info;

fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

include fastcgi_params;

}

add_header X-Content-Type-Options nosniff;

add_header 'Referrer-Policy' 'origin';

add_header X-Download-Options "noopen" always;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

add_header X-Permitted-Cross-Domain-Policies "master-only";

add_header X-Frame-Options SAMEORIGIN;

add_header Content-Security-Policy "default-src 'self' data: *.xxx.com 'unsafe-inline' 'unsafe-eval' mediastream: ";

add_header X-Content-Type-Options: nosniff;

add_header X-XSS-Protection "1; mode=block";

# proxy_hide_header X-Powered-By;

}

}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

————————————————

版權(quán)聲明：本文為CSDN博主「那小子很拽」的原創(chuàng)文章，遵循CC 4.0 BY-SA版權(quán)協(xié)議，轉(zhuǎn)載請附上原文出處鏈接及本聲明。

原文鏈接：https://blog.csdn.net/haoqi9999/article/details/123271036