Nginx安全配置

目录

1、跨域防护

#CORS-START
add_header X-Frame-Options "SAMEORIGIN";
add_header Access-Control-Allow-Origin "xyz.com";
add_header Access-Control-Allow-Methods "GET,POST,OPTIONS";
add_header Access-Control-Allow-Headers "Content-Type,Authorization,X-Requested-With,Range,Accept,Cache-Control,If-Modified-Since";
add_header Access-Control-Max-Age "60";
add_header Access-Control-Expose-Headers "X-Custom-Header,Content-Length,ETag,Cache-Control,Last-Modified,Expires,Vary";
if ($request_method = 'OPTIONS') {
  return 204;
}
#CORS-END

2、给 Cookie 增加 Secure 和 HttpOnly

  location /api {
      proxy_pass http://localhost:8080;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # 在这里设置
      proxy_cookie_path / "/; httponly; secure; SameSite=Lax";
  }

3、XSS攻击防护

#XSS-START
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';";
#XSS-END
posted @ 2025-10-17 10:16  Bruce.Chang.Lee  阅读(3)  评论(0)    收藏  举报