Nginx安全加固02

server {
  server_name xxxxx.com;
  listen 443 ssl;
  add_header Strict-Transport-Security "max-age=63072000";
  add_header X-Permitted-Cross-Domain-Policies "master-only";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options "nosniff";
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy "origin";
  add_header Content-Security-Policy "default-src 'self' data: *.xxx.com 'unsafe-inline' 'unsafe-eval' mediastream: ";
  …
  }


Nginx一些安全设置:

1、Nginx响应头缺失,nginx.conf中location下配置:
  HTTP X-Permitted-Cross-Domain-Policies 响应头缺失
  add_header X-Permitted-Cross-Domain-Policies value;

HTTP Referrer-Policy 响应头缺失
  add_header 'Referrer-Policy' 'origin';

HTTP X-Content-Type-Options 响应头缺失
  add_header X-Content-Type-Options nosniff;

HTTP X-Download-Options 响应头缺失
  add_header X-Download-Options "noopen" always;

HTTP Content-Security-Policy 响应头缺失
  add_header Content-Security-Policy "default-src 'self' * 'unsafe-inline' 'unsafe-eval' blob: data: ;";

点击劫持:缺少 X-Frame-Options 头
  add_header X-Frame-Options SAMEORIGIN;

HTTP X-XSS-Protection 响应头缺失
  add_header X-XSS-Protection 1;

 

2、set-cookies 属性缺失,nginx.conf location 根据项目路径配置(实际就是把/替换为/; Secure; HttpOnly)
set-Cookie 没有设置 secure 、HttpOnly属性
  proxy_cookie_path / "/; Secure; HttpOnly";

负载也会产生一条set-cookies信息,upstream route后加上Secure HttpOnly

  upstream portal{
    sticky path=/hh name=hh_route Secure HttpOnly;

3、CSRF跨站域请求伪造攻击
控制referer来源,例如非192.168.41网段地址返回403错误

nginx.conf server 下配置

  valid_referers none server_names 192.168.41.*;

  if ($invalid_referer) {
    return 403;
  }

4、不安全的http请求方式漏洞
例如只允许get post请求,其他返回403

nginx.conf location 添加

  if ($request_method !~* GET|POST) {
    return 403;
  }

5、nginx版本号信息隐藏

nginx.conf http 添加
  server_tokens off;

应用服务版本号信息隐藏
nginx.conf location 设置
  proxy_hide_header aas-version;


6、请求头控制web访问
例如只允许手机访问,则请求头Windows、Macintosh,直接返回404

nginx location 配置

  set $flag 0;
  if ($http_user_agent ~* "Windows" ) {
    set $flag "1";
  }
  if ($http_user_agent ~* "Macintosh" ) {
    set $flag "1";
  }
  if ($flag = "1"){
    return 404;
  }



原文链接:https://blog.csdn.net/fanggeyan/article/details/125865158

posted @ 2025-06-25 16:47  walkersss  阅读(34)  评论(0)    收藏  举报