出现HTTP响应头漏洞

1)、HTTP响应头 X-Frame-Options缺失漏洞
2)、HTTP响应头 X-Frame-Options缺失漏洞
3)、HTTP响应头 X-XSS-Protection缺失漏洞

解决办法:
参考:https://blog.csdn.net/m0_54434140/article/details/125517292

在 http 块中添加 server_tokens off;（隐藏 Server 响应头和默认错误页中的 nginx 版本号）
将配置中的 .xxx.com 替换为实际的站点域名;

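#user  nobody;
worker_processes 4;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
    worker_connections 40960;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile  on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout 65;

    # Hide the nginx version in the Server header and on built-in error pages.
    server_tokens off;

    server {
        listen        8080;
        server_name  *.demo.com;
        root   "/www/demo";

        location / {
            index index.html error/index.html;
        }

        # Security response headers for the scanner findings (X-Frame-Options,
        # X-XSS-Protection, ...).
        # add_header is inherited by a location only when that location declares
        # no add_header of its own; a location that adds any header of its own
        # must repeat the whole list.
        # "always" makes nginx emit the header on every status code (4xx/5xx too).
        # Without it only 2xx/3xx responses carry the header, and a scanner that
        # probes an error page keeps reporting the header as missing.
        add_header X-Content-Type-Options nosniff always;
        # 'origin' sends the bare origin on every request, including cross-origin
        # and HTTPS->HTTP; strict-origin-when-cross-origin is the stricter usual choice.
        add_header 'Referrer-Policy' 'origin' always;
        add_header X-Download-Options "noopen" always;
        # Browsers only honour HSTS received over TLS, so on this plain-HTTP
        # "listen 8080" server the header is ignored. "preload; includeSubdomains"
        # is a long-lived commitment for every subdomain - confirm before keeping it.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        add_header X-Permitted-Cross-Domain-Policies  "master-only" always;
        add_header X-Frame-Options SAMEORIGIN always;
        # IMPORTANT: replace .xxx.com with the real site domain.
        # 'unsafe-inline' and 'unsafe-eval' allow inline and eval'd script, so this
        # policy mainly restricts where resources may be loaded from rather than
        # stopping injected script; tighten it when the site can do without them.
        add_header Content-Security-Policy "default-src 'self' data: *.xxx.com  'unsafe-inline' 'unsafe-eval' mediastream: " always;
        # The earlier duplicate "add_header X-Content-Type-Options: nosniff;" was
        # dropped: the stray colon becomes part of the header name, and the header
        # is already set above.
        # Legacy browser filter, kept because the scanner reports its absence;
        # current browsers ignore it and CSP is the effective XSS control.
        add_header X-XSS-Protection "1; mode=block" always;
        # Only has an effect together with proxy_pass (strips the upstream's header).
        # proxy_hide_header  X-Powered-By;
    }
}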