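# ============================================================
# Nginx security response header configuration example
# ============================================================
#
# What it sets:
# - X-Frame-Options: clickjacking protection
# - X-Content-Type-Options: MIME-sniffing protection
# - Content-Security-Policy: content security policy
# - Referrer-Policy: referrer policy
# - Permissions-Policy: browser feature permissions
#
# Equivalent Lolly configuration:
#   server:
#     security:
#       headers:
#         x_frame_options: "DENY"
#         x_content_type_options: "nosniff"
#         referrer_policy: "strict-origin-when-cross-origin"
#         content_security_policy: "default-src 'self'"
#         permissions_policy: "geolocation=(), camera=()"
#
# NOTE: nginx inherits add_header directives from the enclosing level
# ONLY when the current level declares no add_header of its own. A
# location that sets a single header (such as its own CSP) silently
# drops every server-level header. The shared set is therefore repeated
# in such locations below; keep the copies in sync, or move the shared
# directives into a snippet and `include` it at each level.
# ============================================================

server {
    # "http2" as a listen parameter is deprecated since nginx 1.25.1 in
    # favour of a separate "http2 on;" directive; kept here for older builds.
    listen 443 ssl http2;
    server_name secure-headers.example.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # ---- Security response headers ----
    # Lolly equivalent: the security.headers block.
    # "always" makes nginx emit the header on every status code (including
    # 4xx/5xx), not only on 2xx/3xx responses.

    # X-Frame-Options: clickjacking protection
    #   DENY:          never allow embedding
    #   SAMEORIGIN:    allow same-origin embedding only
    #   ALLOW-FROM uri: allow a specific origin (deprecated)
    # Lolly equivalent: x_frame_options: "DENY"
    add_header X-Frame-Options "DENY" always;

    # X-Content-Type-Options: MIME-sniffing protection
    #   nosniff: the browser must honour the declared Content-Type
    # Lolly equivalent: x_content_type_options: "nosniff"
    add_header X-Content-Type-Options "nosniff" always;

    # X-XSS-Protection: legacy XSS filter (deprecated; CSP replaces it).
    # Recommended value is 0 (filter off) and rely on CSP instead.
    add_header X-XSS-Protection "0" always;

    # Referrer-Policy: controls what Referer information is sent
    #   no-referrer:                     send nothing
    #   no-referrer-when-downgrade:      send nothing on HTTPS->HTTP
    #   origin:                          send the origin only
    #   origin-when-cross-origin:        origin only on cross-origin requests
    #   same-origin:                     full URL for same-origin only
    #   strict-origin:                   origin only, nothing on downgrade
    #   strict-origin-when-cross-origin: recommended value
    #   unsafe-url:                      always send the full URL (unsafe)
    # Lolly equivalent: referrer_policy: "strict-origin-when-cross-origin"
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Content-Security-Policy: mitigates XSS and data-injection attacks.
    # Lolly equivalent: content_security_policy
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow
    # exactly the inline/eval'd script that CSP exists to block, so this
    # policy provides little XSS protection as written. For production,
    # replace them with per-response nonces or hashes (see the notes on
    # nonce-xxx at the end of this file).
    # The value must stay on one line: a header value cannot contain a newline.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always;

    # Permissions-Policy (formerly Feature-Policy): controls which browser
    # features the document and its frames may use. "=()" disables a feature.
    # Lolly equivalent: permissions_policy
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;

    # Cross-origin isolation headers.
    # require-corp blocks any cross-origin subresource that does not opt in
    # via CORP or CORS headers, so verify third-party assets still load.
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # HSTS (HTTP Strict Transport Security).
    # "preload" is only meaningful if the domain is submitted to the browser
    # preload list, and inclusion is hard to reverse; include it deliberately.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /var/www/html;
    }

    # API endpoints - a stricter, API-specific CSP (no document rendering,
    # so nothing but frame-ancestors needs to be permitted).
    location /api {
        # Declaring add_header here discards the inherited server-level
        # headers, so the shared set is repeated next to the API CSP.
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "0" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
        add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;
        add_header Cross-Origin-Embedder-Policy "require-corp" always;
        add_header Cross-Origin-Opener-Policy "same-origin" always;
        add_header Cross-Origin-Resource-Policy "same-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        proxy_pass http://backend:8080;
    }
}

# Security header notes:
#
# 1. X-Frame-Options:
#    - DENY: forbid embedding entirely (iframe, frame, ...)
#    - SAMEORIGIN: allow embedding by same-origin pages only
#    - Prefer DENY, or CSP frame-ancestors
#
# 2. X-Content-Type-Options:
#    - nosniff: stop the browser guessing the MIME type
#    - prevents non-executable files being interpreted as script
#
# 3. Content-Security-Policy:
#    - default-src: fallback source for all resource types
#    - script-src: JavaScript sources
#    - style-src: CSS sources
#    - img-src: image sources
#    - connect-src: AJAX/WebSocket sources
#    - frame-ancestors: who may embed this page (replaces X-Frame-Options)
#    - 'self': same origin
#    - 'unsafe-inline': allow inline script/style
#    - 'unsafe-eval': allow eval (unsafe)
#    - nonce-xxx: authorise individual inline scripts with a per-response nonce
#
# 4. Referrer-Policy:
#    - controls the Referer header sent with requests
#    - prevents leaking sensitive URLs
#    - strict-origin-when-cross-origin is the recommended value
#
# 5. Permissions-Policy:
#    - controls access to browser features
#    - e.g. camera, microphone, geolocation
#    - =() disables the feature completely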