
1. 点击劫持保护
# Stop other origins from embedding this page in a frame (legacy header, still useful for old browsers);
# 'always' sends it on error responses too, not only on 2xx/3xx.
add_header X-Frame-Options "SAMEORIGIN" always;
# Modern replacement: CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
# NOTE(review): browsers enforce EVERY Content-Security-Policy header a response carries, so this
# frame-ancestors 'self' is intersected with any other CSP header added in the same context (a policy that
# says frame-ancestors 'none' wins). Prefer folding frame-ancestors into the single main CSP header.
add_header Content-Security-Policy "frame-ancestors 'self';" always;
2. MIME类型嗅探保护
# Stop the browser from content-sniffing a response into a different type than Content-Type declares
# (e.g. a text upload being executed as script); 'always' applies it to error responses as well.
add_header X-Content-Type-Options "nosniff" always;
3. XSS保护
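# X-XSS-Protection: the browser-side XSS auditor this header controlled has been removed from Chromium
# and Edge and was never implemented in Firefox; while it existed, "1; mode=block" was itself abused as a
# cross-site leak side channel. The current recommendation (OWASP Secure Headers) is therefore to disable
# it explicitly with "0" and rely on Content-Security-Policy for XSS mitigation.
add_header X-XSS-Protection "0" always;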
4. HSTS (HTTP严格传输安全)
# Force HTTPS: browsers remember for max-age seconds (31536000 = one year) that this host - and, with
# includeSubDomains, every subdomain - is HTTPS-only, and rewrite http:// navigations before they leave
# the browser. The header is only honored when received over a valid HTTPS connection.
# NOTE(review): 'preload' requests inclusion in the browsers' built-in HSTS list; that is effectively
# irreversible and commits every subdomain to HTTPS, so only send it once that is known to hold.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
5. 引用策略
# Control what the Referer header leaks: same-origin requests get the full URL, cross-origin requests
# only the origin, and nothing is sent on an HTTPS -> HTTP downgrade.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Other possible values (stricter, in decreasing order of information sent):
# add_header Referrer-Policy "no-referrer" always;
# add_header Referrer-Policy "same-origin" always;
# add_header Referrer-Policy "strict-origin" always;
6. 权限策略
# Control browser feature access: an empty allowlist "()" disables the feature for every origin,
# including this page itself, so scripts (first- or third-party) cannot prompt for it.
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# Fuller example; (self) allows the feature only for same-origin documents/frames:
# add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), fullscreen=(self), display-capture=()" always;
7. 跨源策略
# Resource loading policy: other origins may not embed this host's responses via no-cors loads
# (<img>, <script>, etc.); requests made with CORS are unaffected.
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Window-opener policy: documents opened from here with window.open (and those that opened us) lose the
# cross-origin opener reference, cutting off cross-origin access to this browsing context.
add_header Cross-Origin-Opener-Policy "same-origin" always;
# Embedder policy: together with COOP same-origin this enables cross-origin isolation.
# NOTE(review): require-corp makes the browser refuse every cross-origin subresource that neither carries
# a permissive CORP header nor is loaded with CORS - including the cdn.jsdelivr.net / fonts.gstatic.com
# sources allowed in the CSP below. Verify those endpoints before enabling, or start with "credentialless".
add_header Cross-Origin-Embedder-Policy "require-corp" always;
8. 内容安全策略 (CSP) 详细配置
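# Strict CSP. Send exactly ONE Content-Security-Policy header per response: browsers enforce all of them,
# so adding a second, looser policy never relaxes this one - the effective policy is the intersection.
# The value is kept on a single line: an nginx quoted string may span lines, but a header value containing
# raw line breaks is not valid HTTP and is liable to be rejected or truncated by clients and proxies.
# NOTE(review): 'unsafe-inline' in script-src lets any injected inline <script> run, which removes most of
# the XSS protection this policy is meant to provide; replace it with per-response nonces or hashes once
# the application can be changed. frame-ancestors 'none' here also combines with any separate
# frame-ancestors 'self' header into "no framing at all", since both are enforced.
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;" always;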
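# Looser CSP for existing sites that still depend on inline scripts, eval and many third-party hosts.
# Kept commented out: it is an ALTERNATIVE to the strict policy above, not an addition - nginx would send
# both headers and browsers enforce every CSP header, so the strict policy would still apply. Enable
# exactly one of the two, and keep the value on a single line (raw line breaks are not valid in a header).
# NOTE(review): with 'unsafe-inline', 'unsafe-eval' and a blanket https: source this policy stops almost
# no script injection; it also lacks base-uri, form-action and frame-ancestors - add those first if
# this variant is used.
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-src 'self' https:; media-src 'self' https:; object-src 'none';" always;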
9. 针对文件类型的特定配置
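# Static asset security headers.
# nginx inheritance pitfall: as soon as a location has its own add_header, NONE of the add_header lines
# from the enclosing server/http level are inherited, so this block must repeat every header it still
# wants. Headers not repeated here (X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP, CSP)
# are absent from these responses.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
    expires 1y;
    # Deliberately without 'always': expires does not apply to error responses, and a 404 must not be
    # marked public/immutable.
    add_header Cache-Control "public, immutable";
    # 'always' keeps the security headers on error responses (e.g. 404), not just 2xx/3xx.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    # Re-declared because inheritance is lost (see above); keep in sync with the global HSTS line.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # NOTE(review): .svg is matched here and is served as a navigable document without the site CSP; if
    # SVGs can be user-supplied, serve them with Content-Disposition "attachment" or a CSP of their own,
    # since script inside an SVG opened directly runs in this origin.
}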
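# PDF and office documents.
# As with the static block, an add_header inside a location drops every inherited add_header, so headers
# that should still apply here have to be repeated; 'always' keeps them on error responses too.
location ~* \.(pdf|doc|docx|xls|xlsx|ppt|pptx)$ {
    add_header X-Content-Type-Options "nosniff" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    # Force a download instead of inline rendering, so the document is never treated as a page on this origin.
    add_header Content-Disposition "attachment" always;
    # Re-declared because inheritance is lost; keep in sync with the global HSTS line.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}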
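# API endpoint security headers.
# Same inheritance caveat: this location's own add_header lines replace, not extend, the global set, so
# anything still wanted here is repeated; 'always' keeps the headers on 4xx/5xx responses as well.
location /api/ {
    add_header X-Content-Type-Options "nosniff" always;
    # DENY rather than SAMEORIGIN: API responses never need to be framed.
    add_header X-Frame-Options "DENY" always;
    # Minimal CSP for non-document responses; frame-ancestors 'none' is the CSP equivalent of DENY above.
    add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none';" always;
    # Re-declared because inheritance is lost; keep in sync with the global HSTS line.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # NOTE(review): if responses carry per-user data, consider adding
    # add_header Cache-Control "no-store" always; so shared caches never retain them.
}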