php.ini 中修改
expose_php off // php彩蛋信息泄露 session.cookie_httponly=true // cookie没有设置httponly属性
PHP 配置
header("X-Frame-Options:SAMEORIGIN;"); // X-Frame-Options 响应头缺失 header("Referer-Policy:origin;");//Referer-Policy 响应头缺失 header("Content-Security-Policy:frame-ancestors 'self';");//Content-Security-Policy 响应头缺失 header("X-Permitted-Cross-Domain-Policies:'master-only';");//X-Permitted-Cross-Domain-Policies 响应头缺失 header("X-XSS-Protection:1; mode=block;");//X-XSS-Protection 响应头缺失 header("X-Download-Options: SAMEORIGIN;");//X-Download-Options 响应头缺失 header("X-Content-Type-Options:nosniff;");//X-Content-Type-Options 响应头缺失 header("Strict-Transport-Security:max-age=31536000;");//Strict-Transport-Security 响应头缺失
Nginx 配置
add_header X-Frame-Options SAMEORIGIN; add_header Referer-Policy origin; add_header Content-Security-Policy "frame-ancestors 'self'"; add_header X-Permitted-Cross-Domain-Policies "master-only"; add_header X-XSS-Protection "1; mode=block;"; add_header X-Download-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header Strict-Transport-Security max-age=31536000;
httpd.conf
添加
LoadModule headers_module modules/mod_headers.so Header always append X-Frame-Options SAMEORIGIN Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
禁止目录访问
blog.itpub.net/69926532/vi…
Options None
