Nginx漏洞修复记录漏洞类型检测到错误页面web应用服务器版本信息泄露检测到目标Content-Security-

漏洞类型

检测到错误页面web应用服务器版本信息泄露
```
server_tokens off;
```

检测到目标Content-Security-Policy响应头缺失

add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always;

检测到目标X-Content-Type-Options响应头缺失
```
add_header X-Content-Type-Options nosniff;
```

检测到目标X-XSS-Protection响应头缺失

add_header X-XSS-Protection "1;mode=block";

点击劫持:X-Frame-0ptions未配置
```
add_header X-Frame-Options DENY;
```

检测到目标Strict-Transport-Security响应头缺失

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

检测到目标Referrer-Policy响应头缺失
```
add_header Referrer-Policy "no-referrer";
```
检测到目标X-Permitted-Cross-Domain-Policies响应头缺失
```
add_header X-Permitted-Cross-Domain-Policies 'none';
```
检测到目标X-Download-0ptions响应头缺失
```
add_header X-Download-Options "noopen";
```

修复配置

以上漏洞修复都在nginx.conf文件中增加配置

http {
    include       mime.types;
    default_type  application/octet-stream;

    server_tokens off;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1;mode=block";
    add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Referrer-Policy "no-referrer";
    add_header X-Permitted-Cross-Domain-Policies 'none';
    add_header X-Download-Options "noopen";
    add_header X-Frame-Options DENY;
...
...
...