Nginx与安全相关的几个配置

server_tokens off;1.

ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384; ssl_prefer_server_ciphers off;1.2.3.

add_header X-Frame-Options "SAMEORIGIN";1.

add_header X-XSS-Protection "1; mode=block";1.

add_header X-Content-Type-Options "nosniff";1.

client_max_body_size 10M; client_body_timeout 12s;1.2.

add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Expires "0";1.2.

add_header Set-Cookie "cookie_name=value; Path=/; Secure; HttpOnly";1.

if ($request_method = OPTIONS) { add_header Access-Control-Allow-Origin https://your-allowed-domain.com; add_header Access-Control-Allow-Methods GET, POST, OPTIONS; add_header Access-Control-Allow-Headers DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range; add_header Access-Control-Max-Age 1728000; add_header Content-Type text/plain; charset=utf-8; add_header Content-Length 0; return 204; } if ($request_method = POST) { add_header Access-Control-Allow-Origin https://your-allowed-domain.com always; add_header Access-Control-Allow-Methods GET, POST, OPTIONS always; add_header Access-Control-Allow-Headers DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range always; add_header Access-Control-Expose-Headers Content-Length,Content-Range always; } if ($request_method = GET) { add_header Access-Control-Allow-Origin https://your-allowed-domain.com always; add_header Access-Control-Allow-Methods GET, POST, OPTIONS always; add_header Access-Control-Allow-Headers DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range always; add_header Access-Control-Expose-Headers Content-Length,Content-Range always; }1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.