漏洞扫描结果中安全漏洞的修复方法
本帖最后由 user 于 2024-3-21 11:54 编辑未设置X-Content-Type-Options响应头解决方法:在nginx.conf配置文件中添加如下配置:
# 相关安全漏洞响应头
# 检测到目标 X-Content-Type-Options响应头缺失 这个暂时不开启,不然部分banner无法使用
#add_header X-Content-Type-Options "nosniff";
# 检测到目标 Content-Security-Policy响应头缺失这个暂时不开启,不然会导致Cesium无法使用
#add_header Content-Security-Policy "default-src 'self' http: https://* data: blob: 'unsafe-eval' 'unsafe-inline';child-src 'none' " always;
# 检测到目标 X-XSS-Protection响应头缺失
add_header X-XSS-Protection "1; mode=block";
# 检测到目标 Referrer-Policy响应头缺失
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# 检测到目标 X-Permitted-Cross-Domain-Policies响应头缺失
add_header X-Permitted-Cross-Domain-Policies none;
# 检测到目标 X-Download-Options响应头缺失
add_header X-Download-Options noopen;
# 检测到目标 Strict-Transport-Security响应头缺失
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#点击劫持:X-Frame-Options未配置
add_header X-Frame-Options SAMEORIGIN;
#检测到目标 X-Content-Type-Options响应头缺失开启后部分banner无法使用不影像我们系统使用 可开启
add_header X-Content-Type-Options "nosniff";
配置后重新nginx即可。如果配置后出现如下问题Cesium无法使用,nginx不配置Content-Security-Policy即可,不影响漏扫,上面配置是已注释掉Content-Security-Policy的,可直接复制使用。
本帖最后由 user 于 2024-3-21 12:00 编辑
完整nginx.conf文件内容:
#usernobody;
worker_processes1;
#error_loglogs/error.log;
#error_loglogs/error.lognotice;
#error_loglogs/error.loginfo;
#pid logs/nginx.pid;
events {
worker_connections1024;
}
http {
include mime.types;
default_typeapplication/octet-stream;
server {
listen 8080ssl;
server_namewww.aaa.cn;
client_max_body_size 300m; #主要是这个参数,限制了上传文件大大小
ssl_certificate www.aaa.cn_bundle.pem;
ssl_certificate_key www.aaa.cn.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#只允许TLS协议
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
#加密套件,这里用了CloudFlares Internet facing SSL cipher configuration
ssl_prefer_server_ciphers on;
#由服务器协商最佳的加密算法
# 相关安全漏洞响应头
# 检测到目标 X-XSS-Protection响应头缺失
add_header X-XSS-Protection "1; mode=block";
# 检测到目标 Referrer-Policy响应头缺失
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# 检测到目标 X-Permitted-Cross-Domain-Policies响应头缺失
add_header X-Permitted-Cross-Domain-Policies none;
# 检测到目标 X-Download-Options响应头缺失
add_header X-Download-Options noopen;
# 检测到目标 Strict-Transport-Security响应头缺失
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#点击劫持:X-Frame-Options未配置
add_header X-Frame-Options SAMEORIGIN;
location /ak_hwrl {
proxy_pass http://192.168.100.10:8012;
}
location /sys-api {
proxy_pass http://192.168.100.10:9999;
}
location /manage-api {
proxy_pass http://192.168.100.10:9999;
}
location /hangjingsoft {
proxy_pass http://192.168.100.10:8012;
}
location /excel {
proxy_pass http://192.168.100.10:8012;
}
location /ryjl {
proxy_pass http://192.168.100.10:8012;
}
location /ueditor {
proxy_pass http://192.168.100.10:8012;
}
location / {
root html;
indexindex.html index.htm;
}
}
}
页:
[1]