diff --git a/ncac/package/80-ssl.conf b/ncac/package/80-ssl.conf
new file mode 100644
index 0000000..3987f3a
--- /dev/null
+++ b/ncac/package/80-ssl.conf
@@ -0,0 +1,6 @@
+server {
+    listen       80;
+    server_name  cacserver;
+
+    rewrite ^/(.*)$ https://$host/$1 permanent;
+}
diff --git a/ncac/package/cac-ssl.conf b/ncac/package/cac-ssl.conf
index a3f07dd..d20a4d8 100644
--- a/ncac/package/cac-ssl.conf
+++ b/ncac/package/cac-ssl.conf
@@ -1,6 +1,19 @@
 server {
     listen       443 ssl;
     server_name  cacserver;
+    # 安全头配置
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Content-Security-Policy
+        "default-src 'self';
+         connect-src 'self' data:;
+         script-src 'self' 'unsafe-inline' 'unsafe-eval';
+         worker-src 'self' blob:;
+         img-src 'self' data:;
+         style-src 'self' 'unsafe-inline';
+         font-src 'self';
+         frame-ancestors 'none';" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     ssl_certificate     /home/xydl/cert/ca.cert;