perf: 更新ssl对应的安全头配置

2 months ago · 1fd4d6b542
parent 838144e66a
commit 1fd4d6b542
2 changed files with 19 additions and 0 deletions
--- a/ncac/package/80-ssl.conf
+++ b/ncac/package/80-ssl.conf
@ -0,0 +1,6 @@
+server {
+    listen       80;
+    server_name  cacserver;
+
+    rewrite ^/(.*)$ https://$host/$1 permanent;
+}
--- a/ncac/package/cac-ssl.conf
+++ b/ncac/package/cac-ssl.conf
@ -1,6 +1,19 @@
 server {
    listen       443 ssl;
    server_name  cacserver;
+    # 安全头配置
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Content-Security-Policy
+        "default-src 'self';
+         connect-src 'self' data:;
+         script-src 'self' 'unsafe-inline' 'unsafe-eval';
+         worker-src 'self' blob:;
+         img-src 'self' data:;
+         style-src 'self' 'unsafe-inline';
+         font-src 'self';
+         frame-ancestors 'none';" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    ssl_certificate     /home/xydl/cert/ca.cert;