server {
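listen 8080;
server_name localhost;

# --- Response-hardening headers -------------------------------------------
# nginx semantics that bite here:
#  * `add_header` set at server level is inherited by a location ONLY if that
#    location sets no `add_header` of its own; one `add_header` inside a
#    location silently drops every header below.
#  * Without `always`, a header is sent only on 2xx/3xx responses, so error
#    pages (4xx/5xx) would go out unprotected. Every header below uses it.
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy XSS auditor: removed from Chromium/Edge and never in Firefox. Harmless
# to keep, but it is no substitute for the Content-Security-Policy below.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# The original used the literal placeholder `value`, which is not a valid
# policy token; "none" forbids Flash/PDF cross-domain policy files entirely.
add_header X-Permitted-Cross-Domain-Policies "none" always;
# strict-origin-when-cross-origin never leaks path/query cross-origin and sends
# no referrer at all on an HTTPS->HTTP downgrade (no-referrer-when-downgrade
# still leaked the full URL to every same-scheme cross-origin target).
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Download-Options "noopen" always;
# ONE Content-Security-Policy. The original sent two: both allowed
# 'unsafe-inline' and 'unsafe-eval' for scripts (one even `default-src *`),
# so neither stopped any XSS -- an injected <script> was fully allowed.
# script-src is now 'self' only; if the proxied app needs inline scripts, use
# nonces ('nonce-...') or hashes, never 'unsafe-inline'/'unsafe-eval'.
# style-src keeps 'unsafe-inline' as a pragmatic concession for inline CSS.
# Roll out via Content-Security-Policy-Report-Only first if the app's assets
# are not all same-origin.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
# HSTS is ignored by browsers on plain-HTTP responses; with `listen 8080` and no
# `ssl`, this header only takes effect if a TLS terminator in front of nginx
# passes it through. `includeSubDomains; preload` commits the WHOLE domain to
# HTTPS for two years (and, once submitted to hstspreload.org, cannot quickly
# be undone) -- leave `preload` off until that is intended.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Cache-Control "no-store" always;
add_header Permissions-Policy "geolocation=(), midi=(), microphone=(), camera=(), fullscreen=(self)" always;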
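location ^~ / {
    # Ten-minute timeouts keep slow backend responses alive but also let a slow
    # or stalled client pin a worker connection for that long; lower them if
    # nginx is reachable from untrusted networks. (nginx caps
    # proxy_connect_timeout at 75s regardless of the value given.)
    proxy_connect_timeout 600s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;

    # Placeholder upstream -- replace with the real host:port (or an
    # `upstream` block). The trailing slash strips the matched prefix.
    proxy_pass http://xxx:xxx/;

    # Forward client identity to the backend.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    # $proxy_add_x_forwarded_for APPENDS to whatever X-Forwarded-For the client
    # sent, so the first entry is attacker-controlled. The backend must trust
    # only the last entry (the one nginx added) unless another trusted proxy
    # sits in front of nginx. Use $remote_addr / X-Real-IP for access control.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Original omitted the scheme; backends need it for correct redirects and
    # Secure-cookie decisions once TLS is terminated in front of nginx.
    proxy_set_header X-Forwarded-Proto $scheme;

    # Do NOT add an `add_header` inside this location: nginx would then stop
    # inheriting the server-level security headers into every proxied response.
}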