2025-04-01 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
Configuring HSTS on Nginx

Have the HTTP response carry the Strict-Transport-Security header to enable HSTS for the site, for example:

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS stands for HTTP Strict Transport Security. Provided the TLS connection completes without errors, a compatible browser activates HSTS for the retention period given by the max-age parameter. Once HSTS is enabled on the site, subsequent visits from those users go directly to port 443, but you still have to make sure that users who arrive on port 80 are redirected to the correct address. HSTS response headers are not allowed in plaintext responses, so the redirect itself has to be configured:

    [root@www conf]# vim nginx.conf
    server {
        listen 80;
        server_name *.test05.com test05.com;
        return 301 https://$host$request_uri;
    }
    ......
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Parameters:

max-age: the unit is seconds; 31536000 = 3600 * 24 * 365, that is, 365 days.
always: send the HSTS header to the client for every response, including error responses. Without it the header is not sent on responses such as 404.
includeSubDomains: HSTS applies to the current host name and all of its subdomains.
preload: optional; it is meant to solve the problem that a user visiting for the first time cannot know the HSTS setting in advance.

Pay attention to how the add_header directive is inherited. If add_header is set in a sub-configuration block, the add_header directives of the enclosing block are no longer inherited there. If you need additional add_header directives in a sub-configuration block, copy the HSTS add_header line into that block as well.

    [root@www conf]# ../sbin/nginx -t
    nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
    nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
    [root@www conf]# ../sbin/nginx -s reload
Using CSP on Nginx

Content Security Policy (CSP) is a declarative security mechanism that lets site operators control the behaviour of CSP-compliant user agents (usually browsers). By controlling which features are enabled and where content may be loaded from, you reduce the site's attack surface. The main purpose of CSP is to defend against cross-site scripting (XSS). For example, CSP can completely disable inline JavaScript and control where external code is loaded from; it can also prohibit dynamic code execution. With all of these sources disabled, XSS attacks become much harder. A website enables the policy it needs by setting the Content-Security-Policy response header.

Directives:

default-src: default policy
script-src: JavaScript
style-src: styles
img-src: images
connect-src: connections
font-src: fonts
object-src: plug-ins
media-src: multimedia
frame-src: frames
sandbox: sandbox

Source values and their meanings:

'*': any source
'none': load nothing from any source
'self': same origin; resources with the same origin as the request may be loaded
data: resources encoded as data URIs, for example a Base64-encoded image
'unsafe-inline': inline code may be executed
'unsafe-eval': dynamic code execution is allowed, for example JavaScript's eval() method
https: the source may be any site served over https
https://xxx.com: the source is the site xxx.com served over https
css.test.com: the source is the site css.test.com
*.test.com: the source is test.com and all of its subdomains

    [root@www ~]# cd /project/nginx1.15.0/conf/
    [root@www conf]# vim nginx.conf
    ......
    add_header Content-Security-Policy "default-src 'self'; img-src *; object-src *; script-src www.test05.com";
    [root@www conf]# ../sbin/nginx -t
    nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
    nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
    [root@www conf]# ../sbin/nginx -s reload

Nginx vulnerabilities caused by misconfiguration

    [root@www ~]# cd /project/nginx1.15.0/conf/
    [root@www conf]# vim nginx.conf
    ......
    # prevent the page from being embedded in a frame, avoiding clickjacking
    add_header X-Frame-Options DENY;
    # forbid the browser from sniffing the resource type itself
    add_header X-Content-Type-Options nosniff;
    # prevent XSS attacks
    add_header X-Xss-Protection 1;

X-Frame-Options has three option values:

DENY: refuse to load the page in a frame.
SAMEORIGIN: pages under the same-origin domain name may load it in a frame.
ALLOW-FROM: allow the specified domain name to load it in a frame.

Clickjacking: an attacker's unsafe page loads a page of your website inside an iframe, and by manipulating that iframe the attacker can induce users to click. So it is best to forbid iframes from loading your page altogether, or to allow only the same origin and individually specified sites to load your pages in a frame.

XSS: cross-site scripting attack. X-Xss-Protection has four option values:

0: disable XSS protection.
1: enable protection (the default in browsers); if cross-site scripting is detected, the browser removes the unsafe part.
1; mode=block: if an attack is detected, the browser blocks rendering of the page.
1; report=<reporting-uri>: if cross-site scripting is detected, the browser cleans up the page and reports the violation. This uses the CSP report-uri function to send reports, and only Chrome supports sending them.

nosniff forbids sniffing: the server instructs the client to parse according to the MIME type given in the Content-Type header and not to alter it. Disabling MIME-type sniffing on the client side prevents malicious code injection. When you turn on X-Content-Type-Options, make sure that everything served carries the correct Content-Type; without it, content may fail to load or run, because the browser would otherwise have detected the type automatically.
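An added example, not from the article: a small Python auditor that checks a captured response-header block for the headers discussed above (HSTS max-age and includeSubDomains, risky CSP sources for script-src and object-src with fallback to default-src, X-Frame-Options and X-Content-Type-Options). Both header blocks are constructed for the example.

```python
import re

# Constructed response header blocks for two hypothetical servers (not captured from any real site).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; img-src *; object-src 'none'; script-src www.test05.com
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src *; object-src *
X-Frame-Options: ALLOWALL
"""
ONE_YEAR = 31536000                                   # the max-age the article configures
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}

def parse_headers(raw):
    # Header names are case-insensitive, so key the dict by lower-cased name.
    pairs = (line.split(":", 1) for line in raw.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def parse_csp(value):
    # "default-src a b; img-src *" -> {"default-src": ["a", "b"], "img-src": ["*"]}
    parts = (part.split() for part in value.split(";"))
    return {tokens[0].lower(): tokens[1:] for tokens in parts if tokens}

def audit(raw):
    """Return a list of findings; an empty list means the response passes every check."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings.append("CSP header missing")
    for directive in ("script-src", "object-src"):
        # An absent directive falls back to default-src, exactly as the browser resolves it.
        sources = policy.get(directive, policy.get("default-src", []))
        bad = RISKY_SOURCES & {s.lower() for s in sources}
        if bad:
            findings.append(f"CSP {directive} allows {', '.join(sorted(bad))}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings
```

Run audit() on the header block copied from a curl -I of the HTTPS site; the article's own CSP would be flagged for object-src *, since plug-in content may then load from anywhere.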
Some browsers, such as IE9 and IE11, do not load content at all when they cannot obtain the type.

Directory traversal caused by nginx configuration

Make sure that the location path and the alias path both end with /, or that neither does. Correct configuration:

    location /download/ {
        autoindex on;
        alias /project/nginx1.15.0/files/;
    }

Configuration with a security risk:

    location /download {
        autoindex on;
        alias /project/nginx1.15.0/files/;
    }

Because nginx substitutes the alias for the matched prefix, a location prefix without a trailing slash also matches request paths that merely start with /download, and the remainder of the path, including any .. segments, is appended to the alias directory, so files outside /project/nginx1.15.0/files/ can be reached.
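The two configuration pitfalls above (the alias trailing-slash mismatch and the lost add_header inheritance) can be caught before a reload. This Python linter is an added example, not the article's code: it tokenizes an nginx.conf fragment with a minimal parser (quoted strings, comments and blocks; no include handling) and reports both problems. The configuration fragment is constructed for the example.

```python
import re

SAMPLE_CONF = """
# constructed fragment for this example, not the article's nginx.conf
http {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    server {
        location /download {                     # no trailing slash ...
            autoindex on;
            alias /project/nginx1.15.0/files/;   # ... but the alias has one
        }
        location /api/ {
            add_header X-Frame-Options DENY;     # redefines add_header, so HSTS is no longer inherited
            alias /project/nginx1.15.0/api/;     # both end in '/': fine
        }
    }
}
"""

def tokenize(text):  # strip comments, then split into words, quoted strings and the { } ; punctuation
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#.*", "", text))

def parse(tokens):  # build a tree of (name, args, children); children is None for a simple directive
    stack, cur = [[]], []
    for tok in tokens:
        if tok == ";":
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        elif tok == "{":
            stack[-1].append((cur[0], cur[1:], [])); stack.append(stack[-1][-1][2]); cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok.strip("\"'"))
    return stack[0]

def lint(directives, hsts_inherited=False, where="", findings=None):
    findings = [] if findings is None else findings
    adds = [args for name, args, _ in directives if name == "add_header"]
    has_hsts = any(a and a[0].lower() == "strict-transport-security" for a in adds)
    if hsts_inherited and adds and not has_hsts:
        findings.append(f"{where}: add_header redefined without Strict-Transport-Security (inherited HSTS lost)")
    for name, args, children in directives:
        # Prefix locations only (one argument); regex locations are matched differently and are skipped.
        if name == "location" and children is not None and len(args) == 1:
            alias = next((a[0] for n, a, _ in children if n == "alias" and a), None)
            if alias and args[0].endswith("/") != alias.endswith("/"):
                findings.append(f"{args[0]}: trailing slash differs from alias {alias} (directory traversal risk)")
        if children is not None:
            lint(children, hsts_inherited or has_hsts, args[0] if name == "location" else name, findings)
    return findings
```

Call lint(parse(tokenize(open("nginx.conf").read()))) on a real file; an empty list means neither pitfall was found.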
© 2024 shulou.com SLNews company. All rights reserved.