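# Cookie hardening.
# The original line, `add_header Set-Cookie "Path=/; HttpOnly; Secure; SameSite=Strict";`,
# does not add attributes to the application's cookies: it emits a separate,
# name-less Set-Cookie that browsers store as a cookie named "Path" with value "/",
# while the real session cookie stays unflagged. add_header cannot edit attributes of
# upstream cookies; for a proxy_pass upstream use proxy_cookie_flags (nginx >= 1.19.3).
# `~` applies to every cookie; name a specific cookie instead
# (e.g. `proxy_cookie_flags sessionid httponly secure samesite=strict;`) if some
# cookies must remain readable by JavaScript or be sent cross-site.
# NOTE(review): assumes responses come from proxy_pass — confirm. For fastcgi/uwsgi
# backends there is no equivalent directive; set the flags in the application.
proxy_cookie_flags ~ httponly secure samesite=strict;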
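location / {
    # Referer allow-list. The original `if ($http_referer !~* ^https://...)` returned
    # 403 whenever the Referer was absent, which is the case for every direct visit
    # (typed URL, bookmark, Referrer-Policy: no-referrer), so the whole site was
    # unreachable except by following a link from itself. valid_referers is the
    # idiomatic nginx form: `none` admits requests with no Referer, `blocked` those
    # whose Referer was stripped to a non-URL by a proxy or extension, and
    # server_names plus the explicit hosts admit same-site referers.
    # This is defence in depth only: Referer is client-controlled outside browsers
    # and a page can suppress it, so it must not be the sole CSRF control. If strict
    # semantics are wanted, drop `none` and apply the check to state-changing
    # endpoints rather than to `location /`.
    valid_referers none blocked server_names yourdomain.com www.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
    # other configuration...
}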
CSRF 令牌的生成通常在应用层实现，但 Nginx 可以协助验证（双重提交 Cookie 模式：请求头中的令牌必须与 Cookie 中的副本一致）：
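location /api/ {
    # Double-submit-cookie CSRF check: a state-changing request must carry an
    # X-CSRF-Token header equal to the csrf_token cookie. The application issues
    # the token; nginx only compares the two copies.
    #
    # nginx does not allow a nested `if`, so the original (an `if` inside an `if`)
    # is rejected at config load. Each condition below is a separate flat `if`
    # that sets or clears a flag; order matters.
    # The original also treated "" = "" as a match, so a request carrying neither
    # header nor cookie passed the check; the explicit empty-header test closes that.
    set $csrf_check "fail";
    if ($http_x_csrf_token = $cookie_csrf_token) {
        set $csrf_check "pass";
    }
    if ($http_x_csrf_token = "") {
        set $csrf_check "fail";
    }
    # Safe methods are exempt; OPTIONS is exempted for CORS preflight. PUT, PATCH
    # and DELETE are now checked as well (the original checked only POST).
    if ($request_method ~ ^(GET|HEAD|OPTIONS)$) {
        set $csrf_check "pass";
    }
    if ($csrf_check = "fail") {
        return 403;
    }
    # The comparison is not constant-time; that is acceptable here because both
    # values are client-supplied copies, not a server secret. The pattern still
    # assumes the attacker cannot set cookies for this host (sibling subdomains,
    # cookie tossing) — bind the token to the session in the application where possible.
}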
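# Browser hardening headers. `always` makes nginx emit them on error responses
# (4xx/5xx) too; without it they are attached only to 2xx/3xx, so an error page
# could still be framed or content-sniffed.
# NOTE: add_header is not inherited additively — any add_header inside a
# `location` (or `if` in location) replaces *all* headers set at this level, so
# repeat or `include` this set in every location that adds its own header.
#
# X-XSS-Protection: the legacy auditor is removed from Chromium and Edge and its
# "1; mode=block" mode enabled a cross-site leak side channel; current guidance is
# to disable it explicitly and rely on CSP.
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# CSP. 'unsafe-inline' and 'unsafe-eval' in script-src leave script injection
# essentially unrestricted; they are kept only because the page does not show the
# application's script layout. TODO(review): move inline scripts to nonces or hashes
# and drop both keywords. Added: object-src 'none' (plugins), base-uri 'self'
# (<base> hijack of relative URLs), frame-ancestors 'self' (the CSP equivalent of
# X-Frame-Options above; supersedes it in modern browsers).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://trusted.cdn.com; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;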
注入防护主要应在应用层实现（参数化查询、输出编码），Nginx 只能做粗粒度的辅助过滤，且容易被绕过：
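location / {
    # Coarse query-string filtering. $args (identical to $query_string) is the raw,
    # un-decoded query string, so the patterns include the %-encoded forms of `<`
    # and `>`; they still miss double encoding (%253C), event-handler XSS without a
    # <script> tag, SQL comment/whitespace tricks (union/**/select) and anything in
    # a POST body. Treat this as noise reduction for logs, not as injection
    # protection; the application must use parameterized queries and output encoding.
    if ($args ~* "(<|%3C).*script.*(>|%3E)") {
        return 403;
    }
    # Same variable as the original's $query_string; using one name makes clear
    # that a single input is inspected.
    if ($args ~* "union.*select.*\(") {
        return 403;
    }
}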
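location / {
    # Only GET, HEAD and POST are served; every other method (PUT, DELETE, TRACE,
    # OPTIONS, ...) gets 405. RFC 7231 §6.5.5 requires an Allow header on a 405,
    # which `return 405` alone does not emit. `limit_except GET POST { deny all; }`
    # is the idiomatic alternative but answers 403 rather than 405.
    # NOTE: this add_header suppresses add_header directives inherited from the
    # server block for responses produced here; repeat them if they matter on 405.
    # CORS preflight (OPTIONS) is rejected too — add it to the list if the app needs it.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        add_header Allow "GET, HEAD, POST" always;
        return 405;
    }
}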
server_tokens off; # hide the nginx version in the Server header and error pages (the "nginx" product name is still sent; removing it needs a third-party module)
# Request size limits. These bound per-connection memory and reject oversized
# requests (413 for bodies over client_max_body_size, 494/400 for headers over
# large_client_header_buffers); they are a resource-exhaustion control, not a
# defence against memory-safety bugs as the original comment suggested.
client_body_buffer_size 16k;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 4 8k;
# TLS settings. Only TLS 1.2 and 1.3; the cipher list is AEAD-only with forward
# secrecy (ECDHE) and no CBC or RSA key exchange.
ssl_protocols TLSv1.2 TLSv1.3;
# With an all-AEAD list, server preference mainly decides AES-GCM vs ChaCha20;
# `off` would let clients without AES hardware pick ChaCha20 — either is acceptable.
ssl_prefer_server_ciphers on;
# NOTE: ssl_ciphers governs TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL
# (override via ssl_conf_command Ciphersuites if needed).
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# Server-side session cache instead of tickets: nginx does not rotate the ticket
# key, so leaving tickets on would let a stolen key decrypt past sessions.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Duplicate of the X-Frame-Options directive in the header block above; this one
# carries `always`, which is the correct form (emitted on error responses too).
# Keep a single definition per context: nginx sends both if they are in the same
# block, and an add_header in a child location replaces all inherited ones.
add_header X-Frame-Options "SAMEORIGIN" always;
使用 allow/deny 指令限制敏感路径（如 /admin、/.git、/backup）的访问。这些配置可以显著提高 Nginx 服务器的安全性，但安全是一个持续的过程，需要定期审查和更新防护措施。