Channel: CodeSection, Code Area, Network Security - CodeSec

Optimizing a blog's HTTPS security to A+


Xiaocen's blog originally scored A+ on the SSL Labs test, but Mozilla's security test gave it a D, so I did some tuning and got an A+. Security is a double-edged sword, though; whether this suits your own site is something readers need to weigh for themselves.

SSL tests

https://securityheaders.io/

https://mozilla.github.io/http-observatory-website/ This test is stricter.

The optimization mainly covers the following items and consists only of nginx configuration; add them to your server block.

1.Strict-Transport-Security

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

2.X-Frame-Options

add_header X-Frame-Options SAMEORIGIN;

3.X-Content-Type-Options

add_header X-Content-Type-Options nosniff;

4.X-XSS-Protection

add_header X-XSS-Protection "1; mode=block";

5.Content-Security-Policy

This is the resource policy; add the addresses of your own external resources.

add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";

6.Public-Key-Pins

This requires computing your own pin-sha256 pins with the openssl tool; the calculation method is given below.

add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';

Calculation method

RSA key

$ openssl rsa -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

ECDSA (e.g. COMODO ECC)

$ openssl ec -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Fill in the values generated above; the template is as follows.

add_header Public-Key-Pins 'pin-sha256="ABCD"; pin-sha256="EFGI"; max-age=2592000';

The following is the configuration section from Xiaocen's security optimization this time.

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";

add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';
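As an added example, not code from the post: a Python check over the add_header lines above that parses them with nginx's quoting rules, recomputes a pin the way the openssl pipeline above does from a PEM public key, and validates the Public-Key-Pins value (backup pin present, each pin a 32-byte digest, max-age set). It also flags a pin equal to the SHA-256 of empty input, which is exactly what the pipeline emits when the first openssl command fails and `openssl dgst` hashes nothing; all function names are mine.

```python
import base64, hashlib, re, shlex

# Constructed input: the add_header lines from the post, pasted verbatim.
NGINX_SERVER_BLOCK = """
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';
"""

def spki_pin(public_key_pem: str) -> str:
    """base64(SHA-256(DER SPKI)), what the openssl pipeline computes; the body of a
    '-----BEGIN PUBLIC KEY-----' block decodes straight to the DER SubjectPublicKeyInfo."""
    body = "".join(ln for ln in public_key_pem.splitlines() if not ln.startswith("-----"))
    return base64.b64encode(hashlib.sha256(base64.b64decode(body)).digest()).decode()

# Pin produced when the first openssl command fails and `openssl dgst` hashes nothing.
EMPTY_INPUT_PIN = spki_pin("-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----")

def parse_add_headers(conf: str) -> dict:
    """Map header name -> value from add_header directives; shlex unquotes like nginx."""
    headers = {}
    for line in conf.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("add_header "):
            parts = shlex.split(line)  # ['add_header', name, value, optional 'always']
            headers[parts[1]] = parts[2]
    return headers

def check_hpkp(value: str) -> list:
    """Findings for a Public-Key-Pins value: backup pin, pin format, empty-input pin, max-age."""
    findings = []
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    if len(pins) < 2:
        findings.append("a backup pin is required (at least two pin-sha256 values)")
    for pin in pins:
        if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", pin):  # 32 bytes -> 43 chars + '='
            findings.append(f"{pin!r} is not a base64-encoded SHA-256 digest")
        elif pin == EMPTY_INPUT_PIN:
            findings.append(f"{pin} is SHA-256 of empty input; recompute it from the real key")
    if not re.search(r"max-age=\d+", value):
        findings.append("max-age is required")
    return findings

def audit_hpkp(conf: str) -> list:
    """Parse the nginx snippet and check its Public-Key-Pins header."""
    value = parse_add_headers(conf).get("Public-Key-Pins")
    return check_hpkp(value) if value else ["no Public-Key-Pins header found"]
```

Run against the post's own header, the check reports the first pin as the empty-input digest. Current browsers no longer enforce Public-Key-Pins, so this header no longer affects most visitors either way.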

