Xiaocen's blog originally scored A+ on the SSL Labs test but only a D on Mozilla's security test, so I tuned a few things and brought it up to an A+. Security is a double-edged sword, though: whether this suits your own site is something you will have to weigh for yourself.
SSL tests
https://securityheaders.io/
https://mozilla.github.io/http-observatory-website/ (this one is the stricter test)
The optimization consists mainly of the items below. They are nginx configuration only; add them inside your server block.
1.Strict-Transport-Security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
2.X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
3.X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
4.X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
5.Content-Security-Policy
This header is the resource policy: add the origins of any resources your site loads from elsewhere.
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";
6.Public-Key-Pins
This one needs the pin-sha256 value of your own key, computed with the openssl tools; the method is given below.
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';
How to compute the pin
RSA key
$ openssl rsa -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
ECDSA key (for example COMODO ECC)
$ openssl ec -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
Fill the values generated above into the following template
add_header Public-Key-Pins 'pin-sha256="ABCD"; pin-sha256="EFGI"; max-age=2592000';
Below is the configuration section from this round of hardening on Xiaocen's blog
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';
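As an added example (not the blog's own tooling), the script below parses the six add_header lines above and runs the kind of checks securityheaders.io and the Observatory apply, so a config can be audited before deployment; it also catches a pinning mistake that is easy to make with the openssl pipeline shown earlier: when openssl reads no key bytes (for example a wrong -in path), the pin that comes out is base64(SHA-256("")), and the first pin in the config above is exactly that value. The six-month HSTS floor and the message texts are this script's own assumptions, not the test sites' official rules.

```python
import base64
import hashlib
import re

# Constructed input: this post's six add_header lines, embedded so the checker runs offline.
NGINX_SNIPPET = r'''
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com;img-src data: https: https://duoshuo.com ";
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';
'''
ADD_HEADER_RE = re.compile(r"^\s*add_header\s+(\S+)\s+(.+?);\s*$", re.M)
# base64(SHA-256("")): what the openssl pipeline prints when it reads NO key bytes.
EMPTY_INPUT_PIN = base64.b64encode(hashlib.sha256(b"").digest()).decode()

def unquote(v):
    """Drop the outer single/double quotes nginx allows around a header value."""
    v = v.strip()
    return v[1:-1].strip() if v[0] in "'\"" else v

def parse_add_headers(snippet):
    """Map lower-cased header name -> value for every add_header line."""
    return {n.lower(): unquote(v) for n, v in ADD_HEADER_RE.findall(snippet)}

def audit(h):
    """Return the messages of the checks that failed; [] means all passed."""
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
    hpkp = h.get("public-key-pins", "")
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', hpkp)
    checks = [  # (failed?, message); 15768000 s = six months, this script's own floor
        (not age or int(age.group(1)) < 15768000, "HSTS missing or max-age < 6 months"),
        ("includesubdomains" not in hsts.lower(), "HSTS without includeSubDomains"),
        (h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"),
         "X-Frame-Options is not DENY or SAMEORIGIN"),
        (h.get("x-content-type-options", "").lower() != "nosniff",
         "X-Content-Type-Options is not nosniff"),
        (not {"default-src", "script-src"} & directives.keys(),
         "CSP has neither default-src nor script-src"),
        (any("'unsafe-inline'" in s for s in directives.values()), "CSP allows 'unsafe-inline'"),
        (bool(hpkp) and len(pins) < 2, "HPKP needs a backup pin (RFC 7469 requires two)"),
        (bool(hpkp) and not re.search(r"max-age=\d+", hpkp), "HPKP without max-age"),
        (any(len(p) != 44 for p in pins), "HPKP pin is not a 32-byte SHA-256 in base64"),
        (EMPTY_INPUT_PIN in pins, "HPKP pin is SHA-256 of empty input: openssl read no key"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run against the config above it reports only the empty-input pin; fix that before shipping, since a pin that can never match a real key leaves you one key rotation away from locking visitors out. Also remember that nginx does not inherit add_header lines into any location block that declares its own, and that major browsers have since removed HPKP support, so the pinning checks matter only for legacy deployments.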