security-headers-configuration


Security Headers Configuration

安全标头配置

Overview

概述

Implement comprehensive HTTP security headers to protect web applications from XSS, clickjacking, MIME sniffing, and other browser-based attacks.
配置全面的HTTP安全标头,以保护Web应用免受XSS、点击劫持、MIME嗅探及其他基于浏览器的攻击。

When to Use

适用场景

  • New web application deployment
  • Security audit remediation
  • Compliance requirements
  • Browser security hardening
  • API security
  • Static site protection
  • 新Web应用部署
  • 安全审计整改
  • 合规要求满足
  • 浏览器安全强化
  • API安全防护
  • 静态站点保护

Implementation Examples

实现示例

1. Node.js/Express Security Headers

1. Node.js/Express 安全标头配置

javascript
// security-headers.js
const helmet = require('helmet');

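/**
 * Install the HTTP security headers on an Express app.
 *
 * @param {object} app - Express application (anything with an Express-style `use()`).
 * @param {object} [options]
 * @param {boolean} [options.allowInlineScripts=false] - Add 'unsafe-inline' to script-src.
 *   Off by default: with it on, CSP no longer blocks injected <script> blocks or inline
 *   event handlers, which is the main XSS protection CSP provides. Inline snippets
 *   (e.g. an analytics loader) should get a nonce or hash instead.
 * @param {string|null} [options.cspReportUri='/api/csp-report'] - Where browsers POST
 *   violation reports; must match the endpoint registered on this app. Pass null to
 *   omit the directive.
 * @returns {void}
 */
function configureSecurityHeaders(app, { allowInlineScripts = false, cspReportUri = '/api/csp-report' } = {}) {
  const scriptSrc = [
    "'self'",
    "https://cdn.example.com",
    "https://www.google-analytics.com"
  ];
  if (allowInlineScripts) {
    scriptSrc.push("'unsafe-inline'"); // development only; see the option doc above
  }

  // Comprehensive Helmet configuration
  app.use(helmet({
    // Content Security Policy
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc,
        styleSrc: [
          "'self'",
          "'unsafe-inline'",
          "https://fonts.googleapis.com"
        ],
        fontSrc: [
          "'self'",
          "https://fonts.gstatic.com"
        ],
        imgSrc: [
          "'self'",
          "data:",
          "https:",
          "blob:"
        ],
        connectSrc: [
          "'self'",
          "https://api.example.com"
        ],
        // frame-src limits what this page may embed; frame-ancestors limits who may
        // embed this page (the clickjacking control, CSP's successor to X-Frame-Options).
        frameSrc: ["'none'"],
        frameAncestors: ["'none'"],
        objectSrc: ["'none'"],
        // base-uri and form-action close two injection paths default-src does not
        // cover: <base href> rewriting and posting forms to another origin.
        baseUri: ["'self'"],
        formAction: ["'self'"],
        upgradeInsecureRequests: [],
        // Without report-uri the browser never calls the CSP reporter endpoint and
        // violations go unseen.
        ...(cspReportUri ? { reportUri: [cspReportUri] } : {})
      }
    },

    // Strict Transport Security
    hsts: {
      maxAge: 31536000, // 1 year
      includeSubDomains: true,
      preload: true
    },

    // X-Frame-Options
    frameguard: {
      action: 'deny'
    },

    // X-Content-Type-Options
    noSniff: true,

    // X-XSS-Protection. Helmet 4+ emits "0" here (the legacy browser filter is disabled
    // because it could itself be abused); older Helmet emits "1; mode=block".
    xssFilter: true,

    // Referrer-Policy
    referrerPolicy: {
      policy: 'strict-origin-when-cross-origin'
    },

    // X-Permitted-Cross-Domain-Policies (Flash/Acrobat crossdomain.xml). This is NOT
    // Permissions-Policy, which is set in the middleware below.
    permittedCrossDomainPolicies: {
      permittedPolicies: 'none'
    }
  }));

  // Additional custom headers not covered by the Helmet options above
  app.use((req, res, next) => {
    // Permissions Policy (formerly Feature-Policy)
    res.setHeader(
      'Permissions-Policy',
      'geolocation=(), microphone=(), camera=(), payment=(), usb=()'
    );

    // Expect-CT is deprecated in current browsers; kept for parity with the other
    // examples on this page, harmless to drop.
    res.setHeader(
      'Expect-CT',
      'max-age=86400, enforce'
    );

    // Cross-Origin policies. require-corp blocks every cross-origin subresource that
    // does not opt in via CORP or CORS, so the CDN, font and analytics hosts listed in
    // the CSP must send Cross-Origin-Resource-Policy or be loaded with `crossorigin`.
    res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
    res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');

    // Remove powered-by header (Helmet's default hidePoweredBy also does this)
    res.removeHeader('X-Powered-By');

    next();
  });
}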

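// CSP Violation Reporter
//
// Exposed as a function instead of a module-level `app.post(...)`: neither `app` nor
// `express` is defined in this module, so the original threw a ReferenceError on load.
/**
 * Register the endpoint browsers POST CSP violation reports to.
 *
 * The endpoint is unauthenticated by design (browsers send reports without any
 * application credentials), so everything in the body is attacker-controlled input:
 * it is logged, never interpreted, and the body size is capped. Rate limiting it
 * is advisable on public sites.
 *
 * @param {object} app - Express application.
 * @param {object} [options]
 * @param {string} [options.path='/api/csp-report'] - Must match the CSP report-uri directive.
 * @param {string} [options.limit='16kb'] - Maximum accepted report body.
 * @param {(summary: object, req: object) => void} [options.onViolation] - Optional sink
 *   for a monitoring service; called after the console log.
 * @returns {void}
 */
function registerCspReporter(app, { path = '/api/csp-report', limit = '16kb', onViolation } = {}) {
  // Required lazily so callers that only need configureSecurityHeaders do not pull in express here.
  const express = require('express');

  // report-uri reports arrive as application/csp-report; accept plain JSON too for manual testing.
  const parseReport = express.json({ type: ['application/csp-report', 'application/json'], limit });

  app.post(path, parseReport, (req, res) => {
    // The body may be absent, not an object, or missing the wrapper key.
    const report = req.body?.['csp-report'];
    if (!report || typeof report !== 'object') {
      return res.status(400).end();
    }

    const summary = {
      documentUri: report['document-uri'],
      violatedDirective: report['violated-directive'],
      blockedUri: report['blocked-uri'],
      sourceFile: report['source-file'],
      lineNumber: report['line-number']
    };

    console.error('CSP Violation:', summary);

    // Store in database or send to monitoring service
    // e.g. registerCspReporter(app, { onViolation: monitoringService.logCSPViolation })
    onViolation?.(summary, req);

    return res.status(204).end();
  });
}

module.exports = { configureSecurityHeaders, registerCspReporter };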
javascript
// security-headers.js
const helmet = require('helmet');

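/**
 * Install the HTTP security headers on an Express app.
 *
 * @param {object} app - Express application (anything with an Express-style `use()`).
 * @param {object} [options]
 * @param {boolean} [options.allowInlineScripts=false] - Add 'unsafe-inline' to script-src.
 *   Off by default: with it on, CSP no longer blocks injected <script> blocks or inline
 *   event handlers, which is the main XSS protection CSP provides. Inline snippets
 *   (e.g. an analytics loader) should get a nonce or hash instead.
 * @param {string|null} [options.cspReportUri='/api/csp-report'] - Where browsers POST
 *   violation reports; must match the endpoint registered on this app. Pass null to
 *   omit the directive.
 * @returns {void}
 */
function configureSecurityHeaders(app, { allowInlineScripts = false, cspReportUri = '/api/csp-report' } = {}) {
  const scriptSrc = [
    "'self'",
    "https://cdn.example.com",
    "https://www.google-analytics.com"
  ];
  if (allowInlineScripts) {
    scriptSrc.push("'unsafe-inline'"); // development only; see the option doc above
  }

  // Comprehensive Helmet configuration
  app.use(helmet({
    // Content Security Policy
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc,
        styleSrc: [
          "'self'",
          "'unsafe-inline'",
          "https://fonts.googleapis.com"
        ],
        fontSrc: [
          "'self'",
          "https://fonts.gstatic.com"
        ],
        imgSrc: [
          "'self'",
          "data:",
          "https:",
          "blob:"
        ],
        connectSrc: [
          "'self'",
          "https://api.example.com"
        ],
        // frame-src limits what this page may embed; frame-ancestors limits who may
        // embed this page (the clickjacking control, CSP's successor to X-Frame-Options).
        frameSrc: ["'none'"],
        frameAncestors: ["'none'"],
        objectSrc: ["'none'"],
        // base-uri and form-action close two injection paths default-src does not
        // cover: <base href> rewriting and posting forms to another origin.
        baseUri: ["'self'"],
        formAction: ["'self'"],
        upgradeInsecureRequests: [],
        // Without report-uri the browser never calls the CSP reporter endpoint and
        // violations go unseen.
        ...(cspReportUri ? { reportUri: [cspReportUri] } : {})
      }
    },

    // Strict Transport Security
    hsts: {
      maxAge: 31536000, // 1 year
      includeSubDomains: true,
      preload: true
    },

    // X-Frame-Options
    frameguard: {
      action: 'deny'
    },

    // X-Content-Type-Options
    noSniff: true,

    // X-XSS-Protection. Helmet 4+ emits "0" here (the legacy browser filter is disabled
    // because it could itself be abused); older Helmet emits "1; mode=block".
    xssFilter: true,

    // Referrer-Policy
    referrerPolicy: {
      policy: 'strict-origin-when-cross-origin'
    },

    // X-Permitted-Cross-Domain-Policies (Flash/Acrobat crossdomain.xml). This is NOT
    // Permissions-Policy, which is set in the middleware below.
    permittedCrossDomainPolicies: {
      permittedPolicies: 'none'
    }
  }));

  // Additional custom headers not covered by the Helmet options above
  app.use((req, res, next) => {
    // Permissions Policy (formerly Feature-Policy)
    res.setHeader(
      'Permissions-Policy',
      'geolocation=(), microphone=(), camera=(), payment=(), usb=()'
    );

    // Expect-CT is deprecated in current browsers; kept for parity with the other
    // examples on this page, harmless to drop.
    res.setHeader(
      'Expect-CT',
      'max-age=86400, enforce'
    );

    // Cross-Origin policies. require-corp blocks every cross-origin subresource that
    // does not opt in via CORP or CORS, so the CDN, font and analytics hosts listed in
    // the CSP must send Cross-Origin-Resource-Policy or be loaded with `crossorigin`.
    res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');
    res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');

    // Remove powered-by header (Helmet's default hidePoweredBy also does this)
    res.removeHeader('X-Powered-By');

    next();
  });
}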

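// CSP Violation Reporter
//
// Exposed as a function instead of a module-level `app.post(...)`: neither `app` nor
// `express` is defined in this module, so the original threw a ReferenceError on load.
/**
 * Register the endpoint browsers POST CSP violation reports to.
 *
 * The endpoint is unauthenticated by design (browsers send reports without any
 * application credentials), so everything in the body is attacker-controlled input:
 * it is logged, never interpreted, and the body size is capped. Rate limiting it
 * is advisable on public sites.
 *
 * @param {object} app - Express application.
 * @param {object} [options]
 * @param {string} [options.path='/api/csp-report'] - Must match the CSP report-uri directive.
 * @param {string} [options.limit='16kb'] - Maximum accepted report body.
 * @param {(summary: object, req: object) => void} [options.onViolation] - Optional sink
 *   for a monitoring service; called after the console log.
 * @returns {void}
 */
function registerCspReporter(app, { path = '/api/csp-report', limit = '16kb', onViolation } = {}) {
  // Required lazily so callers that only need configureSecurityHeaders do not pull in express here.
  const express = require('express');

  // report-uri reports arrive as application/csp-report; accept plain JSON too for manual testing.
  const parseReport = express.json({ type: ['application/csp-report', 'application/json'], limit });

  app.post(path, parseReport, (req, res) => {
    // The body may be absent, not an object, or missing the wrapper key.
    const report = req.body?.['csp-report'];
    if (!report || typeof report !== 'object') {
      return res.status(400).end();
    }

    const summary = {
      documentUri: report['document-uri'],
      violatedDirective: report['violated-directive'],
      blockedUri: report['blocked-uri'],
      sourceFile: report['source-file'],
      lineNumber: report['line-number']
    };

    console.error('CSP Violation:', summary);

    // Store in database or send to monitoring service
    // e.g. registerCspReporter(app, { onViolation: monitoringService.logCSPViolation })
    onViolation?.(summary, req);

    return res.status(204).end();
  });
}

module.exports = { configureSecurityHeaders, registerCspReporter };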

2. Nginx Security Headers Configuration

2. Nginx 安全标头配置

nginx
undefined
nginx
undefined

nginx-security-headers.conf

nginx-security-headers.conf

# HTTPS origin for example.com: TLS settings, security headers, static root and API proxy.
#
# Inheritance caveat: nginx inherits add_header directives into a location block only
# when that block defines no add_header of its own. Adding a single add_header inside
# "location /api/" below would silently drop every header set here for that location.
server { listen 443 ssl http2; server_name example.com;
# SSL Configuration
# NOTE(review): on nginx 1.25.1+ the "http2" listen parameter is deprecated in favour
# of a separate "http2 on;" directive.
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): HIGH:!aNULL:!MD5 still admits non-forward-secret RSA key exchange and
# CBC suites under TLS 1.2; an explicit ECDHE/AEAD list (e.g. the Mozilla "intermediate"
# profile) is the usual hardening step.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Security Headers
# "always" attaches the headers to 4xx/5xx responses too, which are probed most.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers have removed the XSS auditor and current guidance is
# "0" (or omitting it); the CSP below is the real control.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# Content Security Policy
# report-uri points at /api/csp-report, which "location /api/" proxies to the backend,
# so the backend must expose that endpoint (see the Express/Flask examples).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /api/csp-report" always;

# Cross-Origin Policies
# require-corp blocks cross-origin subresources that do not opt in via CORP/CORS; the
# CDN and font hosts allowed by the CSP must send Cross-Origin-Resource-Policy.
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

# Expect-CT
# Deprecated in current browsers; harmless, but it no longer adds protection.
add_header Expect-CT "max-age=86400, enforce" always;

# Hide server version
# Strips only the version; nginx still sends "Server: nginx".
server_tokens off;

location / {
    root /var/www/html;
    index index.html;
}

# API endpoints
location /api/ {
    proxy_pass http://backend:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Remove backend headers that might leak info
    # (applies to the proxied response only; nginx's own Server header is governed by
    # server_tokens above)
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;
}
}
# HTTPS origin for example.com: TLS settings, security headers, static root and API proxy.
#
# Inheritance caveat: nginx inherits add_header directives into a location block only
# when that block defines no add_header of its own. Adding a single add_header inside
# "location /api/" below would silently drop every header set here for that location.
server { listen 443 ssl http2; server_name example.com;
# SSL Configuration
# NOTE(review): on nginx 1.25.1+ the "http2" listen parameter is deprecated in favour
# of a separate "http2 on;" directive.
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): HIGH:!aNULL:!MD5 still admits non-forward-secret RSA key exchange and
# CBC suites under TLS 1.2; an explicit ECDHE/AEAD list (e.g. the Mozilla "intermediate"
# profile) is the usual hardening step.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Security Headers
# "always" attaches the headers to 4xx/5xx responses too, which are probed most.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers have removed the XSS auditor and current guidance is
# "0" (or omitting it); the CSP below is the real control.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# Content Security Policy
# report-uri points at /api/csp-report, which "location /api/" proxies to the backend,
# so the backend must expose that endpoint (see the Express/Flask examples).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /api/csp-report" always;

# Cross-Origin Policies
# require-corp blocks cross-origin subresources that do not opt in via CORP/CORS; the
# CDN and font hosts allowed by the CSP must send Cross-Origin-Resource-Policy.
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

# Expect-CT
# Deprecated in current browsers; harmless, but it no longer adds protection.
add_header Expect-CT "max-age=86400, enforce" always;

# Hide server version
# Strips only the version; nginx still sends "Server: nginx".
server_tokens off;

location / {
    root /var/www/html;
    index index.html;
}

# API endpoints
location /api/ {
    proxy_pass http://backend:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Remove backend headers that might leak info
    # (applies to the proxied response only; nginx's own Server header is governed by
    # server_tokens above)
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;
}
}

Redirect HTTP to HTTPS

Redirect HTTP to HTTPS

# Plain-HTTP listener: nothing is served here, every request gets a permanent redirect to
# the HTTPS origin. $server_name (not $host) is used, so the target is never taken from the
# client's Host header.
server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }
undefined
# Plain-HTTP listener: nothing is served here, every request gets a permanent redirect to
# the HTTPS origin. $server_name (not $host) is used, so the target is never taken from the
# client's Host header.
server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }
undefined

3. Python Flask Security Headers

3. Python Flask 安全标头配置

python
undefined
python
undefined

security_headers.py

security_headers.py

from functools import wraps

from flask import Flask, make_response, request
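# Flask needs the module's import name to locate templates and static files
# (the page rendered this as ``Flask(name)`` because markdown ate the underscores).
app = Flask(__name__)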
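def _build_csp() -> str:
    """Serialise the CSP directive table into one Content-Security-Policy value."""
    csp = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://cdn.example.com"],
        # 'unsafe-inline' for styles is far less dangerous than for scripts but still
        # permits CSS injection; prefer hashes/nonces where the templates allow it.
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'", "data:", "https:"],
        "font-src": ["'self'"],
        "connect-src": ["'self'", "https://api.example.com"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        # Must match the csp_report route, otherwise violations are never reported.
        "report-uri": ["/api/csp-report"],
    }
    return "; ".join(f"{key} {' '.join(values)}" for key, values in csp.items())


def _set_security_headers(headers) -> None:
    """Write the full security header set onto a werkzeug Headers (or dict-like) object.

    Kept separate from the decorator so other hooks (e.g. an after_request handler)
    can apply exactly the same set instead of maintaining a drifting copy.
    """
    # Strict Transport Security
    headers['Strict-Transport-Security'] = \
        'max-age=31536000; includeSubDomains; preload'

    # X-Frame-Options
    headers['X-Frame-Options'] = 'DENY'

    # X-Content-Type-Options
    headers['X-Content-Type-Options'] = 'nosniff'

    # X-XSS-Protection (legacy; current browsers ignore it and current guidance is "0")
    headers['X-XSS-Protection'] = '1; mode=block'

    # Referrer-Policy
    headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'

    # Permissions-Policy
    headers['Permissions-Policy'] = \
        'geolocation=(), microphone=(), camera=(), payment=()'

    # Content Security Policy
    headers['Content-Security-Policy'] = _build_csp()

    # Cross-Origin Policies. require-corp blocks cross-origin subresources that do not
    # opt in via CORP/CORS, so the CDN in the CSP must send Cross-Origin-Resource-Policy.
    headers['Cross-Origin-Embedder-Policy'] = 'require-corp'
    headers['Cross-Origin-Opener-Policy'] = 'same-origin'
    headers['Cross-Origin-Resource-Policy'] = 'same-origin'

    # Expect-CT (deprecated in current browsers; harmless)
    headers['Expect-CT'] = 'max-age=86400, enforce'

    # Remove server header. Best-effort only: the WSGI server (werkzeug, gunicorn, ...)
    # typically adds its Server header after this code runs, so hide it at the server or
    # reverse proxy as well.
    headers.pop('Server', None)


def add_security_headers(f):
    """View decorator: wrap the view's return value in a Response and attach the headers.

    Args:
        f: a Flask view function.

    Returns:
        The wrapped view. Exceptions raised by ``f`` propagate unchanged.
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        resp = make_response(f(*args, **kwargs))
        _set_security_headers(resp.headers)
        return resp

    return decorated_function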
from functools import wraps

from flask import Flask, make_response, request
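# Flask needs the module's import name to locate templates and static files
# (the page rendered this as ``Flask(name)`` because markdown ate the underscores).
app = Flask(__name__)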
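def _build_csp() -> str:
    """Serialise the CSP directive table into one Content-Security-Policy value."""
    csp = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://cdn.example.com"],
        # 'unsafe-inline' for styles is far less dangerous than for scripts but still
        # permits CSS injection; prefer hashes/nonces where the templates allow it.
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'", "data:", "https:"],
        "font-src": ["'self'"],
        "connect-src": ["'self'", "https://api.example.com"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        # Must match the csp_report route, otherwise violations are never reported.
        "report-uri": ["/api/csp-report"],
    }
    return "; ".join(f"{key} {' '.join(values)}" for key, values in csp.items())


def _set_security_headers(headers) -> None:
    """Write the full security header set onto a werkzeug Headers (or dict-like) object.

    Kept separate from the decorator so other hooks (e.g. an after_request handler)
    can apply exactly the same set instead of maintaining a drifting copy.
    """
    # Strict Transport Security
    headers['Strict-Transport-Security'] = \
        'max-age=31536000; includeSubDomains; preload'

    # X-Frame-Options
    headers['X-Frame-Options'] = 'DENY'

    # X-Content-Type-Options
    headers['X-Content-Type-Options'] = 'nosniff'

    # X-XSS-Protection (legacy; current browsers ignore it and current guidance is "0")
    headers['X-XSS-Protection'] = '1; mode=block'

    # Referrer-Policy
    headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'

    # Permissions-Policy
    headers['Permissions-Policy'] = \
        'geolocation=(), microphone=(), camera=(), payment=()'

    # Content Security Policy
    headers['Content-Security-Policy'] = _build_csp()

    # Cross-Origin Policies. require-corp blocks cross-origin subresources that do not
    # opt in via CORP/CORS, so the CDN in the CSP must send Cross-Origin-Resource-Policy.
    headers['Cross-Origin-Embedder-Policy'] = 'require-corp'
    headers['Cross-Origin-Opener-Policy'] = 'same-origin'
    headers['Cross-Origin-Resource-Policy'] = 'same-origin'

    # Expect-CT (deprecated in current browsers; harmless)
    headers['Expect-CT'] = 'max-age=86400, enforce'

    # Remove server header. Best-effort only: the WSGI server (werkzeug, gunicorn, ...)
    # typically adds its Server header after this code runs, so hide it at the server or
    # reverse proxy as well.
    headers.pop('Server', None)


def add_security_headers(f):
    """View decorator: wrap the view's return value in a Response and attach the headers.

    Args:
        f: a Flask view function.

    Returns:
        The wrapped view. Exceptions raised by ``f`` propagate unchanged.
    """
    @wraps(f)
    def decorated_function(*args, **kwargs):
        resp = make_response(f(*args, **kwargs))
        _set_security_headers(resp.headers)
        return resp

    return decorated_function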

Apply to all routes

Apply to all routes

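@app.after_request
def apply_security_headers(response):
    """Attach the full security header set to every response.

    The original hook set only four headers here although its comment said "same
    headers as above", so undecorated routes shipped without CSP, Permissions-Policy
    or the cross-origin headers. Reusing the decorator keeps the two paths from
    drifting apart; make_response() returns an existing Response unchanged, and
    re-assigning a header on an already decorated view is idempotent.
    """
    return add_security_headers(lambda: response)()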
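@app.after_request
def apply_security_headers(response):
    """Attach the full security header set to every response.

    The original hook set only four headers here although its comment said "same
    headers as above", so undecorated routes shipped without CSP, Permissions-Policy
    or the cross-origin headers. Reusing the decorator keeps the two paths from
    drifting apart; make_response() returns an existing Response unchanged, and
    re-assigning a header on an already decorated view is idempotent.
    """
    return add_security_headers(lambda: response)()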

CSP Violation endpoint

CSP Violation endpoint

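@app.route('/api/csp-report', methods=['POST'])
def csp_report():
    """Receive browser CSP violation reports (target of the CSP report-uri directive).

    Browsers POST these with ``Content-Type: application/csp-report``, which Flask
    does not treat as JSON, so ``get_json()`` needs ``force=True``; ``silent=True``
    turns a malformed body into a 400 instead of an unhandled exception. The payload
    is untrusted client input and is only logged, never interpreted.

    Returns:
        ('', 204) on success, ('', 400) when the body is not a JSON object.
    """
    report = request.get_json(force=True, silent=True)
    if not isinstance(report, dict):
        return '', 400

    # Keep log lines bounded: every field is attacker-controlled.
    print(f"CSP Violation: {str(report)[:2048]}")

    # Log to monitoring service
    # monitoring.log_csp_violation(report)

    return '', 204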
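if __name__ == '__main__':
    # Run with HTTPS only. ssl_context='adhoc' creates a throwaway self-signed
    # certificate (needs the ``cryptography`` package) and is for local development;
    # behind a TLS-terminating proxy such as the nginx example, run plain HTTP on an
    # internal port instead and let the proxy set HSTS.
    app.run(ssl_context='adhoc', port=443)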
undefined
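@app.route('/api/csp-report', methods=['POST'])
def csp_report():
    """Receive browser CSP violation reports (target of the CSP report-uri directive).

    Browsers POST these with ``Content-Type: application/csp-report``, which Flask
    does not treat as JSON, so ``get_json()`` needs ``force=True``; ``silent=True``
    turns a malformed body into a 400 instead of an unhandled exception. The payload
    is untrusted client input and is only logged, never interpreted.

    Returns:
        ('', 204) on success, ('', 400) when the body is not a JSON object.
    """
    report = request.get_json(force=True, silent=True)
    if not isinstance(report, dict):
        return '', 400

    # Keep log lines bounded: every field is attacker-controlled.
    print(f"CSP Violation: {str(report)[:2048]}")

    # Log to monitoring service
    # monitoring.log_csp_violation(report)

    return '', 204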
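if __name__ == '__main__':
    # Run with HTTPS only. ssl_context='adhoc' creates a throwaway self-signed
    # certificate (needs the ``cryptography`` package) and is for local development;
    # behind a TLS-terminating proxy such as the nginx example, run plain HTTP on an
    # internal port instead and let the proxy set HSTS.
    app.run(ssl_context='adhoc', port=443)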
undefined

4. Apache .htaccess Configuration

4. Apache .htaccess 配置

apache
undefined
apache
undefined

.htaccess - Apache security headers

.htaccess - Apache security headers

Strict Transport Security

Strict Transport Security

# HSTS: one year, subdomains included, preload-eligible. Send it only once every
# subdomain is reachable over HTTPS; browsers cache it for max-age and the preload
# list is hard to leave. "always" also applies it to error responses.
# Requires mod_headers (wrap in <IfModule mod_headers.c> if the module may be absent).
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

X-Frame-Options

X-Frame-Options

# Clickjacking control for browsers without CSP frame-ancestors support; the CSP
# below should carry frame-ancestors 'none' for the same effect in modern browsers.
Header always set X-Frame-Options "DENY"
Header always set X-Frame-Options "DENY"

X-Content-Type-Options

X-Content-Type-Options

# Stop browsers from guessing a different MIME type than the one served.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Content-Type-Options "nosniff"

X-XSS-Protection

X-XSS-Protection

# Legacy header: current browsers have removed the XSS auditor and current guidance
# is "0" (or omitting it); CSP is the real control.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-XSS-Protection "1; mode=block"

Referrer-Policy

Referrer-Policy

# Send the full URL only to same-origin requests; cross-origin requests get the origin
# alone and nothing at all on an HTTPS-to-HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Permissions-Policy

Permissions-Policy

# Deny the listed browser features to every origin, including this one.
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

Content Security Policy

Content Security Policy

# Content Security Policy. NOTE(review): unlike the nginx/Flask examples on this page,
# this policy has no base-uri, form-action or report-uri directive, so <base href>
# rewriting and cross-origin form posts are not restricted and violations are not
# reported; add them for parity.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none'"

Cross-Origin Policies

Cross-Origin Policies

# Cross-origin isolation. require-corp blocks every cross-origin subresource that does
# not opt in via CORP/CORS, so the CDN allowed in the CSP must send
# Cross-Origin-Resource-Policy or be loaded with crossorigin. One directive per line:
# Apache rejects several directives on a single line.
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"

Remove server signature

Remove server signature

# Reduce version disclosure. ServerSignature only affects server-generated pages, and
# "Header unset Server" generally cannot remove Apache's own Server header because it
# is added after mod_headers runs; ServerTokens Prod in the server configuration (not
# allowed in .htaccess) is what trims it. X-Powered-By comes from application modules
# such as PHP and can be unset here.
ServerSignature Off
Header unset Server
Header unset X-Powered-By
ServerSignature Off
Header unset Server
Header unset X-Powered-By

Force HTTPS

Force HTTPS

# Force HTTPS (needs mod_rewrite and AllowOverride FileInfo).
# NOTE(review): %{HTTP_HOST} is taken from the client's Host header, so the redirect
# target is client-controlled; a fixed hostname is safer. When TLS is terminated at a
# proxy, %{HTTPS} is "off" for every request and this rule loops; key off
# X-Forwarded-Proto in that deployment.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
undefined
# Force HTTPS (needs mod_rewrite and AllowOverride FileInfo).
# NOTE(review): %{HTTP_HOST} is taken from the client's Host header, so the redirect
# target is client-controlled; a fixed hostname is safer. When TLS is terminated at a
# proxy, %{HTTPS} is "off" for every request and this rule loops; key off
# X-Forwarded-Proto in that deployment.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
undefined

5. Security Headers Testing Script

5. 安全标头测试脚本

javascript
// test-security-headers.js
const axios = require('axios');

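/**
 * Fetch `url` and report which common security headers are present.
 *
 * Only presence is checked, not the value, so a weak value (HSTS max-age=0, an
 * empty CSP) still counts as a pass; read the printed values.
 *
 * @param {string} url - URL to test. The default fetcher follows redirects, so the
 *   headers belong to the final response; test http:// and https:// separately if the
 *   redirecting hop matters.
 * @param {object} [options]
 * @param {(url: string) => Promise<Record<string, string>>} [options.fetchHeaders] -
 *   Returns response headers keyed by lower-case name. Defaults to an axios GET;
 *   injectable so the scoring can be tested without a network.
 * @param {number} [options.timeout=10000] - Request timeout in ms for the default fetcher
 *   (axios has none by default, so a stalled host would hang the script).
 * @returns {Promise<{passed: number, failed: number, score: number, results: object} | null>}
 *   Summary of the check, or null when the request failed (the error is logged).
 */
async function testSecurityHeaders(url, { fetchHeaders, timeout = 10000 } = {}) {
  console.log(`\n=== Testing Security Headers for ${url} ===\n`);

  const getHeaders = fetchHeaders ?? (async (target) => {
    const response = await axios.get(target, {
      validateStatus: () => true, // an error page should be checked too
      timeout
    });
    return response.headers;
  });

  let headers;
  try {
    headers = await getHeaders(url);
  } catch (error) {
    console.error('Error testing headers:', error.message);
    return null;
  }

  // Header name -> recommended value shown when the header is missing.
  const expected = {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'X-Frame-Options': 'DENY or SAMEORIGIN',
    'X-Content-Type-Options': 'nosniff',
    // Legacy header; current guidance is "0" and to rely on CSP instead.
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': 'Define strict CSP',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'Restrict dangerous features'
  };

  const results = {};
  let passed = 0;
  let failed = 0;

  for (const [header, recommended] of Object.entries(expected)) {
    const value = headers?.[header.toLowerCase()];
    // An empty header carries no policy, so it is treated as missing.
    const present = value != null && String(value) !== '';
    results[header] = { present, value, recommended };

    if (present) {
      console.log(`${header}: ${value}`);
      passed += 1;
    } else {
      console.log(`${header}: MISSING`);
      console.log(`  Recommended: ${recommended}`);
      failed += 1;
    }
  }

  const total = Object.keys(expected).length;
  console.log(`\n=== Summary ===`);
  console.log(`Passed: ${passed}/${total}`);
  console.log(`Failed: ${failed}/${total}`);

  const score = (passed / total) * 100;
  console.log(`Security Score: ${score.toFixed(0)}%`);

  return { passed, failed, score, results };
}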

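// Usage: node test-security-headers.js <url>   (defaults to https://example.com)
const target = process.argv[2] ?? 'https://example.com';
// testSecurityHeaders() logs request failures itself; the catch covers anything
// unexpected so the promise is never left floating.
testSecurityHeaders(target).catch((error) => {
  console.error('Unexpected error:', error.message);
  process.exitCode = 1;
});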
javascript
// test-security-headers.js
const axios = require('axios');

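/**
 * Fetch `url` and report which common security headers are present.
 *
 * Only presence is checked, not the value, so a weak value (HSTS max-age=0, an
 * empty CSP) still counts as a pass; read the printed values.
 *
 * @param {string} url - URL to test. The default fetcher follows redirects, so the
 *   headers belong to the final response; test http:// and https:// separately if the
 *   redirecting hop matters.
 * @param {object} [options]
 * @param {(url: string) => Promise<Record<string, string>>} [options.fetchHeaders] -
 *   Returns response headers keyed by lower-case name. Defaults to an axios GET;
 *   injectable so the scoring can be tested without a network.
 * @param {number} [options.timeout=10000] - Request timeout in ms for the default fetcher
 *   (axios has none by default, so a stalled host would hang the script).
 * @returns {Promise<{passed: number, failed: number, score: number, results: object} | null>}
 *   Summary of the check, or null when the request failed (the error is logged).
 */
async function testSecurityHeaders(url, { fetchHeaders, timeout = 10000 } = {}) {
  console.log(`\n=== Testing Security Headers for ${url} ===\n`);

  const getHeaders = fetchHeaders ?? (async (target) => {
    const response = await axios.get(target, {
      validateStatus: () => true, // an error page should be checked too
      timeout
    });
    return response.headers;
  });

  let headers;
  try {
    headers = await getHeaders(url);
  } catch (error) {
    console.error('Error testing headers:', error.message);
    return null;
  }

  // Header name -> recommended value shown when the header is missing.
  const expected = {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'X-Frame-Options': 'DENY or SAMEORIGIN',
    'X-Content-Type-Options': 'nosniff',
    // Legacy header; current guidance is "0" and to rely on CSP instead.
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': 'Define strict CSP',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'Restrict dangerous features'
  };

  const results = {};
  let passed = 0;
  let failed = 0;

  for (const [header, recommended] of Object.entries(expected)) {
    const value = headers?.[header.toLowerCase()];
    // An empty header carries no policy, so it is treated as missing.
    const present = value != null && String(value) !== '';
    results[header] = { present, value, recommended };

    if (present) {
      console.log(`${header}: ${value}`);
      passed += 1;
    } else {
      console.log(`${header}: MISSING`);
      console.log(`  Recommended: ${recommended}`);
      failed += 1;
    }
  }

  const total = Object.keys(expected).length;
  console.log(`\n=== Summary ===`);
  console.log(`Passed: ${passed}/${total}`);
  console.log(`Failed: ${failed}/${total}`);

  const score = (passed / total) * 100;
  console.log(`Security Score: ${score.toFixed(0)}%`);

  return { passed, failed, score, results };
}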

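// Usage: node test-security-headers.js <url>   (defaults to https://example.com)
const target = process.argv[2] ?? 'https://example.com';
// testSecurityHeaders() logs request failures itself; the catch covers anything
// unexpected so the promise is never left floating.
testSecurityHeaders(target).catch((error) => {
  console.error('Unexpected error:', error.message);
  process.exitCode = 1;
});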

Best Practices

最佳实践

✅ DO

✅ 建议做法

  • Use HTTPS everywhere
  • Implement strict CSP
  • Enable HSTS with preload
  • Block framing with X-Frame-Options
  • Prevent MIME sniffing
  • Report CSP violations
  • Test headers regularly
  • Use security scanners
  • 全程使用HTTPS
  • 实施严格的CSP
  • 启用带预加载的HSTS
  • 通过X-Frame-Options阻止页面嵌入
  • 防止MIME嗅探
  • 上报CSP违规事件
  • 定期测试标头
  • 使用安全扫描工具

❌ DON'T

❌ 禁止做法

  • Allow unsafe-inline in CSP
  • Skip HSTS on subdomains
  • Ignore CSP violations
  • Use overly permissive policies
  • Forget to test changes
  • 在CSP中允许unsafe-inline
  • 忽略子域名的HSTS配置
  • 无视CSP违规事件
  • 使用过于宽松的策略
  • 忘记测试变更内容

Security Headers Checklist

安全标头检查清单

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy
  • Cross-Origin policies
  • Expect-CT
  • Remove server signatures
  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy
  • 跨源策略
  • Expect-CT
  • 移除服务器签名

Testing Tools

测试工具

Resources

参考资源