Security Headers Configuration
Implement HTTP security headers to defend against common browser-based attacks.
Essential Headers
| Header | Purpose | Value (as used in the Nginx configuration below) |
|---|---|---|
| HSTS (Strict-Transport-Security) | Force HTTPS for the whole site, including subdomains | `max-age=31536000; includeSubDomains; preload` |
| CSP (Content-Security-Policy) | Restrict where scripts, styles and other resources may load from | `default-src 'self'; script-src 'self'` |
| X-Frame-Options | Prevent clickjacking by refusing to be framed | `DENY` |
| X-Content-Type-Options | Prevent MIME sniffing of responses | `nosniff` |
Express Implementation
```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();

// helmet() sets sensible defaults for every header in the table above,
// including a strict default CSP.
app.use(helmet());

// Custom CSP: this middleware overwrites the CSP header helmet() just set,
// so the directives below are the complete policy the browser receives.
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    // 'unsafe-inline' in script-src lets injected <script> blocks run and
    // defeats most of what CSP offers against XSS; prefer a per-response
    // nonce or script hashes once the app's own inline scripts are known.
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));
```

Nginx Configuration
```nginx
# Put these in the server block. add_header is not inherited additively: a
# location block that declares any add_header of its own drops every one set
# here, so repeat the full set (or include a shared file) in such locations.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
# The legacy XSS auditor has been removed from modern browsers, and
# "1; mode=block" caused information leaks in older ones; the current
# recommendation is to disable it explicitly.
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
```

Verification Tools
Security Headers Checklist
- HSTS enabled with a max-age of at least one year (31536000 seconds) and includeSubDomains
- CSP enforced (not report-only) and tested against every page type the site serves
- X-Frame-Options set to DENY, or CSP frame-ancestors 'none', which newer browsers honour in preference to X-Frame-Options
- X-Content-Type-Options set to nosniff
- Referrer-Policy configured (strict-origin-when-cross-origin is a safe default)
- Permissions-Policy disables browser features the site does not use
Additional Implementations
See references/python-apache.md for:
- Python Flask security headers middleware
- Flask-Talisman library configuration
- Apache .htaccess configuration
- Header testing script
Common Mistakes
- Leaving CSP in Content-Security-Policy-Report-Only indefinitely; report-only logs violations but blocks nothing
- Using overly permissive policies ('unsafe-inline' or wildcard sources in script-src give an injected script a free pass)
- Forgetting to test after changes; one wrong source in a CSP string either breaks the page or opens a hole, and neither is obvious from the config alone
- Omitting includeSubDomains from HSTS, which leaves plain-HTTP subdomains able to set or read cookies scoped to the parent domain