安全响应头配置
Nginx 配置(推荐)
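# /etc/nginx/conf.d/security-headers.conf
# Include this in the server (or http) block.
# NOTE: nginx does not merge add_header across levels -- a server/location block that
# declares its own add_header drops every inherited one. Keep the whole set in this
# file and `include` it in each block that adds headers, so none are silently lost.
# "always" makes nginx emit the header on error responses (4xx/5xx) too.
add_header X-DNS-Prefetch-Control "on" always;
# HSTS is only honoured on HTTPS responses. "preload" is effectively permanent once
# the domain is submitted to the browser preload list, so confirm every subdomain
# serves TLS before enabling it.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
# The legacy XSS auditor has been removed from current browsers, and "1; mode=block"
# was a source of side-channel issues in older ones; the recommended value today is
# an explicit "0" (disable).
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# 'unsafe-inline' and 'unsafe-eval' in script-src give up most of the XSS protection a
# CSP provides. Treat this policy as a starting point: move inline scripts to nonces or
# hashes and drop both keywords once the application's scripts are inventoried.
# Consider adding "frame-ancestors 'none'" (CSP equivalent of X-Frame-Options DENY)
# and "object-src 'none'".
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;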
Hyperf 中间件方式(备选)
// app/Middleware/SecurityHeadersMiddleware.php
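class SecurityHeadersMiddleware implements MiddlewareInterface
{
    /**
     * Headers applied to every response unless a different set is injected.
     *
     * Mirrors the Nginx security-headers.conf set, minus Content-Security-Policy:
     * a CSP has to be tuned to the application's own scripts and styles, so pass
     * one in through the constructor once it is known rather than shipping a
     * permissive default. X-XSS-Protection is an explicit "0": the legacy auditor
     * is gone from current browsers and disabling it is the recommended value.
     *
     * @var array<string, string>
     */
    private const DEFAULT_HEADERS = [
        'X-DNS-Prefetch-Control' => 'on',
        // Only honoured on HTTPS responses; browsers ignore it over plain HTTP.
        'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options' => 'DENY',
        'X-XSS-Protection' => '0',
        'Referrer-Policy' => 'strict-origin-when-cross-origin',
        'Permissions-Policy' => 'camera=(), microphone=(), geolocation=()',
    ];

    /**
     * @param array<string, string> $headers Header name => value pairs to set on
     *        every response. Replaces DEFAULT_HEADERS wholesale when given, so a
     *        caller wanting to add (e.g.) a Content-Security-Policy should pass
     *        the full set it wants.
     */
    public function __construct(
        private array $headers = self::DEFAULT_HEADERS,
    ) {
    }

    /**
     * Runs the rest of the pipeline, then stamps the configured security
     * headers onto the resulting response.
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);

        // withHeader() replaces any value set deeper in the stack, so this
        // middleware has the final say on these headers.
        foreach ($this->headers as $name => $value) {
            $response = $response->withHeader($name, $value);
        }

        return $response;
    }
}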
验证安全头
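# -I sends a HEAD request; -sS hides the progress meter but still reports errors.
# Header names are case-insensitive, hence -i. The pattern also covers
# Permissions-Policy and X-XSS-Protection, which the Nginx config sets.
# If the application answers HEAD differently from GET, dump the headers of a
# GET instead:  curl -sS -o /dev/null -D - https://your-domain.com
curl -sSI https://your-domain.com | grep -iE "^(strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy|x-xss-protection):"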