Xiaocen's blog already scored A+ on the SSL Labs test but only D on the Mozilla security test, so I tuned the configuration and got an A+ there too. Security is a double-edged sword, though; whether these settings suit your own site is something you need to judge for yourself.

SSL tests
https://securityheaders.io/
https://mozilla.github.io/http-observatory-website/ (this one is stricter)

The optimization consists mainly of the items below. They are nginx settings only; add them inside the server block.

1. Strict-Transport-Security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

2. X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

3. X-Content-Type-Options
add_header X-Content-Type-Options nosniff;

4. X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";

5. Content-Security-Policy
This is the resource policy: add the origins of the external resources your own site loads.
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com; img-src data: https: https://duoshuo.com";

6. Public-Key-Pins
This one needs the pin-sha256 value computed from your own key with the OpenSSL tools; the method is given further down.
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';

How to compute the pin
RSA key:
$ openssl rsa -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
ECDSA key (for example COMODO ECC):
$ openssl ec -in my.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

Fill the values generated above into the template:
add_header Public-Key-Pins 'pin-sha256="ABCD"; pin-sha256="EFGI"; max-age=2592000';

Below is the configuration block from this round of hardening:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "script-src 'self' https://duoshuo.com; img-src data: https: https://duoshuo.com";
add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="tewDBI59geBDDqF5mhU3o0wnlM98bBvMK+Z8oAp6B1g="; max-age=2592000';

Last modification: October 6, 2023
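Two checks a practitioner would want to run alongside the configuration above, as an added example that is not part of the original post: an audit that reads a response header dump and reports which of the six headers are absent, and a pin calculation that works for both RSA and EC keys through a single `openssl pkey` invocation instead of the two type-specific pipelines in the post. The pin step also rejects one specific bad value: `47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=` is the base64 SHA-256 of empty input, which is exactly what the post's pipeline prints when the first `openssl` stage fails and passes nothing on, and it is the first pin in the post's own header. A pin equal to it pins nothing. (Public-Key-Pins is also no longer honoured by current browsers, so it is audited here only for completeness.) The header dump is constructed for this example, not captured from any real server; `openssl` in PATH is assumed for the key parts.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl in PATH.

# Constructed sample of what `curl -sI https://example.invalid/` might print.
# Deliberately missing X-XSS-Protection and Public-Key-Pins.
sample_headers() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' https://duoshuo.com; img-src data: https:
Content-Type: text/html
EOF
}

# The six headers the post adds, in the post's order.
WANTED="Strict-Transport-Security X-Frame-Options X-Content-Type-Options X-XSS-Protection Content-Security-Policy Public-Key-Pins"

# missing_headers: read a header dump on stdin and print, one per line, each
# wanted header name that does not appear (header names are case-insensitive).
missing_headers() {
  dump=$(cat)
  for name in $WANTED; do
    printf '%s\n' "$dump" | grep -qi "^$name:" || printf '%s\n' "$name"
  done
}

# spki_pin: print the HPKP pin-sha256 value for a PEM private key, i.e.
# base64(SHA-256(DER SubjectPublicKeyInfo)). `openssl pkey` accepts RSA and EC
# keys alike, so this equals the output of either pipeline in the post.
spki_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# base64(SHA-256("")): what the pipeline prints when the key stage produced no
# output. Such a pin matches no certificate and must never be deployed.
EMPTY_SHA256='47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

# pin_is_valid: succeed only if the argument is 32 bytes of base64 (43 chars
# plus '=') and is not the empty-input hash.
pin_is_valid() {
  pin=$1
  [ "$pin" != "$EMPTY_SHA256" ] || return 1
  printf '%s' "$pin" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# demo: generate throwaway RSA and EC keys (constructed here, not real site
# keys), pin both, and audit the constructed header dump.
demo() {
  tmp=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$tmp/rsa.key" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$tmp/ec.key" 2>/dev/null
  for k in rsa ec; do
    pin=$(spki_pin "$tmp/$k.key")
    if pin_is_valid "$pin"; then
      echo "$k: pin-sha256=\"$pin\""
    else
      echo "$k: pin computation failed, do not deploy: $pin"
    fi
  done
  echo "headers missing from the sample response:"
  sample_headers | missing_headers
  rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

To audit a live site, replace `sample_headers` with `curl -sI https://your-site.example/` (a placeholder host); the `missing_headers` function reads any dump in that format. Pin values are computed from the private key only to match the post's method; pinning the key of a backup certificate as the second pin is what keeps a key rotation from locking visitors out during the max-age window.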
8 comments
Blogger, please optimize the speed too. Opening it on Zhejiang Telecom is really slow.
Much better now.
Already moved back to China!! The speed should be fine now!
It's mainly the static resources that load too slowly.
Haha, I used Qiniu before, but later they required an ID card, so I stopped... Now looking at Hong Kong VPS options...
No need for that; caching static content on Qiniu or Upyun would solve it.
The site is hosted abroad... thinking about whether to move it back!
Attaching the configuration for duoshuo and cnzz:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://*.duoshuo.com https://*.cnzz.com; img-src 'self' data: https://*.duoshuo.com; style-src 'self' 'unsafe-inline' https://*.duoshuo.com; connect-src wss://*.duoshuo.com:* https://*.duoshuo.com";