1. #X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
2. #add_header X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
3. #Strict-Transport-Security (HSTS) 的玩意兒,
來告訴 client 說我們接下來的溝通都使用 https吧
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header Referrer-Policy Referrer-Policy unsafe-url;
5. #網站不能被勘入
add_header X-Frame-Options SAMEORIGIN;
6. #修改一些 用不到的權限
add_header Feature-Policy "geolocation *;midi *;notifications *;push *;sync-xhr *;microphone none;camera none;magnetometer none;gyroscope none;speaker *;vibrate *;fullscreen *;payment *;";
7. #csp 預設打開 不限制
add_header Content-Security-Policy: default-src ;
8. # 不秀 nginx version
server_tokens off;
https://securityheaders.com/ 最後這個網站 可以幫你驗證設定