1.点击劫持:X-Frame-Options 报头缺失
参考地址:https://www.cnblogs.com/lianzhilei/p/6429514.html
自己项目的解决办法,在Nginx中增加配置:add_header X-Frame-Options SAMEORIGIN;
2.未实施 HTTP 严格传输安全 (HSTS)
参考地址:https://www.cnblogs.com/xiewenming/p/7298893.html?utm_source=itdadao&utm_medium=referral
自己项目的解决办法,在Nginx中增加配置:add_header Strict-Transport-Security "max-age=63072000; includeSubDomains preload";
3.不安全的 Referrer Policy
参考地址:https://blog.csdn.net/liulangdewoniu/article/details/116459468
自己项目的解决办法,在Nginx中增加配置:add_header Referrer-Policy strict-origin-when-cross-origin;
4.未实施内容安全策略 (CSP)
参考地址:https://blog.csdn.net/liulangdewoniu/article/details/116459468
自己项目的解决办法,在Nginx中增加配置:add_header
Content-Security-Policy "default-src * 'self' 'unsafe-inline' data:;
worker-src * 'self' 'unsafe-inline' blob:; style-src * 'self'
'unsafe-inline'; img-src * 'self' 'unsafe-inline' data:; font-src data: *
'self' 'unsafe-inline'; frame-ancestors 'self'; script-src * 'self'
'unsafe-inline' 'unsafe-eval' static.e6yun.com;";