Handling low-severity website vulnerabilities with the pseudo-static (URL rewrite) feature

Many websites that are scanned by third-party platforms come back with a long list of low-severity findings; this is especially common when the check is done with NSFOCUS (绿盟). It happens on Linux servers and on virtual (shared) hosts alike. The typical findings are missing security response headers, cookies without the HttpOnly flag, and the TRACE/OPTIONS methods being enabled. All of them can be fixed through the host's pseudo-static (URL rewrite) configuration, as described below for each platform.
Windows hosts
On a Windows host, add the following rules to web.config in the wwwroot directory:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<!-- httpOnlyCookies adds the HttpOnly flag to cookies issued by ASP.NET; requireSSL adds the Secure flag,
     which is only correct when the site is served over HTTPS. On a plain-HTTP site remove requireSSL,
     otherwise browsers will never send the cookies back and logins will stop working. -->
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<!-- Reject the TRACE and OPTIONS methods. Note that blocking OPTIONS also blocks CORS preflight
     requests; leave it allowed if the site serves cross-origin API calls. -->
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false"/>
<add verb="TRACE" allowed="false"/>
</verbs>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<!-- Finding: X-Content-Type-Options response header missing -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- Finding: X-XSS-Protection response header missing -->
<add name="X-XSS-Protection" value="1; mode=block" />
<!-- Finding: Content-Security-Policy response header missing.
     'unsafe-inline' keeps sites with inline scripts and styles working, but it removes most of the
     XSS protection a CSP gives; tighten the policy once the inline code has been moved into files. -->
<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' ; img-src 'self' data:" />
<!-- Finding: Strict-Transport-Security response header missing (only meaningful on an HTTPS site) -->
<add name="Strict-Transport-Security" value="max-age=31536000" />
<!-- Finding: Referrer-Policy response header missing (same policy as the Linux and NGINX rules below) -->
<add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
<!-- Finding: X-Permitted-Cross-Domain-Policies response header missing -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- Finding: X-Download-Options response header missing -->
<add name="X-Download-Options" value="noopen" />
<!-- Clickjacking: X-Frame-Options not configured -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
<rewrite>
<outboundRules>
<!-- Append "; HttpOnly" to every Set-Cookie header that does not already carry it. This also covers
     cookies set by application code that bypasses the httpCookies setting above. -->
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
Note: each rule must be placed under the correct parent node (for example <customHeaders> inside <httpProtocol>, which in turn sits inside <system.webServer>); a misplaced rule or malformed XML makes the whole site fail to open. If the site already has a web.config, merge these entries into its existing <system.web> and <system.webServer> sections instead of adding a second copy of a section, because a duplicated section also stops the site with a configuration error.
Linux hosts
On a Linux host, add the following rules to .htaccess in the wwwroot directory:
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' ; img-src 'self' data:"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set X-Permitted-Cross-Domain-Policies "master-only"
Header set X-Download-Options "noopen"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
RewriteEngine On
# Reject TRACE and OPTIONS requests with 403. TraceEnable Off is not allowed in .htaccess,
# so mod_rewrite is used instead. Blocking OPTIONS also blocks CORS preflight requests.
RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS)$
RewriteRule .* - [F,L]

Note: on some hosting setups (including the one this article assumes), .htaccess rules only take effect for static files and not for pages generated by PHP, so the same headers and cookie flags must also be set in the PHP code:
<?php
// Cookie settings must be applied before session_start(), and header() calls must come
// before any output (no HTML or whitespace before this block).
// Secure flag on the session cookie: enable only once the site is served over HTTPS,
// otherwise browsers will not send the cookie back.
// ini_set("session.cookie_secure", "1");
// HttpOnly flag on the session cookie
ini_set("session.cookie_httponly", "1");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Content-Security-Policy: default-src 'self' 'unsafe-inline' ; img-src 'self' data:");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("X-Permitted-Cross-Domain-Policies: master-only");
header("X-Download-Options: noopen");
header("X-Frame-Options: SAMEORIGIN");
?>

NGINX rules
Add the following to the server { } block of the site's configuration file:

# Caution: nginx add_header directives are not inherited into a location { } block that contains
# its own add_header; repeat them in such blocks, otherwise those URLs are served without them.
add_header Cross-Origin-Opener-Policy "same-origin";
# require-corp blocks cross-origin images, scripts and frames that do not send CORP or CORS headers;
# test the site with it before leaving it enabled.
add_header Cross-Origin-Embedder-Policy "require-corp";
add_header Cross-Origin-Resource-Policy "same-origin";
# Clear-Site-Data on every response wipes the visitor's cache, cookies and storage on each request,
# which logs every user out on every page load. Send it only from a logout endpoint, never site-wide:
# add_header Clear-Site-Data '"cache", "cookies", "storage"';
add_header Permissions-Policy "camera=(self), microphone=(self), autoplay=(self), picture-in-picture=(self), fullscreen=(self), display-capture=(), geolocation=()";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' ; img-src 'self' data:";
add_header X-Download-Options "noopen";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Permitted-Cross-Domain-Policies "none";
add_header X-XSS-Protection "1; mode=block";

Note: on both Windows and Linux hosts, web.config and .htaccess rules take effect as soon as the file is saved; no other settings are needed. NGINX only reads its configuration at start-up, so after editing run `nginx -t` to check the syntax and then `nginx -s reload`.
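To confirm that the rules above actually reached the browser, and to see what the scanner is checking for, the following Python script is an added example for this article; it is not code from the original page, from the hosting provider, or from any scanner vendor. It parses a raw HTTP response, such as the output of `curl -si https://your-site/ > resp.txt`, and reports which of the headers listed in this article are missing or malformed and which cookies lack the HttpOnly or Secure flag. The two sample responses embedded in it are constructed for illustration, and the accepted header values mirror the ones used in this article.

```python
"""Check an HTTP response for the low-severity scanner findings this article fixes.

Usage: python audit_headers.py resp.txt   (resp.txt = output of `curl -si https://host/`)
Without an argument it audits the constructed "before" sample below.
"""
import sys


def _norm(value: str) -> str:
    # Compare header values case-insensitively and with spaces removed, so both
    # spellings used in the article ("1;mode=block" and "1; mode=block") pass.
    return value.replace(" ", "").lower()


# Header names the article's rules add, each with a loose validity check.
REQUIRED_HEADERS = {
    "x-content-type-options": lambda v: _norm(v) == "nosniff",
    "x-frame-options": lambda v: _norm(v) in ("deny", "sameorigin"),
    "content-security-policy": lambda v: "default-src" in _norm(v),
    "strict-transport-security": lambda v: "max-age=" in _norm(v),
    "referrer-policy": lambda v: _norm(v) != "",
    "x-permitted-cross-domain-policies": lambda v: _norm(v) in ("none", "master-only"),
    "x-download-options": lambda v: _norm(v) == "noopen",
    "x-xss-protection": lambda v: _norm(v) == "1;mode=block",
}


def parse_response(raw: str):
    """Return (status_line, [(header_name_lower, value), ...]) from a raw HTTP response.

    Headers are kept as a list rather than a dict so that several Set-Cookie
    headers in one response are all inspected.
    """
    raw = raw.replace("\r\n", "\n")
    head = raw.split("\n\n", 1)[0]          # headers end at the first blank line
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue                        # tolerate stray non-header lines
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw: str) -> dict:
    """Report missing/weak security headers and cookies without HttpOnly/Secure."""
    _, headers = parse_response(raw)
    present = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)

    findings = {"missing": [], "weak": [], "cookies": []}
    for name, is_ok in REQUIRED_HEADERS.items():
        if name not in present:
            findings["missing"].append(name)
        elif not any(is_ok(v) for v in present[name]):
            findings["weak"].append(name)   # present, but the value would not satisfy the scanner

    for cookie in present.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings["cookies"].append(f"{cookie_name}: missing HttpOnly")
        if "secure" not in attrs:
            findings["cookies"].append(f"{cookie_name}: missing Secure")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response after the article's rules, with one deliberate typo
# ("mode=bloc") left in so the value check, not just the presence check, is exercised.
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=constructed123; path=/; HttpOnly; Secure\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=bloc\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline' ; img-src 'self' data:\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    raw = SAMPLE_BEFORE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            raw = f.read()
    result = audit(raw)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if any(result.values()) else 0)
```

Run it against a saved `curl -si` capture of the home page and of a PHP page separately: on hosts where .htaccess only covers static files, the static page will pass while the PHP page still shows missing headers, which is exactly the case the PHP snippet above is for.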