Basic HTTP headers for web security

I just ran a test with Nikto2, the web security scanner,

and got the following results

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'gitee.fyping.cn' does not match certificate's names:


X-Frame-Options prevents clickjacking by telling the browser whether the page may be rendered inside a frame, iframe, embed or object

	X-Frame-Options: deny
	X-Frame-Options: sameorigin
	X-Frame-Options: allow-from https://example.com/

Only deny and sameorigin are reliable; allow-from is obsolete and most browsers never implemented it, so an allow-list of framing origins should be expressed with Content-Security-Policy: frame-ancestors instead (which also takes precedence over X-Frame-Options where both are present)
	


X-XSS-Protection asks the browser's built-in reflected-XSS filter to block the page from loading when it detects a cross-site scripting attack

It is not equivalent to Content-Security-Policy: it is a legacy heuristic filter that was only ever useful in old browsers without CSP support, modern Chromium-based browsers have removed it and Firefox never implemented it, and the filter itself has been abused for information leaks. The usual recommendation today is X-XSS-Protection: 0 together with a real Content-Security-Policy



Strict-Transport-Security (HSTS) tells the browser that, for max-age seconds, it must only talk to this host over https (plain http URLs are upgraded before the request is sent, and certificate errors cannot be clicked through)

Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age is in seconds (31536000 here is one year). The header is only honored when received over a valid https connection, so it cannot protect the very first plain-http visit; preload fixes that by shipping the host in the browsers' built-in list, which requires includeSubDomains, a max-age of at least one year and a submission at hstspreload.org


Expect-CT tells the browser to require that the site's certificate appears in public Certificate Transparency logs (see https://www.certificate-transparency.org/known-logs), either reporting or enforcing. The header is deprecated: browsers now enforce CT by default for all publicly trusted certificates issued since 2018, and Chrome no longer honors the header at all, so this Nikto finding can be ignored



X-Content-Type-Options tells the browser that the MIME type advertised in the Content-Type header is authoritative and must not be changed by content sniffing (otherwise e.g. a user-uploaded "image" containing HTML or JavaScript may be executed as such)

X-Content-Type-Options: nosniff
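The check below is an added example, not code from the original post and not Nikto's own logic. It parses a raw HTTP response, reports the same classes of finding that Nikto printed above, and additionally validates the header values according to the notes in this post (obsolete allow-from, legacy X-XSS-Protection, non-numeric or short HSTS max-age, deprecated Expect-CT, missing nosniff). The two sample responses are constructed for the example and were not captured from gitee.fyping.cn.

```python
"""Offline audit of the security headers discussed above.

Added example: parses a raw HTTP response and evaluates the headers the
post covers. Both responses below are constructed, not captured.
"""
import re

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age accepted for preloading

# Constructed "before" response: legacy filter on, obsolete allow-from, no HSTS, no nosniff.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: allow-from https://example.com/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed "after" response with the settings recommended in the post.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "X-XSS-Protection: 0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Map lowercased header names to their values from a raw HTTP response."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw, over_tls=True):
    """Return a list of findings, one string per problem, like Nikto's '+' lines."""
    h = parse_headers(raw)
    findings = []

    # Clickjacking: either X-Frame-Options or CSP frame-ancestors must be present.
    xfo = h.get("x-frame-options")
    csp = h.get("content-security-policy", "")
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options missing and no CSP frame-ancestors: clickjacking possible")
    elif xfo is not None and xfo.lower() not in ("deny", "sameorigin"):
        # allow-from is obsolete and unimplemented in most browsers.
        findings.append(f"X-Frame-Options value '{xfo}' is not DENY/SAMEORIGIN; use CSP frame-ancestors")

    # Legacy XSS filter: anything other than '0' enables a removed/abusable heuristic.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection enabled: legacy filter, set it to 0 and rely on CSP")

    # HSTS only matters (and is only honored) on https responses.
    if over_tls:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing on an HTTPS site")
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.I)
            if not m:
                findings.append("Strict-Transport-Security has no numeric max-age")
            elif int(m.group(1)) < ONE_YEAR:
                findings.append(f"Strict-Transport-Security max-age={m.group(1)} is below one year")

    # Expect-CT is deprecated; its presence is harmless but its absence is not a finding.
    if "expect-ct" in h:
        findings.append("Expect-CT present: deprecated header, CT is enforced by default now")

    # MIME sniffing: value comparison is case-insensitive.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for f in audit(resp):
            print("+", f)
```

Run it directly to see the four findings for the weak response and none for the hardened one; to audit a live site, feed `audit()` the raw response text from an https fetch and keep `over_tls=True` so the HSTS check applies.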