I just ran a test with Nikto2, a web security scanning tool,
and got the following results:
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'gitee.fyping.cn' does not match certificate's names:
X-Frame-Options: prevents clickjacking attacks
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
X-XSS-Protection: stops the page from loading when a cross-site scripting (XSS) attack is detected
It does the same job as Content-Security-Policy, but Content-Security-Policy is not supported by some older browsers.
Strict-Transport-Security: tells the browser that it must use HTTPS to transfer content
Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age= ; includeSubDomains
Strict-Transport-Security: max-age= ; preload
Expect-CT: ensures the certificate appears in the logs listed at https://www.certificate-transparency.org/known-logs
X-Content-Type-Options: indicates that the MIME type advertised in the Content-Type header should not be changed by the browser
X-Content-Type-Options: nosniff
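As an added example that is not part of the original post and not Nikto's own code, the following Python script does two things with the headers discussed above: it audits a response's headers the way a scanner does, flagging weak values as well as absent headers, and it shows a WSGI middleware that sets them. The one-year HSTS minimum, the sample application and the response headers it produces are assumptions of the example, not values taken from the post.

```python
"""Added example (not Nikto's code and not from the original post): audit HTTP
response headers for the hardening headers listed above, plus a WSGI middleware
that adds them. Every sample response below is constructed."""
import re
from typing import Dict, List
from wsgiref.util import setup_testing_defaults

# Minimum HSTS lifetime this example insists on: one year in seconds.  This is
# the example's own policy choice, not a value stated in the original post.
HSTS_MIN_AGE = 31536000


def audit_security_headers(headers: Dict[str, str], uses_tls: bool = True) -> List[str]:
    """Return one finding per missing or weakly configured header.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    # X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers;
    # the old ALLOW-FROM form is ignored, which leaves the page frameable.
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header is not present")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    # X-Content-Type-Options: 'nosniff' is the only value that does anything.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options header is not set")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")

    if uses_tls:
        # HSTS only matters on TLS sites, and only with a max-age long enough
        # that the browser keeps the policy between visits.
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security header is not defined")
        else:
            match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
            if match is None:
                findings.append("Strict-Transport-Security has no max-age directive")
            elif int(match.group(1)) < HSTS_MIN_AGE:
                findings.append(
                    f"Strict-Transport-Security max-age={match.group(1)} is below {HSTS_MIN_AGE}")
        if "expect-ct" not in h:
            findings.append("Expect-CT header is not present")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection header is not defined")
    return findings


class SecurityHeadersMiddleware:
    """WSGI middleware that adds the hardening headers to every response
    without overriding a header the application already set itself."""

    DEFAULTS = {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": f"max-age={HSTS_MIN_AGE}; includeSubDomains",
        "Expect-CT": "max-age=86400, enforce",
        "X-XSS-Protection": "1; mode=block",
    }

    def __init__(self, app, overrides: Dict[str, str] = None):
        self.app = app
        self.headers = {**self.DEFAULTS, **(overrides or {})}

    def __call__(self, environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            headers = list(headers)
            present = {name.lower() for name, _ in headers}
            for name, value in self.headers.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_headers)


def bare_app(environ, start_response):
    """Constructed stand-in for an application that sets no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def response_headers(app) -> Dict[str, str]:
    """Run a WSGI app once against a constructed environ and return its headers."""
    environ: Dict[str, object] = {}
    setup_testing_defaults(environ)
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    for label, app in (("bare", bare_app), ("hardened", SecurityHeadersMiddleware(bare_app))):
        print(f"{label}: {audit_security_headers(response_headers(app)) or ['no findings']}")
```

Run it with python3 to see the bare application produce five findings (the same five headers Nikto reported above) and the wrapped one produce none. Two caveats worth keeping in mind when acting on such a report: current browsers no longer honour X-Frame-Options: allow-from (the frame-ancestors directive of Content-Security-Policy is the replacement), and both X-XSS-Protection and Expect-CT are deprecated, so the audit reports them only because scanners such as Nikto still do.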