#!/bin/bash
###########################################################
# 宝塔 Nginx 安全头一键加固脚本
# 适用:swhswl.com
# 作用:自动添加全套安全头,实现安全检测 A+
###########################################################
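set -euo pipefail

DOMAIN="swhswl.com"
NGINX_CONF="/www/server/panel/vhost/nginx/${DOMAIN}.conf"
# nginx binary used for the config check; override with NGINX_BIN=/path/to/nginx
# when the panel's scheduler runs this script with a PATH that lacks nginx.
NGINX_BIN="${NGINX_BIN:-nginx}"
# First line of the inserted block; also used to detect a previous run so a
# second run does not append the same add_header lines again.
readonly HEADER_MARKER='# 安全头加固 - 创世神一键脚本'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Abort early when the edit cannot succeed.
# Globals:   NGINX_CONF, NGINX_BIN (read)
# Returns:   0, or exits with a message on stderr
#######################################
preflight() {
  [[ -f "$NGINX_CONF" ]] || die "配置文件不存在: ${NGINX_CONF}"
  [[ -w "$NGINX_CONF" ]] || die "配置文件不可写(请以 root 运行): ${NGINX_CONF}"
  command -v "$NGINX_BIN" >/dev/null || die "找不到 nginx,无法校验配置: ${NGINX_BIN}"
}

#######################################
# Copy the vhost config to a timestamped backup next to it.
# Globals:   NGINX_CONF (read)
# Outputs:   backup path on stdout
# Returns:   0, or exits if the copy fails
#######################################
backup_conf() {
  local backup
  backup="${NGINX_CONF}.bak.$(date +%Y%m%d%H%M%S)"
  cp -f -- "$NGINX_CONF" "$backup" || die "备份失败: ${backup}"
  printf '%s' "$backup"
}

#######################################
# Insert the security headers after the server_name directive.
# Globals:   NGINX_CONF (read/written), HEADER_MARKER (read)
# Returns:   0; skips insertion when the marker is already present
#######################################
insert_headers() {
  # NOTE(review): these two deletions drop bare `listen 80;` / `listen 443;`
  # lines from the vhost. The server block shown later on this page keeps
  # `listen 80;`, and a server with no listen directive falls back to nginx's
  # default port, so confirm this is really wanted before running.
  sed -i '/listen 80;/d' "$NGINX_CONF"
  sed -i '/listen 443;/d' "$NGINX_CONF"

  if grep -qF -- "$HEADER_MARKER" "$NGINX_CONF"; then
    printf '%s\n' "安全头已存在,跳过插入: ${NGINX_CONF}" >&2
    return 0
  fi

  local snippet
  snippet=$(mktemp) || die "mktemp 失败"
  # Quoted delimiter: nothing inside is expanded, so the header values are
  # written exactly as shown.
  # - `preload` on HSTS is a commitment: once submitted to the preload list
  #   the domain and every subdomain are pinned to HTTPS for months, so keep
  #   it only if all subdomains already serve TLS.
  # - X-XSS-Protection is ignored by current browsers and Expect-CT is
  #   obsolete; both are harmless and only satisfy header scanners.
  cat >"$snippet" <<'EOF'
# 安全头加固 - 创世神一键脚本
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(),camera=(),microphone=()" always;
add_header Expect-CT "max-age=86400" always;
EOF
  # Anchor on the directive itself: a bare /server_name/ would also match
  # `$server_name` variable uses and commented-out lines.
  sed -i "/^[[:space:]]*server_name[[:space:]]/r ${snippet}" "$NGINX_CONF"
  rm -f -- "$snippet"
}

#######################################
# Entry point: back up, edit, validate, then restart nginx.
# Globals:   NGINX_CONF, NGINX_BIN, DOMAIN (read)
# Returns:   0 on success; exits non-zero (config restored) on failure
#######################################
main() {
  preflight
  local backup
  backup=$(backup_conf)
  insert_headers
  # Validate before restarting: a broken vhost would otherwise take every
  # site served by this nginx down, not just this one.
  if ! "$NGINX_BIN" -t; then
    cp -f -- "$backup" "$NGINX_CONF"
    die "nginx 配置校验失败,已从备份恢复: ${backup}"
  fi
  systemctl restart nginx
  echo "========================================"
  echo "✅ 安全头已一键配置完成!"
  echo "✅ 网站:${DOMAIN}"
  echo "✅ 配置文件:${NGINX_CONF}"
  echo "✅ 已自动备份原配置"
  echo "========================================"
}

main "$@"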
使用上面的脚本,或者直接用下面这个一键脚本:复制到宝塔 → 计划任务 → Shell 脚本 → 执行一次即可。

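ssl_session_timeout 10m;
# Security headers for the server block. `always` makes nginx emit each
# header on error responses (4xx/5xx) as well as on 2xx/3xx; without it the
# headers below were only sent on success responses, unlike the HSTS line.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Ignored by current browsers; kept only to satisfy header scanners.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;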

🧱 安全头缺失(高危):这个问题应该很多人都没有处理过,但它的确存在。
下面这个配置才是准确的。
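server {
    listen 80;
    listen 443 ssl;
    listen 443 quic;
    http2 on;
    server_name swhswl.com;

    # 安全头加固(精简兼容版,微信友好)
    # `always` sends each header on error responses (4xx/5xx) too.
    # NOTE: nginx does not inherit add_header into any location that sets its
    # own add_header. The included *.conf files below are not shown here, so
    # verify these headers are also present on PHP responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Ignored by current browsers; kept only to satisfy header scanners.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    index index.php index.html index.htm default.php default.htm default.html;
    root /home/www/wwwroot/swhswl.com/wordpress;

    #CERT-APPLY-CHECK--START
    include /www/server/panel/vhost/nginx/well-known/swhswl.com.conf;
    #CERT-APPLY-CHECK--END
    include /www/server/panel/vhost/nginx/extension/swhswl.com/*.conf;

    #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
    #error_page 404 /404.html;
    #HTTP_TO_HTTPS_START
    # Plain-HTTP requests are redirected to HTTPS, except ACME challenge paths
    # under /.well-known/ so certificate renewal keeps working over port 80.
    set $isRedcert 1;
    if ($server_port != 443) {
        set $isRedcert 2;
    }
    if ($uri ~ /\.well-known/ ) {
        set $isRedcert 1;
    }
    if ($isRedcert != 1) {
        # The capture must keep the leading slash: with `^/(.*)$` the target
        # became https://$host<path-without-slash>, e.g. https://swhswl.comabout.
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END

    ssl_certificate /www/server/panel/vhost/cert/swhswl.com/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/swhswl.com/privkey.pem;
    # TLS 1.1 is deprecated (RFC 8996) and caps the scan grade; allow 1.2+ only.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE-only suites: the RSA key-exchange entries offered no forward
    # secrecy and 3DES is flagged as weak by every scanner.
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES256:EECDH+AES128:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    # NOTE(review): ticket key is auto-generated unless ssl_session_ticket_key
    # is set — confirm this matches the intended key-rotation policy.
    ssl_session_tickets on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    #ERROR-PAGE-START 错误页配置,可以注释、删除或修改
    error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START PHP引用配置,可以注释或修改
    include enable-php-73.conf;
    #PHP-INFO-END

    #REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效
    include /www/server/panel/vhost/rewrite/swhswl.com.conf;
    #REWRITE-END

    # 禁止访问的敏感文件
    # NOTE(review): the pattern is unanchored, so each name matches anywhere in
    # the URI; `\.gitignore\.md` and `\.CLAUDE\.md` require a literal leading
    # dot and look unintended (`\.gitignore` / `CLAUDE\.md`?) — confirm.
    location ~* (\.user\.ini|\.htaccess|\.htpasswd|\.env|\.svn|\.git|\.bash_profile|\.bash_logout|\.DS_Store|\.gitignore\.md|\.CLAUDE\.md|\.CHANGELOG\.md|\.CHANGELOG|\.CONTRIBUTING\.json|\.composer\.lock|package(-lock)?\.json|\.yarn\.lock) {
        return 403;
    }
}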