一、基线头集合

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy: default-src 'none'; script-src 'self' 'strict-dynamic'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'none'

Referrer-Policy: no-referrer

X-Content-Type-Options: nosniff

Permissions-Policy: camera=(), microphone=(), geolocation=()

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Embedder-Policy: require-corp

二、灰度切换中间件

type Res = { setHeader: (k: string, v: string) => void }

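/**
 * CSP shared by both rollout stages: deny by default, same-origin script /
 * connect / img / style, and no framing at all.
 */
const CSP_BASE =
  "default-src 'none'; script-src 'self' 'strict-dynamic'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'none'"

/**
 * Headers whose value is identical in the baseline and strict stages, in the
 * order they are emitted (after HSTS and CSP).
 */
const COMMON_HEADERS: ReadonlyArray<readonly [string, string]> = [
  ['Referrer-Policy', 'no-referrer'],
  ['X-Content-Type-Options', 'nosniff'],
  ['Permissions-Policy', 'camera=(), microphone=(), geolocation=()'],
  ['Cross-Origin-Opener-Policy', 'same-origin'],
  ['Cross-Origin-Embedder-Policy', 'require-corp'],
]

/**
 * Emits one complete header set: the stage-specific HSTS and CSP values first,
 * then the common headers. Emission order matches the original per-stage
 * functions so observers of header order see no change.
 *
 * @param res  response exposing setHeader
 * @param hsts value for Strict-Transport-Security
 * @param csp  value for Content-Security-Policy
 */
function applyHeaderSet(res: Res, hsts: string, csp: string): void {
  res.setHeader('Strict-Transport-Security', hsts)
  res.setHeader('Content-Security-Policy', csp)
  for (const [name, value] of COMMON_HEADERS) res.setHeader(name, value)
}

/**
 * Baseline stage: one-year HSTS (with includeSubDomains + preload) and the
 * core CSP, no violation reporting.
 *
 * NOTE(review): 'strict-dynamic' makes CSP3 browsers ignore 'self' in
 * script-src, so scripts only execute if a nonce or hash is also emitted —
 * nothing in this middleware adds one. Confirm how the page's scripts are
 * loaded before rolling this out, or pages may render with no JS.
 *
 * @param res response to stamp
 */
function applyBaseline(res: Res): void {
  applyHeaderSet(res, 'max-age=31536000; includeSubDomains; preload', CSP_BASE)
}

/**
 * Strict stage: two-year HSTS and the core CSP extended with
 * `report-to csp-endpoint`.
 *
 * NOTE(review): `report-to` only delivers reports if a Reporting-Endpoints
 * (or legacy Report-To) header declares the `csp-endpoint` group. This
 * middleware sets neither, so violation reports are silently dropped until
 * the endpoint declaration is added alongside this header.
 *
 * @param res response to stamp
 */
function applyStrict(res: Res): void {
  applyHeaderSet(res, 'max-age=63072000; includeSubDomains; preload', CSP_BASE + '; report-to csp-endpoint')
}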

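/**
 * Builds a (req, res, next) middleware that stamps the header set for the
 * given rollout stage on every response it sees.
 *
 * @param stage 'baseline' selects applyBaseline; 'strict' selects applyStrict
 * @returns a handler that sets the headers and then calls next()
 */
function headersMiddleware(stage: 'baseline' | 'strict') {
  // Pick the header set once at construction rather than on every request.
  // Anything that is not exactly 'baseline' (e.g. a stale config value that
  // slipped past the type) falls to the strict set, so a misconfiguration
  // fails toward the tighter policy, never the looser one.
  const apply = stage === 'baseline' ? applyBaseline : applyStrict
  return function (_req: unknown, res: Res, next: (err?: unknown) => void): void {
    // Headers are set before the chain continues, so downstream handlers run
    // with the policy already on the response.
    apply(res)
    next()
  }
}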

三、验收清单

HSTS 开启并包含 `includeSubDomains; preload`，且仅在 HTTPS 环境发布；CSP 语法正确且默认拒绝（`default-src 'none'`）。`nosniff` 与 `no-referrer` 设置一致；Permissions-Policy 最小化权限集合。灰度切换生效并带 `report-to`（需同时声明 `csp-endpoint` 对应的上报端点，否则报告不会送达）；COOP/COEP 组合提升跨源隔离。
