如何阻止 nginx 发送 Strict-Transport-Security 标头?

如何阻止 nginx 发送 Strict-Transport-Security 标头?

我最近使用 nginx 反向代理为我的网站添加了 https 支持。

我的配置中没有该add_header Strict-Transport-Security ...行。即便如此,我也可以Strict-Transport-Security: max-age=86400在响应标头中看到。

如果我添加add_header Strict-Transport-Security "max-age=0; includeSubDomains";我的配置,我会得到响应中的标题!!:

HTTP/1.1 200 OK
* Server nginx/1.11.12 is not blacklisted
Server: nginx/1.11.12
Date: Fri, 07 Apr 2017 11:46:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 37
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, Content-Length, X-Requested-With
X-DNS-Prefetch-Control: off
X-Frame-Options: DENY
Strict-Transport-Security: max-age=86400
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Surrogate-Control: no-store
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Vary: Accept-Encoding
Strict-Transport-Security: max-age=0; includeSubDomains

我该如何解决?

答案1

哦,当我的应用服务器发现自己处于安全连接时,它发出了第一个标头。

任何使用helmet插件的人,请参考在您的应用程序中进行管理。

相关内容