Nginx - Remove HTTP header from response

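Hello everyone. I have the following question:

Is it possible to remove or change the value of a header that was added a few lines earlier?

The whole scenario is as follows:

Setup

my-website.com.conf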

...
server {
    ...
    # security
    include security.conf;
    ...
    location / {
        try_files $uri $uri/ /index.html;
    }
    ...
}
...

security.conf

# security headers
add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Referrer-Policy           "no-referrer-when-downgrade" always;
add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy        "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

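Problem

I want to either completely remove or change the value of the Content-Security-Policy header added in security.conf from within my-website.com.conf. Specifically, the part that needs to be changed/removed is frame-ancestors 'self'; because I want to be able to embed my site in an <iframe>.

The security.conf file is included in several other site configurations, so I would rather leave it as it is.

What I have tried

I tried the following changes, but none of them gave me the desired result.

my-website.com.conf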

...
server {
    ...
    # security
    include security.conf;

    # 1. Add header again with the correct value:
    add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline';" always;
    # Result: The header is set but this doesn't remove the original one, which means that
    #         now there are two headers that are contradicting each other which doesn't solve the problem.

    # 2. using proxy_hide_header
    proxy_hide_header Content-Security-Policy;
    # Result: Does literally nothing (I assume this only works in combination with proxy_pass)

    # 3. using more_clear_headers (from headers-more-nginx-module)
    more_clear_headers Content-Security-Policy;
    # Result: Also does literally nothing
    ...

    location / {
        try_files $uri $uri/ /index.html;
    }
}
...

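Question

So now the question again:

  • Is it possible to remove or change the value of a header that was added a few lines earlier?
  • If yes: how?
  • If not: why? Is it a technical problem? Is it security-related? Or is it simply not implemented?

Sorry for my bad English, and thank you in advance :)

Edit: The whole setup runs on Ubuntu 22.04 with Nginx version 1.18.0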
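
An added example, not part of the original post: browsers enforce every Content-Security-Policy header they receive, so a second header without frame-ancestors cannot relax the first one, which is the outcome described for attempt 1. The sketch below evaluates the two header values from the post against a parent origin. Assumptions: the two origins are constructed samples, source matching is simplified, and only a single embedding parent is checked.

```python
from urllib.parse import urlsplit

# Header values copied from the post; the two origins are constructed samples.
ORIGINAL = ("default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; "
            "frame-ancestors 'self';")
RELAXED = "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline';"
SITE = "https://my-website.com"
EMBEDDER = "https://embedder.example"

def parse_csp(value):
    """Parse one header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def source_matches(source, parent, self_origin):
    """Simplified matching: 'self', '*', scheme sources and exact origins only."""
    s = source.lower()
    if s == "'self'":
        return parent == self_origin
    if s == "*":
        return True
    if s.endswith(":"):                      # scheme source such as https:
        return parent.startswith(s + "//")
    return parent == s.rstrip("/")           # 'none' never equals an origin

def policy_allows_framing(policy, parent, self_origin):
    if "frame-ancestors" not in policy:      # no fallback to default-src
        return True
    return any(source_matches(s, parent, self_origin)
               for s in policy["frame-ancestors"])

def framing_allowed(header_values, parent_url, self_url=SITE):
    """A page may be framed only if every delivered policy permits the parent."""
    parent, me = origin(parent_url), origin(self_url)
    return all(policy_allows_framing(parse_csp(v), parent, me)
               for v in header_values)

if __name__ == "__main__":
    print("both headers:", framing_allowed([ORIGINAL, RELAXED], EMBEDDER))
    print("relaxed only:", framing_allowed([RELAXED], EMBEDDER))
```

Pass the Content-Security-Policy values actually returned for a page to `framing_allowed` to check whether a change to the configuration left more than one policy in the response.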
