Setting HSTS & CSP on the Kubernetes Nginx Ingress

How HSTS works (in Chinese):
https://zhuanlan.zhihu.com/p/130946490

Add the following to the Ingress annotations. The snippet is inserted into the location block that ingress-nginx generates for the Ingress; more_set_headers comes from the headers-more module bundled with ingress-nginx and, unlike add_header, replaces any existing value and is applied to error responses as well:

    metadata:
      annotations:
        nginx.ingress.kubernetes.io/configuration-snippet: |
          more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";

Two caveats. First, ingress-nginx already sends Strict-Transport-Security on TLS responses by default (controller ConfigMap keys hsts, hsts-max-age, hsts-include-subdomains and hsts-preload, with a default max-age of 15724800 seconds), so the snippet is only needed to raise max-age to the one year the preload list requires and to add preload; the same result can be had by setting hsts-max-age: "31536000" and hsts-preload: "true" in the controller ConfigMap, with no snippet at all. Second, snippet annotations are disabled by default on controller releases from v1.9.0 onward (allow-snippet-annotations: "true" must be set in the controller ConfigMap, and newer releases additionally gate them behind annotations-risk-level), because a snippet lets anyone who can create an Ingress inject arbitrary nginx directives into the shared controller. Only add preload once every subdomain is served over HTTPS: a preloaded domain is slow and painful to remove from browser lists.

Test the HSTS max-age with:

https://domsignal.com/hsts-test

Test against the https:// endpoint. The header is only emitted on TLS responses and browsers ignore it over plain HTTP, so curl -sI http://... will not show it.

Reference thread: https://stackoverflow.com/questions/49761430/kubernetes-ingress-not-enforcing-inserting-hsts-into-headers

How Content Security Policy works (in Chinese):
https://juejin.cn/post/7125310494855921700

Generate a CSP with the following tool:
https://report-uri.com/home/generate

Add the following to the Ingress annotations. configuration-snippet is a single annotation key, so a second copy of it replaces the first: the Strict-Transport-Security line from the HSTS section has to be merged into this same snippet rather than kept in a separate annotations block.

    metadata:
      annotations:
        nginx.ingress.kubernetes.io/configuration-snippet: |
          more_set_headers "server: hide";
          more_set_headers "X-Content-Type-Options: nosniff";
          more_set_headers "X-Frame-Options: DENY";
          more_set_headers "X-Xss-Protection: 0";
          more_set_headers "Content-Security-Policy: default-src * 'self' 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' yourdomain.com googleapis.com tapfiliate.com";
          more_set_headers "Cross-Origin-Resource-Policy: cross-origin";

Notes on these lines:

CSP source lists are whitespace-separated. The original line joined the hosts with commas; nginx passes that through verbatim and a browser then sees one invalid host token instead of three hosts, so the commas are replaced with spaces above.

As written, the policy is close to a no-op: default-src with * plus 'unsafe-inline' and 'unsafe-eval' permits scripts from any origin and inline scripts, which is exactly what an XSS payload needs. Treat it as a template. Use the generator above to build an explicit allow-list (script-src, style-src, img-src, connect-src with named hosts), drop * and the unsafe-* keywords, move the frame restriction into frame-ancestors 'none', and roll the policy out first as Content-Security-Policy-Report-Only with a report-uri / report-to endpoint so that real violations can be seen before anything is blocked.

"server: hide" only overwrites the Server header's value with the literal string hide; more_clear_headers Server; removes the header entirely. X-Xss-Protection: 0 is the right value, since it disables the legacy browser XSS auditor rather than relying on it. X-Frame-Options: DENY is the legacy equivalent of frame-ancestors 'none' and is kept for older browsers. Cross-Origin-Resource-Policy: cross-origin is the most permissive value and only makes sense for assets that are meant to be embedded by other origins; same-site or same-origin is the safer default for an application's own responses.

Test the CSP with:
https://domsignal.com/csp-test

Reference article: https://medium.com/@muhammadjameeghauri/enhancing-kubernetes-ingress-security-with-nginx-and-content-security-policy-fd22dbf3a004
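The two online testers only check a live site. The following is an added example, not code from the original post or from ingress-nginx, that performs the same checks offline so they can be run in CI against the headers an Ingress is expected to return: it parses Strict-Transport-Security and reports anything that would block preload-list submission, parses the CSP and flags comma-joined hosts and sources that neutralise the policy, and checks the companion headers. The two header maps are constructed samples: one mirrors what a snippet like the one above emits, deliberately including the comma-joined CSP host list, and the other carries a tightened policy whose hostnames (apis.google.com, fonts.googleapis.com, fonts.gstatic.com) are placeholders. fetch_headers is the only part that touches the network and is not used by the samples.

```python
"""Offline audit of the security headers an ingress-nginx snippet is meant to emit.

Added example, not code from the original post.  PAGE_HEADERS and HARDENED_HEADERS
are constructed samples, not responses captured from a real cluster.
"""
import urllib.request
from typing import Dict, List

# One year in seconds: the minimum max-age hstspreload.org accepts for submission.
PRELOAD_MIN_MAX_AGE = 31536000

# Sources that make default-src / script-src effectively open.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    hsts = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            hsts["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            hsts["include_subdomains"] = True
        elif name == "preload":
            hsts["preload"] = True
    return hsts


def check_hsts(value: str) -> List[str]:
    """Findings that would block preload-list submission; empty means ready."""
    hsts = parse_hsts(value)
    findings = []
    if hsts["max_age"] is None:
        findings.append("HSTS: max-age missing")
    elif hsts["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {hsts['max_age']} is below {PRELOAD_MIN_MAX_AGE}")
    if not hsts["include_subdomains"]:
        findings.append("HSTS: includeSubDomains missing")
    if not hsts["preload"]:
        findings.append("HSTS: preload missing")
    return findings


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [sources]}.  Directives are ';'-separated;
    sources inside a directive are whitespace-separated (never commas)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value: str) -> List[str]:
    """Flag syntax slips and sources that neutralise the policy."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("CSP: no default-src fallback")
    for directive, sources in policy.items():
        for src in sources:
            if "," in src:
                findings.append(f"CSP: {directive} source {src!r} contains a comma; sources are space-separated")
            elif directive in ("default-src", "script-src") and src.lower() in WEAK_SOURCES:
                findings.append(f"CSP: weak source {src} in {directive}")
    return findings


def check_response(headers: Dict[str, str]) -> List[str]:
    """Audit one response's headers; header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    else:
        findings.append("HSTS: header absent (check you tested the https:// endpoint)")
    if "content-security-policy" in h:
        findings += check_csp(h["content-security-policy"])
    else:
        findings.append("CSP: header absent")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers (network access; not used by the samples below)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample mirroring the post's snippet, including its comma-joined CSP hosts.
PAGE_HEADERS = {
    "Server": "hide",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "0",
    "Content-Security-Policy": "default-src * 'self' 'unsafe-inline' 'unsafe-hashes' 'unsafe-eval' "
                               "yourdomain.com,googleapis.com,tapfiliate.com",
    "Cross-Origin-Resource-Policy": "cross-origin",
}

# Constructed sample with an explicit allow-list; the hostnames are placeholders.
HARDENED_HEADERS = {
    **PAGE_HEADERS,
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://apis.google.com; "
                               "style-src 'self' https://fonts.googleapis.com; "
                               "font-src https://fonts.gstatic.com; img-src 'self' data:; "
                               "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, headers in (("post snippet", PAGE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {check_response(headers) or ['no findings']}")
```

Run against a live Ingress with check_response(fetch_headers("https://yourdomain.com/")); a non-empty list is what the online testers would also complain about, and the comma finding in particular is one the browser reports only as a silently ignored source.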
