When my web application was scanned with AppScan, it reported a medium-risk finding. The message was:
CORS policy set according to an arbitrary Origin header
URL
http://192.168.200.128/ >> 192.168.200.128
What did AppScan change in the test request?
Added the HTTP header "Origin": "http://bogus.hcl.com" (variant ID: 167)
Why did AppScan report this issue?
AppScan detected that the "Access-Control-Allow-Origin" header is too permissive
HTTP/1.1 200
Date: Thu, 09 May 2024 05:03:25 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
nonce: 1231231231231231232
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://bogus.hcl.com
Access-Control-Allow-Origin: http://192.168.200.128/
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1;mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Security-Policy: object-src 'self';img-src 'self' http://www.w3.org/2000/svg data:;font-src 'self' 'unsafe-inline' ;script-src 'strict-dynamic' 'unsafe-eval' 'nonce-a674350383b389c586569f7a79a6112a';style-src 'strict-dynamic' 'unsafe-eval' 'nonce-a674350383b389c586569f7a79a6112a'
My nginx.conf is configured as follows:
server {
listen 80;
server_name localhost;
#add_header Content-Security-Policy "default-src 'none';script-src 'self' 'nonce-$ssl_session_id';style-src 'self' 'nonce-lkj9087v2d3u9d'";
add_header Content-Security-Policy "object-src 'self';img-src 'self' http://www.w3.org/2000/svg data:;font-src 'self' 'unsafe-inline' ;script-src 'strict-dynamic' 'unsafe-eval' 'nonce-$request_id';style-src 'strict-dynamic' 'unsafe-eval' 'nonce-$request_id'";
add_header X-Xss-Protection "1;mode=block";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Referrer-Policy "origin";
add_header X-Download-Options "noopen";
add_header X-Permitted-Cross-Domain-Policies "none";
add_header 'Access-Control-Allow-Origin' 'http://192.168.200.128/';
#add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,web-token,app-token,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
server_tokens off;
more_clear_headers 'Server';
location / {
if ($request_uri ~* \.(php|zip|arj|lzma|wim|war|ear|ar|gz|rac|tar|txt|arc|ARC)$) {
return 403;
}
root /home/dist;
try_files $uri $uri/ /index.html;
index index.html index.htm;
}
}
How should I modify it?
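An added example, not part of the original post: it reproduces the AppScan check offline against the response headers quoted above, and shows the exact-match origin allowlist an origin server should apply instead of echoing the request's Origin. It assumes the reflected "http://bogus.hcl.com" value comes from the upstream application (nginx's add_header only appends the fixed value), and the ALLOWED_ORIGINS set is a hypothetical allowlist.

```python
from urllib.parse import urlsplit

# Constructed from the scan response in the post (only the CORS-relevant lines).
SCAN_RESPONSE = """HTTP/1.1 200
Vary: Origin
Access-Control-Allow-Origin: http://bogus.hcl.com
Access-Control-Allow-Origin: http://192.168.200.128/
Access-Control-Allow-Credentials: true
"""


def parse_headers(raw):
    """Return (name, value) pairs for each header line, names lower-cased."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cors_findings(raw, probe_origin):
    """AppScan-style check: which CORS weaknesses does this response show?"""
    h = parse_headers(raw)
    acao = [v for n, v in h if n == "access-control-allow-origin"]
    creds = any(n == "access-control-allow-credentials" and v.lower() == "true"
                for n, v in h)
    findings = []
    if probe_origin in acao:
        findings.append("reflects arbitrary Origin")
    if "*" in acao:
        findings.append("wildcard origin")
    if len(acao) > 1:
        findings.append("multiple ACAO headers")  # nginx add_header appended to upstream's
    if creds and findings:
        findings.append("with credentials")
    return findings


# Hypothetical allowlist: exact scheme://host[:port] as a browser serializes Origin.
# Note the nginx value "http://192.168.200.128/" has a trailing slash and would
# never byte-match a browser's Origin, so that header is effectively useless.
ALLOWED_ORIGINS = {"http://192.168.200.128"}


def allow_origin_header(request_origin):
    """Allowlist decision: exact-match the serialized origin, never echo it back."""
    if not request_origin:
        return None
    parts = urlsplit(request_origin)
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return None  # "null", bare hosts and "http://host/" are not valid Origin values
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    return origin if origin in ALLOWED_ORIGINS else None
```

cors_findings() flags the post's response as reflecting the probe origin with credentials; allow_origin_header() rejects it and also rejects prefix look-alikes such as 192.168.200.128.evil.example.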