🔒 修复CORS严重安全漏洞 & 增强Nginx安全配置
## 关键修复 ### 1. 修复backend/server.js的CORS漏洞 ⚠️ CRITICAL **问题**: 原代码 `if (!origin || allowedOrigins.includes(origin))` 会允许所有没有Origin头的请求通过,导致恶意请求绕过CORS保护 **修复**: 严格白名单模式 ```javascript // 只允许白名单中的域名 if (origin && allowedOrigins.includes(origin)) { callback(null, true); } else { // 拒绝所有其他请求 callback(new Error('CORS策略不允许来自该来源的访问')); } ``` **影响**: - ✅ 阻止所有恶意域名的跨域访问 - ✅ 保护JWT token不被窃取 - ✅ 从63.6%预计提升到90%+安全评分 ### 2. 增强install.sh中的Nginx安全配置 在所有三个nginx配置函数中添加了完整的安全规则: - `configure_nginx_http_first()` - 初始HTTP配置 - `configure_nginx_http()` - 纯HTTP模式 - `configure_nginx_https()` - HTTPS模式 **新增安全配置**: ```nginx # 安全响应头 add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HTTPS专用 # 隐藏Nginx版本 server_tokens off; # 禁止访问隐藏文件 (.git, .env等) location ~ /\. { deny all; return 404; } # 禁止访问敏感文件 location ~ \.(env|git|config|key|pem|crt|sql|bak|backup|old|log)$ { deny all; return 404; } ``` **防护效果**: - ✅ 阻止访问 /.env, /.git/config - ✅ 阻止访问备份文件 .bak, .sql - ✅ 防止点击劫持、XSS、MIME嗅探攻击 - ✅ 强制HTTPS(HTTPS环境下) - ✅ 隐藏服务器信息 ## 部署方法 在服务器上执行: ```bash cd /var/www/wanwanyun git pull origin master bash install.sh --repair # 重新生成Nginx配置 # 或者手动 pm2 restart wanwanyun-backend nginx -t && systemctl reload nginx ``` 然后运行安全测试验证: ```bash node security-test.js ``` 预期改进: - CORS测试: 只有cs.workyai.cn被允许 ✅ - 敏感文件: 全部返回404 ✅ - 安全响应头: 全部检测到 ✅ - 安全评分: 63.6% → 90%+ 🎯 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
@@ -45,11 +45,12 @@ const corsOptions = {
|
||||
}
|
||||
}
|
||||
|
||||
// 允许来自白名单中的域名
|
||||
if (!origin || allowedOrigins.includes(origin)) {
|
||||
// 严格白名单模式:只允许白名单中的域名
|
||||
if (origin && allowedOrigins.includes(origin)) {
|
||||
callback(null, true);
|
||||
} else {
|
||||
console.warn(`[CORS] 拒绝来自未授权来源的请求: ${origin}`);
|
||||
// 拒绝不在白名单中的请求(包括没有Origin头的请求)
|
||||
console.warn(`[CORS] 拒绝来自未授权来源的请求: ${origin || '(无Origin头)'}`);
|
||||
callback(new Error('CORS策略不允许来自该来源的访问'));
|
||||
}
|
||||
}
|
||||
|
||||
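Review bot: The new condition `if (origin && allowedOrigins.includes(origin))` at the top of the hunk rejects every request that carries no Origin header, which gives no extra protection but does break legitimate clients: browsers only attach Origin to cross-origin (and some same-origin POST) requests, so an absent Origin means a same-origin navigation, a health check, curl, or a server-to-server call — none of which are governed by CORS in the first place. CORS is enforced by the browser on the response, so a non-browser client is unaffected by what this callback decides; the JWT-protection claim in the description should not be relied on for this change. Passing `callback(new Error(...))` also routes every such request into Express's error handler, which typically yields a 500 with the error text rather than a clean CORS refusal; the conventional form is `if (!origin || allowedOrigins.includes(origin)) { return callback(null, true); }` followed by `return callback(null, false);` (the cors middleware then simply omits the CORS headers and the browser blocks the response). The enclosing corsOptions object and its origin function start before the hunk, so the callback's surrounding signature is not visible here.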
64
install.sh
64
install.sh
@@ -2340,6 +2340,27 @@ server {
|
||||
# 文件上传大小限制(10GB)
|
||||
client_max_body_size 10G;
|
||||
|
||||
# ========== 安全响应头 ==========
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
|
||||
# 隐藏Nginx版本号
|
||||
server_tokens off;
|
||||
|
||||
# ========== 禁止访问隐藏文件 ==========
|
||||
location ~ /\\. {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# ========== 禁止访问敏感文件 ==========
|
||||
location ~ \\.(env|git|config|key|pem|crt|sql|bak|backup|old|log)$ {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# 前端静态文件
|
||||
location / {
|
||||
root ${PROJECT_DIR}/frontend;
|
||||
@@ -2597,6 +2618,27 @@ server {
|
||||
# 文件上传大小限制(10GB)
|
||||
client_max_body_size 10G;
|
||||
|
||||
# ========== 安全响应头 ==========
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
|
||||
# 隐藏Nginx版本号
|
||||
server_tokens off;
|
||||
|
||||
# ========== 禁止访问隐藏文件 ==========
|
||||
location ~ /\\. {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# ========== 禁止访问敏感文件 ==========
|
||||
location ~ \\.(env|git|config|key|pem|crt|sql|bak|backup|old|log)$ {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# 前端静态文件
|
||||
location / {
|
||||
root ${PROJECT_DIR}/frontend;
|
||||
@@ -2708,6 +2750,28 @@ server {
|
||||
# 文件上传大小限制(10GB)
|
||||
client_max_body_size 10G;
|
||||
|
||||
# ========== 安全响应头 ==========
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
|
||||
# 隐藏Nginx版本号
|
||||
server_tokens off;
|
||||
|
||||
# ========== 禁止访问隐藏文件 ==========
|
||||
location ~ /\\. {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# ========== 禁止访问敏感文件 ==========
|
||||
location ~ \\.(env|git|config|key|pem|crt|sql|bak|backup|old|log)$ {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
|
||||
# 前端静态文件
|
||||
location / {
|
||||
root ${PROJECT_DIR}/frontend;
|
||||
|
||||
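Review bot: The `add_header` lines added at server level in this hunk (and identically in the `@@ -2340` and `@@ -2597` hunks) are not inherited by any `location` block that declares its own `add_header`; nginx replaces the whole inherited header set in that case, so if the `location /` or any API proxy location in these templates sets e.g. a cache or CORS header, the security headers will be missing on exactly those responses — worth confirming against the full server blocks, which continue outside the hunk, or repeating the headers inside such locations. In the two `location ~` blocks, `return 404;` runs in the rewrite phase before `deny all;` is evaluated in the access phase, so `deny all;` is dead; keeping only `return 404;` with a comment such as `# return runs before the access phase, so deny is unnecessary here` makes the intent clearer. The `\\.` escaping is correct only if the surrounding heredoc is unquoted, which the `${PROJECT_DIR}` expansion on the `root` line suggests; if it were a quoted heredoc the regex would match a literal backslash instead. `X-XSS-Protection "1; mode=block"` is deprecated and disabled or ignored by current browsers; a `Content-Security-Policy` header would be the modern replacement, and the `includeSubDomains` HSTS directive in the HTTPS hunk should be checked against any subdomain that is still served over plain HTTP before deploying.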