External JS + integrity attribute (Subresource Integrity)
+ Content-Security-Policy header
target="_blank" links to external sites: add rel="noopener noreferrer"
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: *.conac.cn *.baidu.com *.gov.cn; frame-ancestors 'self'
- Server header (remove it)
Hide the PHP version: expose_php = Off
disable_functions
disable_classes
Hide the session cookie header
Session cookie: add SameSite and HttpOnly
Apache, IIS, MySQL, SQL: run with reduced (dropped) privileges
Upload folder permissions: deny access to unexpected file extensions
Upload size limit
Validate cookies, headers, query string, form fields and uploads
MIME settings
AcceptPathInfo Off
Disable unneeded HTTP methods
TraceEnable Off; allow only GET and POST
PHP cgi.fix_pathinfo = 0
expose_php = Off
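The header and cookie items in this list are easy to verify from a single captured response. The script below is an added example (not part of the original checklist) that audits a raw HTTP response against them using only the Python standard library: it checks the fixed-value headers, flags the Server and X-Powered-By headers, checks each Set-Cookie for HttpOnly and SameSite, and inspects the CSP. Note that the CSP shown in the list grants 'unsafe-inline', 'unsafe-eval', data: and blob: to scripts via default-src, which removes most of the XSS protection a CSP provides; the audit reports that. The sample response, its hostnames and version strings are constructed for illustration.

```python
# Added example, not from the original checklist: audit a captured HTTP
# response against the header and cookie hardening items above.
from typing import Dict, List

# Fixed-value headers the checklist requires (compared case-insensitively).
EXPECTED_HEADERS = {
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-download-options": "noopen",
    "x-permitted-cross-domain-policies": "none",
}

# Headers that reveal the server or runtime and should be removed.
LEAKY_HEADERS = ("server", "x-powered-by")


def parse_raw_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response (status line + headers) into a lowercase-name ->
    list-of-values map; repeated headers such as Set-Cookie keep every value."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(csp: str) -> List[str]:
    """Flag the CSP weaknesses that matter most for XSS and framing."""
    findings: List[str] = []
    directives = parse_csp(csp)
    # script-src falls back to default-src when it is not set explicitly.
    script_src = directives.get("script-src", directives.get("default-src", []))
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in script_src:
            findings.append(f"csp: {keyword} in script sources defeats most XSS protection")
    if "data:" in script_src or "blob:" in script_src:
        findings.append("csp: data:/blob: script sources allow attacker-supplied script bodies")
    if "frame-ancestors" not in directives:
        findings.append("csp: missing frame-ancestors (only X-Frame-Options limits framing)")
    return findings


def audit_cookie(set_cookie: str) -> List[str]:
    """Check one Set-Cookie value for the HttpOnly and SameSite attributes."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return [f"cookie {name}: missing {attr}" for attr in ("httponly", "samesite") if attr not in attrs]


def audit_response(raw: str) -> List[str]:
    """Return every checklist violation found in a raw HTTP response."""
    headers = parse_raw_headers(raw)
    findings: List[str] = []
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing header: {name}")
        elif values[0].lower() != expected:
            findings.append(f"unexpected value for {name}: {values[0]!r} (expected {expected!r})")
    for name in LEAKY_HEADERS:
        if name in headers:
            findings.append(f"leaky header present: {name}: {headers[name][0]}")
    if "content-security-policy" in headers:
        findings.extend(audit_csp(headers["content-security-policy"][0]))
    else:
        findings.append("missing header: content-security-policy")
    for cookie in headers.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed sample: applies part of the checklist but keeps the permissive
# CSP pattern from the list, leaks version headers and sets a bare session cookie.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4
X-Powered-By: PHP/7.4
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: *.example.test; frame-ancestors 'self'
Set-Cookie: PHPSESSID=abc123; Path=/
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Paste the output of `curl -sI https://host/` (or any saved response) in place of SAMPLE_RESPONSE; an empty result means every header and cookie item on the list is satisfied. A hardened CSP for this check drops 'unsafe-inline', 'unsafe-eval', data: and blob: from the script sources, for example by moving inline scripts to external files covered by integrity attributes.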