
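listen 443 ssl;
# server_name: the domain name the certificate was issued for
server_name 域名;
# `ssl on;` is superseded by the `ssl` parameter on the `listen` line above
# (deprecated since nginx 1.15.0, removed in 1.25.1), so it is left disabled.
# ssl on;
ssl_certificate /home/###.pem;
ssl_certificate_key /home/###.key;
# Session resumption: ssl_session_timeout only governs a session cache, so a
# worker-shared cache is declared for the timeout to have an effect.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Cipher suites, in OpenSSL cipher-string syntax. This list applies to TLS 1.2;
# TLS 1.3 suites are configured separately by OpenSSL and not by ssl_ciphers.
#ssl_ciphers HIGH:!ADH:!MD5;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;
# Permitted TLS versions
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Security headers. `always` makes nginx emit them on every response code;
# without it they are dropped on 4xx/5xx responses. add_header is also not
# inherited by a location block that declares its own add_header, so these
# must be repeated in any such location.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Content Security Policy (CSP)
#add_header Content-Security-Policy "upgrade-insecure-requests;connect-src *";
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src largely cancel
# CSP's script-injection protection; tighten once the app's inline-script needs
# are known (e.g. a separate script-src with nonces or hashes).
add_header Content-Security-Policy "default-src 'self' apim.stg.starbucks.net 'unsafe-inline' 'unsafe-eval' blob: data: ;" always;
# Legacy browser XSS filter; current browsers ignore this header, so the CSP
# above is the effective control.
add_header X-Xss-Protection "1;mode=block" always;
# Stop the browser from sniffing resource content types
add_header X-Content-Type-Options nosniff always;
# Reduce clickjacking by refusing to be framed
add_header X-Frame-Options DENY always;
# Browser caching: disable caching of these responses
add_header Cache-Control no-cache,no-store always;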