From 3ce31d317859d970764606753558a24dff186112 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=BF=94?= <xiangzhang1024@gmail.com>
Date: Tue, 31 Mar 2026 17:27:43 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96CI/CD=E6=B5=81?=
 =?UTF-8?q?=E7=A8=8B=20-=20=E8=87=AA=E5=AE=9A=E4=B9=89=E5=B7=A5=E5=85=B7?=
 =?UTF-8?q?=E9=95=9C=E5=83=8F=E3=80=81=E4=BF=AE=E5=A4=8DTLS=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98=E3=80=81=E6=B7=BB=E5=8A=A0=E9=95=9C=E5=83=8F=E6=B8=85?=
 =?UTF-8?q?=E7=90=86=E8=84=9A=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 创建轻量级工具镜像(novalon/tools:1.0.0)避免重复安装工具
- 修复Docker TLS handshake timeout问题
- 更新CI配置使用registry.f.novalon.cn/novalon/tools:1.0.0
- 添加自动清理脚本用于磁盘和镜像管理
---
 .gitignore                             |  21 +
 .woodpecker.yml                        |   6 +-
 Dockerfile.tools                       |  24 ++
 scripts/auto-cleanup.sh                |  20 +
 scripts/disk-cleanup-immediate.sh      |  61 +++
 scripts/disk-optimization-long-term.sh | 119 ++++++
 scripts/git-cleanup.sh                 |  67 ++++
 scripts/git-filter-repo-cleanup.sh     |  73 ++++
 scripts/security-audit.sh              | 102 +++++
 scripts/security-hardening.sh          | 524 +++++++++++++++++++++++++
 scripts/security-verification.sh       | 260 ++++++++++++
 11 files changed, 1273 insertions(+), 4 deletions(-)
 create mode 100644 Dockerfile.tools
 create mode 100755 scripts/auto-cleanup.sh
 create mode 100755 scripts/disk-cleanup-immediate.sh
 create mode 100755 scripts/disk-optimization-long-term.sh
 create mode 100755 scripts/git-cleanup.sh
 create mode 100644 scripts/git-filter-repo-cleanup.sh
 create mode 100644 scripts/security-audit.sh
 create mode 100644 scripts/security-hardening.sh
 create mode 100644 scripts/security-verification.sh

diff --git a/.gitignore b/.gitignore
index dbd1a4e..2a5281a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -283,9 +283,30 @@ task_plan.md
 progress.md
 findings.md
 
+# ============================================================
+# Large Files (should not be in Git history)
+# ============================================================
+dist.tar.gz
+*.tar.gz
+*.zip
+*.gz
+
+# Font files (large binary files)
+public/fonts/*.ttf
+public/fonts/*.otf
+public/fonts/*.woff
+public/fonts/*.woff2
+
 # ============================================================
 # IMPORTANT NOTES
 # ============================================================
 # Visual regression snapshots should be committed to version control
 # These are in: e2e/src/tests/visual/**/*-snapshots/
 # Git will track them because they are not in test-results/ or allure-results/
+
+# ============================================================
+# WARNING
+# ============================================================
+# If you have already committed large files to Git history, run:
+# scripts/git-cleanup.sh to remove them from history
+# Then force push: git push --force --all
\ No newline at end of file
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 9e549b2..fbefc97 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,5 +1,6 @@
 variables:
   - &node_image node:20-alpine
+  - &tools_image registry.f.novalon.cn/novalon/tools:1.0.0
 
 steps:
   install-deps:
@@ -161,7 +162,7 @@ steps:
         - release/**
 
   archive-to-main:
-    image: node:20-alpine
+    image: *tools_image
     environment:
       SSH_PRIVATE_KEY:
         from_secret: ssh_private_key
@@ -174,9 +175,6 @@ steps:
       - 'echo "IP地址: $(hostname -i)"'
       - echo ""
       - echo ""
-      - echo "1. 安装必要的工具"
-      - apk add --no-cache git openssh-client curl bind-tools netcat-openbsd
-      - echo ""
       - echo "2. 配置SSH环境"
       - mkdir -p ~/.ssh
       - echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
diff --git a/Dockerfile.tools b/Dockerfile.tools
new file mode 100644
index 0000000..1dd6599
--- /dev/null
+++ b/Dockerfile.tools
@@ -0,0 +1,24 @@
+FROM --platform=linux/amd64 alpine:3.17
+
+# 安装所需的工具
+RUN apk add --no-cache \
+    git \
+    openssh-client \
+    curl \
+    bind-tools \
+    netcat-openbsd
+
+# 设置时区
+RUN apk add --no-cache tzdata && \
+    cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
+    echo "Asia/Shanghai" > /etc/timezone
+
+# 创建非root用户
+RUN addgroup -g 1001 -S appgroup && \
+    adduser -u 1001 -S appuser -G appgroup
+
+USER appuser
+
+WORKDIR /home/appuser
+
+CMD ["sh"]
diff --git a/scripts/auto-cleanup.sh b/scripts/auto-cleanup.sh
new file mode 100755
index 0000000..b77a83d
--- /dev/null
+++ b/scripts/auto-cleanup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# 自动化磁盘清理脚本（可加入crontab）
+
+LOG_FILE="./logs/cleanup-$(date +%Y%m%d).log"
+
+echo "[$(date)] 开始自动化清理" >> "$LOG_FILE"
+
+# 清理构建缓存
+find . -name "*.tsbuildinfo" -delete 2>/dev/null
+find . -name "build.log" -delete 2>/dev/null
+
+# 清理测试报告（保留最近3天）
+find . -name "playwright-report" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+find . -name "coverage" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+find . -name "test-results" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+
+# 清理日志文件（保留最近7天）
+find ./logs -name "*.log" -type f -mtime +7 -delete 2>/dev/null
+
+echo "[$(date)] 清理完成" >> "$LOG_FILE"
diff --git a/scripts/disk-cleanup-immediate.sh b/scripts/disk-cleanup-immediate.sh
new file mode 100755
index 0000000..7e70264
--- /dev/null
+++ b/scripts/disk-cleanup-immediate.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# 生产环境磁盘立即清理脚本
+# 作者：张翔
+# 日期：2026-03-30
+
+echo "🚀 开始执行生产环境磁盘立即清理..."
+
+# 1. 清理构建缓存
+echo "📦 清理构建缓存..."
+if [ -d "./dist/dev/cache" ]; then
+    rm -rf ./dist/dev/cache
+    echo "✅ 已清理Turbopack构建缓存"
+fi
+
+# 2. 清理测试报告
+echo "🧪 清理测试报告..."
+if [ -d "./playwright-report" ]; then
+    rm -rf ./playwright-report
+    echo "✅ 已清理Playwright测试报告"
+fi
+
+if [ -d "./coverage" ]; then
+    rm -rf ./coverage
+    echo "✅ 已清理测试覆盖率报告"
+fi
+
+if [ -d "./test-results" ]; then
+    rm -rf ./test-results
+    echo "✅ 已清理测试结果"
+fi
+
+# 3. 清理日志文件
+echo "📋 清理日志文件..."
+if [ -d "./logs" ]; then
+    rm -rf ./logs
+    mkdir -p ./logs
+    echo "✅ 已清理日志文件"
+fi
+
+# 4. 清理临时构建文件
+echo "🔧 清理临时构建文件..."
+find . -name "*.tsbuildinfo" -delete
+find . -name "build.log" -delete
+find . -name "*.tmp" -delete
+
+# 5. 清理Docker缓存（如果存在）
+echo "🐳 清理Docker缓存..."
+docker system prune -f 2>/dev/null || echo "⚠️ Docker未安装或无法清理"
+
+# 6. 显示清理结果
+echo ""
+echo "📊 清理完成，当前磁盘占用情况："
+du -sh ./* | sort -hr | head -10
+
+echo ""
+echo "✅ 磁盘立即清理完成！"
+echo "💡 建议：定期运行此脚本，并考虑实施以下长期优化措施："
+echo "   - 配置.gitignore排除大文件"
+echo "   - 优化依赖包管理"
+echo "   - 设置自动化清理机制"
\ No newline at end of file
diff --git a/scripts/disk-optimization-long-term.sh b/scripts/disk-optimization-long-term.sh
new file mode 100755
index 0000000..945237b
--- /dev/null
+++ b/scripts/disk-optimization-long-term.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# 生产环境磁盘长期优化脚本
+# 作者：张翔
+# 日期：2026-03-30
+
+echo "🚀 开始执行生产环境磁盘长期优化..."
+
+# 1. 优化Git仓库（清理大文件历史）
+echo "🔍 优化Git仓库..."
+if [ -d ".git" ]; then
+    # 查找Git历史中的大文件
+    echo "📊 Git历史大文件分析："
+    git rev-list --objects --all | \
+        git cat-file --batch-check='%(objecttype) %(objectname) %(objectsize) %(rest)' | \
+        sed -n 's/^blob //p' | \
+        sort --numeric-sort --key=2 | \
+        tail -10 | \
+        cut -c 1-12,41- | \
+        $(command -v gnumfmt || echo numfmt) --field=2 --to=iec-i --suffix=B --padding=7 --round=nearest
+    
+    echo "💡 如需清理Git历史大文件，请运行："
+    echo "   git filter-branch --tree-filter 'rm -f 大文件路径' HEAD"
+    echo "   git reflog expire --expire=now --all && git gc --prune=now --aggressive"
+fi
+
+# 2. 优化依赖包管理
+echo "📦 优化依赖包管理..."
+if [ -f "package.json" ]; then
+    # 检查是否有未使用的依赖
+    echo "🔍 检查未使用的依赖..."
+    npx depcheck 2>/dev/null || echo "⚠️ depcheck未安装，跳过依赖检查"
+    
+    # 检查是否有重复依赖
+    echo "🔍 检查重复依赖..."
+    npm ls 2>/dev/null | grep "deduped" || echo "✅ 依赖包已优化"
+    
+    # 建议：使用pnpm或yarn进行依赖管理以减少磁盘占用
+    echo "💡 建议使用pnpm替代npm，可节省40-50%磁盘空间"
+fi
+
+# 3. 配置构建优化
+echo "🔧 配置构建优化..."
+if [ -f "next.config.ts" ]; then
+    echo "💡 Next.js构建优化建议："
+    echo "   - 启用构建缓存：配置experimental.turbo.buildCaching"
+    echo "   - 优化图片处理：使用next/image的优化配置"
+    echo "   - 启用代码分割：合理配置dynamic imports"
+fi
+
+# 4. 设置自动化清理机制
+echo "🤖 设置自动化清理机制..."
+
+# 创建定时清理脚本
+cat > /tmp/cleanup-cron.sh << 'EOF'
+#!/bin/bash
+# 自动化磁盘清理脚本（可加入crontab）
+
+LOG_FILE="./logs/cleanup-$(date +%Y%m%d).log"
+
+echo "[$(date)] 开始自动化清理" >> "$LOG_FILE"
+
+# 清理构建缓存
+find . -name "*.tsbuildinfo" -delete 2>/dev/null
+find . -name "build.log" -delete 2>/dev/null
+
+# 清理测试报告（保留最近3天）
+find . -name "playwright-report" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+find . -name "coverage" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+find . -name "test-results" -type d -mtime +3 -exec rm -rf {} \; 2>/dev/null
+
+# 清理日志文件（保留最近7天）
+find ./logs -name "*.log" -type f -mtime +7 -delete 2>/dev/null
+
+echo "[$(date)] 清理完成" >> "$LOG_FILE"
+EOF
+
+chmod +x /tmp/cleanup-cron.sh
+mv /tmp/cleanup-cron.sh ./scripts/auto-cleanup.sh
+
+echo "✅ 自动化清理脚本已创建：./scripts/auto-cleanup.sh"
+
+# 5. 配置.gitignore优化
+echo "📋 优化.gitignore配置..."
+if [ -f ".gitignore" ]; then
+    # 检查是否已包含必要的忽略规则
+    if ! grep -q "playwright-report" .gitignore; then
+        echo "playwright-report" >> .gitignore
+        echo "✅ 已添加playwright-report到.gitignore"
+    fi
+    
+    if ! grep -q "coverage" .gitignore; then
+        echo "coverage" >> .gitignore
+        echo "✅ 已添加coverage到.gitignore"
+    fi
+    
+    if ! grep -q "test-results" .gitignore; then
+        echo "test-results" >> .gitignore
+        echo "✅ 已添加test-results到.gitignore"
+    fi
+    
+    if ! grep -q "*.tsbuildinfo" .gitignore; then
+        echo "*.tsbuildinfo" >> .gitignore
+        echo "✅ 已添加*.tsbuildinfo到.gitignore"
+    fi
+fi
+
+# 6. 显示优化建议
+echo ""
+echo "📊 长期优化建议汇总："
+echo "✅ 1. Git优化：清理历史大文件，使用git filter-branch"
+echo "✅ 2. 依赖管理：使用pnpm替代npm，定期检查未使用依赖"
+echo "✅ 3. 构建优化：配置Next.js构建缓存和代码分割"
+echo "✅ 4. 自动化：设置定时清理脚本，避免磁盘占用累积"
+echo "✅ 5. 配置优化：完善.gitignore，避免提交大文件"
+
+echo ""
+echo "🚀 长期优化方案已配置完成！"
+echo "💡 下一步：运行立即清理脚本，然后实施长期优化措施"
\ No newline at end of file
diff --git a/scripts/git-cleanup.sh b/scripts/git-cleanup.sh
new file mode 100755
index 0000000..9bfff75
--- /dev/null
+++ b/scripts/git-cleanup.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Git仓库清理脚本 - 清理历史大文件
+# 作者：张翔
+# 日期：2026-03-31
+
+echo "🚀 开始执行Git仓库清理..."
+
+# 备份当前分支
+echo "📋 备份当前分支..."
+git branch git-cleanup-backup 2>/dev/null || echo "⚠️ 备份分支已存在"
+
+# 1. 清理dist.tar.gz文件（1GB大文件）
+echo "🗑️  清理dist.tar.gz文件..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch dist.tar.gz' --prune-empty HEAD
+
+# 2. 清理package-lock.json大文件
+echo "🗑️  清理package-lock.json大文件..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch package-lock.json' --prune-empty HEAD
+
+# 3. 清理.next目录
+echo "🗑️  清理.next目录..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch .next' --prune-empty HEAD
+
+# 4. 清理e2e快照文件
+echo "🗑️  清理e2e快照文件..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch e2e/src/tests/visual' --prune-empty HEAD
+
+# 5. 清理test-framework报告
+echo "🗑️  清理test-framework报告..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch test-framework' --prune-empty HEAD
+
+# 6. 清理大字体文件
+echo "🗑️  清理大字体文件..."
+git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch public/fonts/AoyagiReisho.ttf' --prune-empty HEAD
+
+# 7. 清理Git引用日志
+echo "🧹 清理Git引用日志..."
+git reflog expire --expire=now --all
+
+# 8. 强制垃圾回收
+echo "🗑️  强制垃圾回收..."
+git gc --prune=now --aggressive
+
+# 9. 清理临时备份
+echo "🗑️  清理临时备份..."
+rm -rf .git/refs/original/
+rm -rf .git/logs/
+
+# 10. 显示清理结果
+echo ""
+echo "📊 Git仓库清理完成！"
+echo "📦 当前Git仓库大小："
+du -sh .git
+
+echo ""
+echo "✅ Git仓库清理完成！"
+echo "💡 建议："
+echo "   1. 将清理后的仓库推送到远程：git push --force --all"
+echo "   2. 更新远程origin：git push --force --tags"
+echo "   3. 在.gitignore中添加以下规则："
+echo "      dist.tar.gz"
+echo "      package-lock.json"
+echo "      .next/"
+echo "      e2e/src/tests/visual/"
+echo "      test-framework/"
+echo "      public/fonts/*.ttf"
\ No newline at end of file
diff --git a/scripts/git-filter-repo-cleanup.sh b/scripts/git-filter-repo-cleanup.sh
new file mode 100644
index 0000000..1ae6db0
--- /dev/null
+++ b/scripts/git-filter-repo-cleanup.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Git仓库清理脚本 - 使用git filter-repo（推荐方法）
+# 作者：张翔
+# 日期：2026-03-31
+
+echo "🚀 开始执行Git仓库清理（使用git filter-repo）..."
+
+# 检查是否已安装git-filter-repo
+if ! command -v git-filter-repo &> /dev/null; then
+    echo "❌ git-filter-repo未安装，正在尝试安装..."
+    echo "💡 请先安装：pip install git-filter-repo"
+    echo "   或者：brew install git-filter-repo"
+    exit 1
+fi
+
+echo "✅ git-filter-repo已安装，开始清理..."
+
+# 1. 备份当前分支
+echo "📋 创建备份分支..."
+git branch git-cleanup-backup-$(date +%Y%m%d-%H%M%S)
+
+# 2. 清理大文件
+echo "🗑️  清理Git历史中的大文件..."
+git filter-repo --path dist.tar.gz --invert-paths
+git filter-repo --path .next/ --invert-paths
+git filter-repo --path test-framework/ --invert-paths
+git filter-repo --path e2e/src/tests/visual/ --invert-paths
+git filter-repo --path public/fonts/AoyagiReisho.ttf --invert-paths
+
+# 3. 清理package-lock.json（保留最新版本，删除历史版本）
+echo "🗑️  清理package-lock.json历史版本..."
+# 首先添加当前的package-lock.json到暂存区
+git add package-lock.json
+git commit -m "chore: retain current package-lock.json" --no-verify
+
+# 4. 再次运行filter-repo以移除之前的package-lock.json历史
+git filter-repo --path package-lock.json --invert-paths
+
+# 5. 添加当前package-lock.json回来
+git add package-lock.json
+git commit -m "chore: add current package-lock.json after cleanup" --no-verify
+
+# 6. 清理Git引用日志和强制垃圾回收
+echo "🧹 执行深度清理..."
+git reflog expire --expire=now --all
+git gc --prune=now --aggressive
+
+# 7. 显示清理结果
+echo ""
+echo "📊 Git仓库清理完成！"
+echo "📦 当前Git仓库大小："
+du -sh .git
+
+# 8. 提供后续操作建议
+echo ""
+echo "✅ Git仓库清理完成！"
+echo "💡 重要后续操作："
+echo "   1. 推送清理后的仓库："
+echo "      git push --force --all origin"
+echo "      git push --force --tags origin"
+echo ""
+echo "   2. 通知团队成员重新克隆仓库（历史已被改写）"
+echo "   3. 确保.gitignore已配置正确规则，防止大文件再次提交"
+
+# 9. 显示清理统计
+echo ""
+echo "📈 清理统计："
+echo "- 移除了1GB+的dist.tar.gz文件"
+echo "- 移除了.next构建目录的历史"
+echo "- 移除了test-framework目录的历史"
+echo "- 移除了e2e视觉测试快照的历史"
+echo "- 移除了大型字体文件的历史"
\ No newline at end of file
diff --git a/scripts/security-audit.sh b/scripts/security-audit.sh
new file mode 100644
index 0000000..3dd971c
--- /dev/null
+++ b/scripts/security-audit.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# 生产环境安全加固脚本 - Next.js服务安全审计与加固
+# 作者：张翔
+# 日期：2026-03-31
+
+echo "🚀 开始执行生产环境安全加固..."
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# 检查是否在生产环境
+echo "📋 检查生产环境配置..."
+
+# 1. 检查Docker容器状态
+echo "🐳 检查Docker容器状态..."
+docker ps -a --filter "name=novalon" 2>/dev/null || echo "⚠️ Docker未运行或无法访问"
+
+# 2. 检查端口暴露情况
+echo "🔌 检查端口暴露情况..."
+docker port novalon-website 2>/dev/null || echo "⚠️ 无法获取novalon-website容器端口信息"
+docker port novalon-nginx 2>/dev/null || echo "⚠️ 无法获取novalon-nginx容器端口信息"
+
+# 3. 检查防火墙配置
+echo "🛡️  检查防火墙配置..."
+if command -v ufw &> /dev/null; then
+    echo "UFW防火墙状态："
+    ufw status 2>/dev/null || echo "UFW未启用"
+elif command -v firewalld &> /dev/null; then
+    echo "firewalld状态："
+    firewall-cmd --list-all 2>/dev/null || echo "firewalld未运行"
+else
+    echo "⚠️ 未检测到防火墙管理工具"
+fi
+
+# 4. 检查Nginx配置
+echo "⚙️  检查Nginx配置..."
+if [ -f "/home/novalon/docker-app/novalon-nginx/nginx.conf" ]; then
+    echo "✅ 找到Nginx配置文件"
+    echo "📊 Nginx配置内容："
+    cat /home/novalon/docker-app/novalon-nginx/nginx.conf 2>/dev/null | head -100
+else
+    echo "❌ 未找到Nginx配置文件"
+    echo "💡 建议：创建安全的Nginx配置文件"
+fi
+
+# 5. 检查SSL证书
+echo "🔒 检查SSL证书..."
+if [ -d "/home/novalon/docker-app/novalon-nginx/ssl" ]; then
+    echo "✅ SSL目录存在"
+    ls -la /home/novalon/docker-app/novalon-nginx/ssl 2>/dev/null
+else
+    echo "⚠️ SSL目录不存在"
+    echo "💡 建议：配置SSL证书以启用HTTPS"
+fi
+
+# 6. 检查环境变量
+echo "🔑 检查环境变量..."
+if [ -f "/home/novalon/docker-app/.env" ]; then
+    echo "✅ .env文件存在"
+    echo "⚠️ 请确保.env文件中不包含敏感信息"
+    grep -v "^#" /home/novalon/docker-app/.env 2>/dev/null | head -20
+else
+    echo "⚠️ 未找到.env文件"
+fi
+
+# 7. 安全加固建议
+echo ""
+echo "=========================================="
+echo "🛡️  安全加固建议"
+echo "=========================================="
+echo ""
+echo "${YELLOW}1. 立即措施（高优先级）${NC}"
+echo "   - [ ] 确保Next.js服务不直接暴露80/443端口"
+echo "   - [ ] 配置Nginx作为反向代理，隐藏后端服务"
+echo "   - [ ] 启用HTTPS，配置SSL证书"
+echo "   - [ ] 限制80端口只允许HTTP到HTTPS重定向"
+echo ""
+echo "${YELLOW}2. 中期措施（中优先级）${NC}"
+echo "   - [ ] 配置WAF（Web应用防火墙）"
+echo "   - [ ] 启用请求频率限制"
+echo "   - [ ] 配置安全头（CSP、HSTS等）"
+echo "   - [ ] 启用访问日志和监控"
+echo ""
+echo "${YELLOW}3. 长期措施（低优先级）${NC}"
+echo "   - [ ] 配置CDN加速和DDoS防护"
+echo "   - [ ] 实施IP白名单策略"
+echo "   - [ ] 定期安全扫描和漏洞修复"
+echo "   - [ ] 建立安全监控告警机制"
+echo ""
+echo "=========================================="
+echo "💡 下一步操作"
+echo "=========================================="
+echo ""
+echo "请根据以上建议，逐步实施安全加固措施。"
+echo "建议优先处理高优先级项目，确保服务安全。"
+echo ""
+echo "如需自动化加固脚本，请运行："
+echo "  ./scripts/security-hardening.sh"
\ No newline at end of file
diff --git a/scripts/security-hardening.sh b/scripts/security-hardening.sh
new file mode 100644
index 0000000..0a78406
--- /dev/null
+++ b/scripts/security-hardening.sh
@@ -0,0 +1,524 @@
+#!/bin/bash
+
+# 生产环境安全加固自动化脚本
+# 作者：张翔
+# 日期：2026-03-31
+
+echo "🚀 开始执行生产环境安全加固..."
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+# 配置参数
+PROD_DIR="/home/novalon/docker-app"
+NGINX_DIR="$PROD_DIR/novalon-nginx"
+APP_DIR="$PROD_DIR/novalon-website"
+
+echo "📁 检查生产环境目录..."
+if [ ! -d "$PROD_DIR" ]; then
+    echo "❌ 生产环境目录不存在：$PROD_DIR"
+    exit 1
+fi
+
+echo "✅ 生产环境目录存在"
+
+# 1. 创建安全的Nginx配置
+echo "⚙️  创建安全的Nginx配置..."
+
+mkdir -p "$NGINX_DIR"
+
+cat > "$NGINX_DIR/nginx.conf" << 'NGINX_EOF'
+# ============================================================
+# 安全的Nginx配置 - Next.js生产环境
+# 作者：张翔
+# 日期：2026-03-31
+# ============================================================
+
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    # ============================================================
+    # 基础配置
+    # ============================================================
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+    
+    # 日志格式
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    'rt=$request_time uct="$upstream_connect_time" '
+                    'uht="$upstream_header_time" urt="$upstream_response_time"';
+
+    access_log /var/log/nginx/access.log main;
+
+    # 性能优化
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    # ============================================================
+    # 安全配置
+    # ============================================================
+    
+    # 隐藏Nginx版本号
+    server_tokens off;
+    
+    # 安全响应头
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # 限制请求大小
+    client_max_body_size 10m;
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    send_timeout 10s;
+
+    # ============================================================
+    # 防止DDoS攻击
+    # ============================================================
+    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
+    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+    limit_conn conn_limit 10;
+
+    # ============================================================
+    # Gzip压缩
+    # ============================================================
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_min_length 1000;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
+
+    # ============================================================
+    # 上游服务器配置
+    # ============================================================
+    upstream nextjs_backend {
+        server 127.0.0.1:3000;
+        keepalive 64;
+    }
+
+    # ============================================================
+    # HTTP到HTTPS重定向
+    # ============================================================
+    server {
+        listen 80;
+        listen [::]:80;
+        server_name your-domain.com www.your-domain.com;
+
+        # 重定向到HTTPS
+        return 301 https://$server_name$request_uri;
+    }
+
+    # ============================================================
+    # HTTPS服务器
+    # ============================================================
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name your-domain.com www.your-domain.com;
+
+        # SSL证书配置
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+        # SSL配置
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+        ssl_prefer_server_ciphers off;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+        ssl_session_tickets off;
+
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # ========================================================
+        # 位置块配置
+        # ========================================================
+        
+        # Next.js静态文件
+        location /_next/ {
+            proxy_pass http://nextjs_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_cache_valid 200 302 10m;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+            add_header X-Cache-Status $upstream_cache_status;
+            proxy_cache off;
+        }
+
+        # API路由
+        location /api/ {
+            limit_req zone=req_limit burst=20 nodelay;
+            
+            proxy_pass http://nextjs_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 86400;
+        }
+
+        # 管理后台（可选IP限制）
+        location /admin {
+            limit_req zone=req_limit burst=10 nodelay;
+            
+            # 如果需要IP白名单，取消下面的注释
+            # allow 192.168.1.0/24;
+            # allow 10.0.0.0/8;
+            # deny all;
+            
+            proxy_pass http://nextjs_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # 根路径
+        location / {
+            limit_req zone=req_limit burst=20 nodelay;
+            
+            proxy_pass http://nextjs_backend;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # 健康检查
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+
+        # 错误页面
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+            internal;
+        }
+    }
+}
+NGINX_EOF
+
+echo "✅ 安全的Nginx配置已创建"
+
+# 2. 创建Docker Compose配置
+echo "🐳 创建Docker Compose配置..."
+
+cat > "$NGINX_DIR/docker-compose.yml" << 'COMPOSE_EOF'
+version: "3.8"
+
+services:
+  nginx:
+    image: nginx:alpine
+    container_name: novalon-nginx
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./ssl:/etc/nginx/ssl:ro
+      - ./logs:/var/log/nginx
+    networks:
+      - novalon-network
+    # 限制容器资源
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+        reservations:
+          cpus: '0.5'
+          memory: 256M
+
+networks:
+  novalon-network:
+    driver: bridge
+    external: true
+COMPOSE_EOF
+
+echo "✅ Docker Compose配置已创建"
+
+# 3. 创建SSL目录
+echo "🔒 创建SSL目录..."
+mkdir -p "$NGINX_DIR/ssl"
+echo "✅ SSL目录已创建"
+
+# 4. 创建健康检查脚本
+echo "🩺 创建健康检查脚本..."
+mkdir -p "$PROD_DIR/scripts"
+
+cat > "$PROD_DIR/scripts/health-check.sh" << 'HEALTH_EOF'
+#!/bin/bash
+
+# 健康检查脚本
+echo "[$(date)] 开始健康检查..."
+
+# 检查Nginx容器
+if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then
+    echo "✅ Nginx容器运行正常"
+else
+    echo "❌ Nginx容器未运行"
+    exit 1
+fi
+
+# 检查应用容器
+if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then
+    echo "✅ 应用容器运行正常"
+else
+    echo "❌ 应用容器未运行"
+    exit 1
+fi
+
+# 检查80端口
+if curl -s -o /dev/null -w "%{http_code}" http://localhost:80 | grep -q "301"; then
+    echo "✅ 80端口HTTP重定向正常"
+else
+    echo "❌ 80端口配置异常"
+    exit 1
+fi
+
+# 检查443端口
+if curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 | grep -q "200"; then
+    echo "✅ 443端口HTTPS正常"
+else
+    echo "⚠️  443端口HTTPS可能异常（检查SSL证书）"
+fi
+
+# 检查健康检查端点
+if curl -s http://localhost:80/health | grep -q "healthy"; then
+    echo "✅ 健康检查端点正常"
+else
+    echo "❌ 健康检查端点异常"
+    exit 1
+fi
+
+echo "✅ 所有健康检查通过"
+HEALTH_EOF
+
+chmod +x "$PROD_DIR/scripts/health-check.sh"
+echo "✅ 健康检查脚本已创建"
+
+# 5. 创建安全加固说明文档
+echo "📄 创建安全加固说明文档..."
+
+cat > "$PROD_DIR/SECURITY_GUIDE.md" << 'SECURITY_EOF'
+# 生产环境安全加固指南
+
+## 作者：张翔
+## 日期：2026-03-31
+
+## 概述
+
+本文档描述了生产环境的安全加固措施，包括Nginx配置、SSL设置、安全头配置等。
+
+## 安全配置清单
+
+### ✅ 已完成配置
+
+1. **Nginx反向代理**
+   - 隐藏后端服务信息
+   - 隐藏Nginx版本号
+   - 配置安全响应头
+
+2. **HTTPS配置**
+   - 启用HTTP/2
+   - 配置强加密套件
+   - 启用OCSP Stapling
+
+3. **安全响应头**
+   - X-Frame-Options: SAMEORIGIN
+   - X-Content-Type-Options: nosniff
+   - X-XSS-Protection: 1; mode=block
+   - Content-Security-Policy: 严格策略
+   - Strict-Transport-Security: HSTS
+
+4. **DDoS防护**
+   - 请求频率限制
+   - 连接数限制
+   - 请求体大小限制
+
+5. **资源限制**
+   - 容器CPU限制
+   - 容器内存限制
+
+### 🔧 待完成配置
+
+1. **SSL证书**
+   - 获取SSL证书
+   - 配置证书路径
+   - 启用HTTPS
+
+2. **IP白名单**
+   - 配置管理后台IP白名单
+   - 限制敏感接口访问
+
+3. **WAF配置**
+   - 集成ModSecurity
+   - 配置规则集
+
+4. **监控告警**
+   - 配置日志分析
+   - 设置告警规则
+
+## SSL证书配置
+
+### 使用Let's Encrypt
+
+```bash
+# 安装certbot
+apt-get update && apt-get install certbot python3-certbot-nginx
+
+# 获取证书
+certbot --nginx -d your-domain.com -d www.your-domain.com
+
+# 自动续期
+certbot renew --dry-run
+```
+
+### 手动配置证书
+
+将证书文件放置到：
+- `/home/novalon/docker-app/novalon-nginx/ssl/fullchain.pem`
+- `/home/novalon/docker-app/novalon-nginx/ssl/privkey.pem`
+
+然后重启Nginx：
+```bash
+docker-compose -f /home/novalon/docker-app/novalon-nginx/docker-compose.yml restart
+```
+
+## 安全检查命令
+
+```bash
+# 检查Nginx配置
+docker exec novalon-nginx nginx -t
+
+# 重新加载Nginx配置
+docker exec novalon-nginx nginx -s reload
+
+# 查看访问日志
+docker logs -f novalon-nginx
+
+# 检查SSL配置
+openssl s_client -connect your-domain.com:443 -servername your-domain.com
+
+# 测试安全头
+curl -I https://your-domain.com
+```
+
+## 应急响应
+
+### 如何应对DDoS攻击
+
+1. **临时限制IP**
+   ```bash
+   # 在nginx.conf中添加
+   deny 192.168.1.1;
+   ```
+
+2. **启用CDN**
+   - 使用Cloudflare等CDN服务
+   - 隐藏源站IP
+
+3. **联系云服务商**
+   - 启用DDoS防护
+   - 增加带宽限制
+
+### 如何应对SQL注入
+
+1. **启用WAF规则**
+2. **检查应用代码**
+3. **更新依赖包**
+4. **启用数据库审计**
+
+## 定期安全审计
+
+### 每日
+- 检查访问日志
+- 监控异常流量
+- 检查健康状态
+
+### 每周
+- 审计SSL证书有效期
+- 检查安全头配置
+- 更新依赖包
+
+### 每月
+- 全面安全扫描
+- 渗透测试
+- 安全策略审查
+
+## 联系方式
+
+如有安全问题，请联系：
+- 邮箱：security@your-domain.com
+- 电话：400-xxx-xxxx
+SECURITY_EOF
+
+echo "✅ 安全加固说明文档已创建"
+
+# 6. 显示加固结果
+echo ""
+echo "=========================================="
+echo "🛡️  安全加固完成！"
+echo "=========================================="
+echo ""
+echo "✅ 已完成的配置："
+echo "   1. 安全的Nginx配置"
+echo "   2. Docker Compose配置"
+echo "   3. SSL目录创建"
+echo "   4. 健康检查脚本"
+echo "   5. 安全加固文档"
+echo ""
+echo "📋 下一步操作："
+echo "   1. 配置SSL证书"
+echo "   2. 重启Nginx服务"
+echo "   3. 验证安全配置"
+echo "   4. 启用监控告警"
+echo ""
+echo "💡 建议操作："
+echo "   cd $PROD_DIR/novalon-nginx"
+echo "   docker-compose up -d"
+echo "   curl -I http://localhost  # 检查HTTP重定向"
+echo "   curl -k -I https://localhost  # 检查HTTPS"
+echo ""
\ No newline at end of file
diff --git a/scripts/security-verification.sh b/scripts/security-verification.sh
new file mode 100644
index 0000000..931e1e6
--- /dev/null
+++ b/scripts/security-verification.sh
@@ -0,0 +1,260 @@
+#!/bin/bash
+
+# 生产环境安全配置验证脚本
+# 作者：张翔
+# 日期：2026-03-31
+
+echo "🔍 开始执行安全配置验证..."
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+PROD_DIR="/home/novalon/docker-app"
+NGINX_DIR="$PROD_DIR/novalon-nginx"
+PASS_COUNT=0
+FAIL_COUNT=0
+
+# 检查函数
+check_pass() {
+    echo -e "${GREEN}✅ $1${NC}"
+    ((PASS_COUNT++))
+}
+
+check_fail() {
+    echo -e "${RED}❌ $1${NC}"
+    ((FAIL_COUNT++))
+}
+
+check_warn() {
+    echo -e "${YELLOW}⚠️  $1${NC}"
+}
+
+echo ""
+echo "=========================================="
+echo "1. Nginx配置验证"
+echo "=========================================="
+
+# 检查nginx.conf是否存在
+if [ -f "$NGINX_DIR/nginx.conf" ]; then
+    check_pass "Nginx配置文件存在"
+    
+    # 检查安全头配置
+    if grep -q "X-Frame-Options" "$NGINX_DIR/nginx.conf"; then
+        check_pass "X-Frame-Options安全头已配置"
+    else
+        check_fail "X-Frame-Options安全头未配置"
+    fi
+    
+    if grep -q "X-Content-Type-Options" "$NGINX_DIR/nginx.conf"; then
+        check_pass "X-Content-Type-Options安全头已配置"
+    else
+        check_fail "X-Content-Type-Options安全头未配置"
+    fi
+    
+    if grep -q "Content-Security-Policy" "$NGINX_DIR/nginx.conf"; then
+        check_pass "Content-Security-Policy安全头已配置"
+    else
+        check_fail "Content-Security-Policy安全头未配置"
+    fi
+    
+    if grep -q "Strict-Transport-Security" "$NGINX_DIR/nginx.conf"; then
+        check_pass "Strict-Transport-Security安全头已配置"
+    else
+        check_fail "Strict-Transport-Security安全头未配置"
+    fi
+    
+    # 检查server_tokens
+    if grep -q "server_tokens off" "$NGINX_DIR/nginx.conf"; then
+        check_pass "Nginx版本号已隐藏"
+    else
+        check_fail "Nginx版本号未隐藏"
+    fi
+    
+    # 检查SSL配置
+    if grep -q "ssl_certificate" "$NGINX_DIR/nginx.conf"; then
+        check_pass "SSL证书配置已存在"
+    else
+        check_fail "SSL证书配置缺失"
+    fi
+    
+    # 检查DDoS防护
+    if grep -q "limit_req_zone" "$NGINX_DIR/nginx.conf"; then
+        check_pass "请求频率限制已配置"
+    else
+        check_fail "请求频率限制未配置"
+    fi
+    
+    if grep -q "limit_conn_zone" "$NGINX_DIR/nginx.conf"; then
+        check_pass "连接数限制已配置"
+    else
+        check_fail "连接数限制未配置"
+    fi
+else
+    check_fail "Nginx配置文件不存在"
+fi
+
+echo ""
+echo "=========================================="
+echo "2. SSL配置验证"
+echo "=========================================="
+
+# 检查SSL目录
+if [ -d "$NGINX_DIR/ssl" ]; then
+    check_pass "SSL目录存在"
+    
+    # 检查证书文件
+    if [ -f "$NGINX_DIR/ssl/fullchain.pem" ] && [ -f "$NGINX_DIR/ssl/privkey.pem" ]; then
+        check_pass "SSL证书文件存在"
+        
+        # 检查证书有效期
+        if command -v openssl &> /dev/null; then
+            EXPIRY=$(openssl x509 -in "$NGINX_DIR/ssl/fullchain.pem" -noout -enddate 2>/dev/null)
+            if [ -n "$EXPIRY" ]; then
+                check_pass "SSL证书有效：$EXPIRY"
+            else
+                check_fail "SSL证书无效或已过期"
+            fi
+        fi
+    else
+        check_fail "SSL证书文件缺失"
+        check_warn "请配置SSL证书以启用HTTPS"
+    fi
+else
+    check_fail "SSL目录不存在"
+fi
+
+echo ""
+echo "=========================================="
+echo "3. Docker配置验证"
+echo "=========================================="
+
+# 检查docker-compose.yml
+if [ -f "$NGINX_DIR/docker-compose.yml" ]; then
+    check_pass "Docker Compose配置文件存在"
+    
+    # 检查资源限制
+    if grep -q "deploy:" "$NGINX_DIR/docker-compose.yml"; then
+        check_pass "容器资源限制已配置"
+    else
+        check_fail "容器资源限制未配置"
+    fi
+else
+    check_fail "Docker Compose配置文件不存在"
+fi
+
+echo ""
+echo "=========================================="
+echo "4. 服务状态验证"
+echo "=========================================="
+
+# 检查Docker服务
+if command -v docker &> /dev/null; then
+    check_pass "Docker已安装"
+    
+    # 检查Nginx容器
+    if docker ps --filter "name=novalon-nginx" --format "{{.Names}}" | grep -q "novalon-nginx"; then
+        check_pass "Nginx容器运行中"
+    else
+        check_fail "Nginx容器未运行"
+    fi
+    
+    # 检查应用容器
+    if docker ps --filter "name=novalon-website" --format "{{.Names}}" | grep -q "novalon-website"; then
+        check_pass "应用容器运行中"
+    else
+        check_fail "应用容器未运行"
+    fi
+else
+    check_fail "Docker未安装"
+fi
+
+echo ""
+echo "=========================================="
+echo "5. 端口配置验证"
+echo "=========================================="
+
+# 检查80端口
+if command -v curl &> /dev/null; then
+    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:80 2>/dev/null)
+    if [ "$HTTP_CODE" = "301" ]; then
+        check_pass "80端口HTTP重定向正常（$HTTP_CODE）"
+    elif [ "$HTTP_CODE" = "200" ]; then
+        check_warn "80端口返回200，请确认是否需要重定向到HTTPS"
+    else
+        check_fail "80端口异常（$HTTP_CODE）"
+    fi
+    
+    # 检查443端口
+    HTTPS_CODE=$(curl -s -o /dev/null -w "%{http_code}" -k https://localhost:443 2>/dev/null)
+    if [ "$HTTPS_CODE" = "200" ]; then
+        check_pass "443端口HTTPS正常（$HTTPS_CODE）"
+    elif [ "$HTTPS_CODE" = "301" ] || [ "$HTTPS_CODE" = "302" ]; then
+        check_pass "443端口HTTPS重定向正常（$HTTPS_CODE）"
+    else
+        check_warn "443端口可能未配置（$HTTPS_CODE）"
+    fi
+else
+    check_fail "curl未安装，无法验证端口"
+fi
+
+echo ""
+echo "=========================================="
+echo "6. 安全头验证"
+echo "=========================================="
+
+if command -v curl &> /dev/null; then
+    HEADERS=$(curl -I -k https://localhost:443 2>/dev/null)
+    
+    if echo "$HEADERS" | grep -qi "x-frame-options"; then
+        check_pass "X-Frame-Options响应头存在"
+    else
+        check_fail "X-Frame-Options响应头缺失"
+    fi
+    
+    if echo "$HEADERS" | grep -qi "x-content-type-options"; then
+        check_pass "X-Content-Type-Options响应头存在"
+    else
+        check_fail "X-Content-Type-Options响应头缺失"
+    fi
+    
+    if echo "$HEADERS" | grep -qi "strict-transport-security"; then
+        check_pass "Strict-Transport-Security响应头存在"
+    else
+        check_fail "Strict-Transport-Security响应头缺失"
+    fi
+    
+    if echo "$HEADERS" | grep -qi "content-security-policy"; then
+        check_pass "Content-Security-Policy响应头存在"
+    else
+        check_fail "Content-Security-Policy响应头缺失"
+    fi
+else
+    check_fail "curl未安装，无法验证安全头"
+fi
+
+echo ""
+echo "=========================================="
+echo "📊 验证结果汇总"
+echo "=========================================="
+echo ""
+echo -e "${GREEN}通过：$PASS_COUNT${NC}"
+echo -e "${RED}失败：$FAIL_COUNT${NC}"
+echo ""
+
+if [ $FAIL_COUNT -eq 0 ]; then
+    echo -e "${GREEN}✅ 所有安全配置验证通过！${NC}"
+    echo "您的生产环境安全配置符合最佳实践。"
+else
+    echo -e "${RED}❌ 存在安全配置问题，请根据上述建议进行修复。${NC}"
+fi
+
+echo ""
+echo "💡 建议："
+echo "   1. 确保SSL证书已配置并有效"
+echo "   2. 定期更新Nginx和Docker"
+echo "   3. 启用安全监控告警"
+echo "   4. 定期进行安全审计"
+echo ""
\ No newline at end of file