How to secure Web application headers with Nginx.
Have you ever wondered what security headers your website or application actually sends?
A good place to start is to scan the website at https://securityheaders.com
After the scan you can assess the problems. I will explain how to resolve those issues with Nginx. If you don't have HTTPS yet, Let's Encrypt is a good place to start: it is free, and CloudFlare has very good support for both.
Add a new configuration section in the nginx http block:

# don't send the nginx version number in error pages and the Server header
server_tokens off;
add_header "Referrer-Policy" "strict-origin";
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
add_header "Strict-Transport-Security" "max-age=31536000";
add_header "X-XSS-Protection" "1; mode=block";
# "always" makes nginx send the header on error responses (4xx/5xx) too;
# without it the header is only added to 2xx/3xx responses
add_header "X-Content-Type-Options" "nosniff" always;
add_header "X-Frame-Options" "DENY" always;
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://yoast.com https://maps.googleapis.com https://www.google-analytics.com https://connect.facebook.net; img-src 'self' data: https://s.w.org https://stats.g.doubleclick.net https://www.google-analytics.com https://s-static.ak.facebook.com https://media.licdn.com https://secure.gravatar.com https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://www.gstatic.com https://fonts.googleapis.com; connect-src 'self' https://yoast.com; font-src 'self' data: https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://www.youtube.com https://www.facebook.com https://s-static.ak.facebook.com https://media.licdn.com; object-src 'none'";
It is best to put these directives in a file such as security.conf in /etc/nginx/conf.d, which can be modified later on. Note that nginx only inherits add_header directives from the http level into a server or location block if that block defines no add_header of its own; if it does, repeat the headers there.
Test the nginx configuration and reload:

nginx -t
nginx -s reload

Check https://securityheaders.com and test again.
NB: Be careful with Content-Security-Policy; it needs to be adjusted depending on your site and its dependencies.
Are security headers enough? No. CloudFlare and Nginx hardening add a layer in front of the web application, but the application itself still needs to be scanned and improved periodically to stay secure.
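A small offline checker for the headers set above, added here as an example and not part of the original post: it parses a raw HTTP response head (the sample below is constructed) and reports headers that are missing, emitted twice, or weaker than the snippet intends. Run it against the output of curl -I on your own site to confirm the configuration took effect on error pages as well as normal ones.

```python
import re
from collections import Counter

# Headers the Nginx snippet above is meant to emit (lower-cased for comparison).
EXPECTED = [
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "x-xss-protection", "referrer-policy", "feature-policy",
    "content-security-policy", "x-permitted-cross-domain-policies",
]

def parse_head(raw):
    """Split a raw HTTP response head into (status_line, [(name_lower, value), ...])."""
    lines = raw.strip().split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit(raw):
    """Return a list of findings (strings) for one response head; empty means clean."""
    _, headers = parse_head(raw)
    counts = Counter(name for name, _ in headers)
    values = dict(headers)
    findings = [f"missing: {h}" for h in EXPECTED if h not in counts]
    # A header sent twice usually means a stray duplicate add_header directive.
    findings += [f"duplicate: {h} ({n}x)" for h, n in counts.items() if n > 1]
    # A version in the Server header means server_tokens is still on.
    if re.search(r"nginx/\d", values.get("server", "")):
        findings.append("server: version disclosed (set server_tokens off)")
    m = re.search(r"max-age=(\d+)", values.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        findings.append(f"weak: HSTS max-age {m.group(1)} is below one year")
    csp = values.get("content-security-policy", "")
    weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'") if t in csp]
    findings += [f"weak: CSP allows {t}" for t in weak]
    return findings

# Constructed sample: a 404 page on which only the two headers marked 'always'
# survived, X-Content-Type-Options was emitted twice and Server leaks a version.
SAMPLE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```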