# # /usr/local/etc/nginx/security_headers # # Security headers for Nginx/HTTP(s) # # Aaron LI # 2017-11-22 # # Credits # ------- # * Hardening your HTTP response headers # https://scotthelme.co.uk/hardening-your-http-response-headers/ # * Nginx add_header configuration pitfall # https://blog.g3rt.nl/nginx-add_header-pitfall.html # * Nginx - ngx_http_headers_module - add_header # https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header # # Tools # ----- # * Security Headers Analyzer # https://securityheaders.io/ # # 2017-11-23: Be less paranoid, due to the reverse proxy services ... # # # NOTE: Use "always" for security headers. # # WARNING: The "add_header" directive (and some others) are inherited # from the *previous* level *IF AND ONLY IF* there are NO # "add_header" directives defined on the *current* level. # Such behavior leads to the *pitfall* that the added headers # may get *cleared*! In consequence, this common header # configuration file *must* be included within every context # that has "add_header" directives! # # Instruct the client to force a HTTPS connection to the domain and all # its subdomains for 2 year. # See also: https://hstspreload.org/ #add_header Strict-Transport-Security # "max-age=63072000; includeSubdomains; preload" always; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always; # The Content Security Policy (CSP) header allows to define a whitelist # of approved sources of content for the site. By restricting the assets # that a browser can load, CSP can act as an effective countermeasure to # XSS attacks. # # Enforce TLS on all assets and prevent mixed content warnings. add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; # Only allow to load assets from self! #add_header Content-Security-Policy "default-src 'self'" always; # The X-Frame-Options (XFO) header protects the visitors against # clickjacking attacks. # Only allow yourselves to frame your own site. add_header X-Frame-Options "SAMEORIGIN" always; # Do not allow the site to be framed at all! #add_header X-Frame-Options "DENY" always; # Enable the cross-site scripting filter built into most browsers, and # tell the browser to block the response if it detects an attack rather # than sanitizing the script. add_header X-XSS-Protection "1; mode=block" always; # Prevent a browser from trying to MIME-sniff the content type and forces # it to stick with the declared content-type. add_header X-Content-Type-Options "nosniff" always; # Allow a site to control how much information the browser includes with # navigations away from a document. # # The browser will send the full URL to requests to the same origin, but # only send the origin when requests are cross-origin. No information # allowed to be sent when a scheme downgrade happens. add_header Referrer-Policy "strict-origin-when-cross-origin" always;