I need some help with NGINX security headers, explained like I'm 5 years old
1) I have this problem: I must add to the nginx.conf some security headers like
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;
I am used to using .htaccess to add them, but I have nginx running right now,
so my question is: where must I put the security headers? In which part? Does the place/order matter? I mean at the beginning of the nginx.conf, in the middle, at the end, etc.
Sorry for the stupid question!
2) I have found this guide; is it done correctly? At the beginning of nginx.conf and without { }?
https://gist.github.com/plentz/6737338
(On GitHub the person knows what they are doing, but I wish to double check it, just in case.)
Dentistry is my passion
Comments
Mine are set up inside the http {} block, but before the server {} blocks.
These should be in the server {} block for the listen 443 ssl; server only, to avoid sending them on HTTP requests. They're actually in another file that's included by nginx.conf, but they could go directly into nginx.conf.
Thanks @Mr_Tom!!! OK, so in that case, which is your recommendation? I mean in the nginx.conf or, like you, in another file? What are the pros/cons of both methods?
Making another file will be nice I think, in case you plan multiple websites on the same server in the future.
https://webhorizon.net
Edit - sorry, these should be inside the server {} block for the SSL section only - otherwise you'll be sending them for HTTP requests too.
Either putting them in the block directly, or including another file is fine. I have a security.conf file which has these in and is included in the server {} block as required - but I also have a smaller single site setup which just uses one large nginx.conf file.
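To make the placement concrete, here is an added example layout; it is not from the thread or from the linked gist. It shows an nginx.conf whose http {} block holds a port-80 server that only redirects (so plain-HTTP responses carry no security headers, as suggested above) and a port-443 server that pulls the headers in from a separate snippet file. The file name snippets/security-headers.conf, the certificate paths and example.com are assumptions.

```nginx
# /etc/nginx/nginx.conf (added example; file layout and example.com are assumptions)
events { }

http {
    # Port 80: only redirect to HTTPS. No add_header here, so plain-HTTP
    # responses do not carry the security headers.
    server {
        listen 80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    # Port 443: this is the block the headers belong in.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder paths
        ssl_certificate_key /etc/ssl/private/example.com.key;

        # Pull the headers in from one shared file so every HTTPS vhost
        # gets the same set.
        include /etc/nginx/snippets/security-headers.conf;

        root /var/www/example.com;
    }
}

# /etc/nginx/snippets/security-headers.conf (the file included above)
# "always" makes nginx send the header on error responses (4xx/5xx) too,
# not only on 2xx/3xx.
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
```

The order of the add_header lines relative to each other does not matter; what matters is which block they sit in. Run nginx -t after editing to check the syntax, then request a page over HTTPS with curl -I and confirm the three headers appear in the response. One caveat on the third header: current Chromium-based browsers have removed their XSS auditor and Firefox never had one, so X-XSS-Protection does nothing in them; X-Frame-Options and X-Content-Type-Options are still honoured.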
Thanks @Abdullah! So in the nginx.conf for 1 website, and another file if I plan to use it for more websites.
You can do it Apache style and create a site config for each site in /etc/nginx/sites-available and then create a symlink for each "active" site into sites-enabled. Then in your nginx.conf file just add include /etc/nginx/sites-enabled/*;
In each of the sites own config file, you can then include any specific additional files - such as a file with security headers.
I usually add these in the server block itself, for every vhost.
No worries, I am going to check it and do it, hopefully it would be working fine.
> @Mr_Tom said:
Thanks @Mr_Tom! I am going to do it tomorrow, hopefully everything would be alright.
Thanks for them @SagnikS!
Something to be aware of, which tripped me up a number of times: add_header declarations are generally inherited from enclosing blocks. E.g., if headers are specified in a server block, they'll propagate to nested location blocks. However, if a nested block has any add_header lines of its own, that wipes out any inherited headers, so you'd have to re-declare them. I took to specifying security headers in a little snippet, which gets included in any blocks that need it.
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
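An added example of the inheritance pitfall described above; it is not from the thread. A location block with its own add_header loses the headers inherited from the server block, and re-including the snippet in that block restores them. The paths, example.com and the snippet file name are assumptions.

```nginx
# Added example (not from the thread); paths and example.com are assumptions.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Snippet holding X-Frame-Options, X-Content-Type-Options, X-XSS-Protection.
    include /etc/nginx/snippets/security-headers.conf;

    # Inherits the headers from the server block: responses carry them.
    location / {
        root /var/www/example.com;
    }

    # BROKEN: this block declares its own add_header, so the inherited set
    # is dropped. Responses under /static/ get Cache-Control but none of
    # the security headers.
    location /static/ {
        root /var/www/example.com;
        add_header Cache-Control "public, max-age=3600";
    }

    # FIXED: re-include the snippet next to the block's own add_header so
    # this block's complete header set is declared locally.
    location /assets/ {
        root /var/www/example.com;
        add_header Cache-Control "public, max-age=3600";
        include /etc/nginx/snippets/security-headers.conf;
    }
}
```

A quick way to catch this in a deployed config is to fetch one URL from each location with curl -sI and compare the header sets; any location that defines its own add_header (cache headers on static assets are the usual case) needs the snippet included again.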
Thanks @seanho!