I need some help for NGINX security headers for a 5years old
1) I have this problem i must add to the nginx.conf some security headers like
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options “DENY”;
add_header X-Content-Type-Options nosniff;
I am used to use htaccess to add them but i have nginx running right now
so my question is where i must put the security headers ? In which part ? the place/order matter ? I mean beginning of the nginx.conf , in the middle , on the final etc .
Sorry for the stupid question !
2) I have found this guide , is done correctly ? on the beginning of nginx.conf and without { } ?
https://gist.github.com/plentz/6737338
(github the person knows what is doing but i wish to double check it, just in case )
Dentistry is my passion
Comments
Mine are setup inside the http {} block, but before the server {} blocks.
These should be in the server {} block for the
listen 443 ssl;
server only to avoid sending them on http requests.They're actually in another file that's included by nginx.conf, but they could go direct into nginx.conf
Thanks @Mr_Tom !!! OK so in that case ,which is your recomendatión To use it ? I mean in the nginx.conf or like you in another file? Which is the pro/cons of both methods
Dentistry is my passion
Making another file will be nice I think, in case you plan multiple websites on same server in future.
Webhosting - NVMe SSD, Cloudlinux, Litespeed, SSH Access
KVM VPS Singapore | 256MB NAT VPS - LA, NY, CH, NL, IN, SG, JP starts $7 per year!
Edit - sorry, these should be inside the server {} block for the SSL section only - otherwise you'll be sending them for HTTP requests too.
Either putting them in the block directly, or including another file is fine. I have a security.conf file which has these in and is included in the server {} block as required - but I also have a smaller single site setup which just uses one large nginx.conf file.
Thanks @Abdullah! So in the nginx.conf for 1website and another file if i plan To use it for more websites
Dentistry is my passion
You can do it apache style and create a site config for each site in
/etc/nginx/sites-available
and then create a symlink for each "active" site into sites-enabled. Then in your nginx.conf file just addinclude /etc/nginx/sites-enabled/*;
In each of the sites own config file, you can then include any specific additional files - such as a file with security headers.
I usually add these in the server block itself, for every vhost.
no worries i am going to check it and do it , hopefully it would be working fine.> @Mr_Tom said:
Thanks @Mr_Tom ! I am going To do it tomorrow hopefully everything would be alright
Dentistry is my passion
Thanks for them @SagnikS !
Dentistry is my passion
Something to be aware of, which tripped me up a number of times:
add_header
declarations are generally inherited from enclosing blocks. E.g., if headers are specified in aserver
block, they'll propagate to nestedlocation
blocks. However, if a nested block has anyadd_header
lines of its own, that wipes out any inherited headers, so you'd have to re-declare them.I took to specifying security headers in a little snippet, which gets included in any blocks that need it.
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
Thanks @seanho !
Dentistry is my passion