Add HTTP Security headers to Nginx server
Many of the dangers to web applications surface in the client's web browser. We can defend against them on the server side, but the client's browser is where the malicious actions are actually carried out. HTTP security headers help alleviate some of these risks by telling the client's browser how to handle our site's content and its connections to the server.
They change web browser behaviour to close off security flaws, for example by making the browser accept only a legitimate TLS connection to the server. These headers prevent many types of attacks, such as protocol downgrade attacks like POODLE, content injection attacks like XSS, clickjacking, cross-site request forgery and so on. The eight most important security headers are listed below, and you should use them wherever possible. Also make sure the relevant blocks of your Apache or Nginx server configuration are covered, and add these headers globally.
Edit the Nginx configuration file
You must update the Nginx configuration file. In most cases it can be found at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Debian and Ubuntu), or /etc/nginx/conf.d/nginx.conf (RHEL and CentOS).
Now that you have located the configuration file, use vi or any other text editor to add to or update it:
$ sudo vim /etc/nginx/nginx.conf
How to add HTTP Security headers in Nginx Server?
The security headers are added in the Nginx configuration file with the add_header directive, inside the server block, as follows:
server {
    ....
    # "always" sends each header on error responses (4xx/5xx) as well, not only on 2xx/3xx.
    # Note that a location block inherits these add_header lines only if it has no
    # add_header of its own; a location that sets even one header must repeat all of them.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Permissions-Policy "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Access-Control-Allow-Origin "https://domain.com" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    ....
}
The security headers should be present as shown above, but each value can be tuned further to suit your site.
You can easily test the security headers configuration with this website and earn a place in its hall of fame for the best security headers.
# Redirect plain-HTTP requests to HTTPS. The return must live in its own port-80
# server block: placed inside the 443 block it would redirect to itself forever.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate path/to/fullchain.pem;
    ssl_certificate_key path/to/privkey.pem;
    include path/to/options-ssl-nginx.conf;
    ssl_dhparam path/to/ssl-dhparams.pem;
    root /var/www/html/public_html;
    index index.php;
    server_name domain.com;

    location / {
        try_files $uri $uri.html $uri/ =404;
    }

    # The location above sets no add_header of its own, so it inherits all of these.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header Permissions-Policy "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Access-Control-Allow-Origin "https://domain.com" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
}
Now, we are done editing the Nginx configuration and it's time to test and deploy the changes. So, save the file and exit the text editor.
Verify our configuration, then launch Nginx.
It is a recommended practice to test new configurations before loading them to the production server because a single syntax mistake will prevent the Nginx service from running, which will prevent users from accessing your website. You can use the following command to do so.
$ sudo nginx -t -c /etc/nginx/nginx.conf
Finally, start, restart or reload the server to load the changes:
$ sudo systemctl restart nginx
or
$ sudo service nginx restart
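Once Nginx is running again, the remaining check is whether the headers really reach the client with the values the configuration intends. The following script is an added example, not code from the original article: it audits a response-header map against the eight headers configured above, flagging each as ok, weak or missing. The function names, the domain.com URL and the sample responses are constructed for illustration; audit_headers() works on any dict so it runs offline, parse_raw_headers() accepts the text that curl -I prints, and fetch_headers() pulls live headers from a site you administer.

```python
"""Audit the HTTP security headers a server returns (added example)."""
import re
import urllib.error
import urllib.request

# One year, the max-age used by the Strict-Transport-Security line in the article.
MIN_HSTS_MAX_AGE = 31536000

# Referrer-Policy values that never leak the full URL to a third-party origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def _hsts_ok(value: str) -> bool:
    """max-age must be present and at least one year."""
    m = re.search(r"max-age=(\d+)", value)
    return m is not None and int(m.group(1)) >= MIN_HSTS_MAX_AGE


# Expected header (lower-cased) -> predicate that accepts a safe value.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "permissions-policy": lambda v: v.strip() != "",
    # The article pins CORS to a single origin, so a wildcard is reported as weak.
    "access-control-allow-origin": lambda v: v.strip() != "*",
}


def audit_headers(headers: dict) -> dict:
    """Map each expected header to 'ok', 'weak' (present but unsafe) or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            result[name] = "missing"
        else:
            result[name] = "ok" if check(lowered[name]) else "weak"
    return result


def failing(headers: dict) -> list:
    """Sorted names of the headers that are missing or weak."""
    return sorted(n for n, s in audit_headers(headers).items() if s != "ok")


def parse_raw_headers(text: str) -> dict:
    """Parse 'Name: value' lines such as curl -I output; the status line is skipped."""
    headers = {}
    for line in text.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """HEAD the URL and return its response headers, also for 4xx/5xx answers."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.getheaders())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample: what a server running the article's configuration sends back.
SAMPLE_GOOD = parse_raw_headers("""\
HTTP/1.1 200 OK
Server: nginx
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
Permissions-Policy: interest-cohort=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: https://domain.com
X-Frame-Options: SAMEORIGIN
""")

# Constructed sample with a short HSTS lifetime and no CSP, so the audit has findings.
SAMPLE_BAD = dict(SAMPLE_GOOD)
SAMPLE_BAD["Strict-Transport-Security"] = "max-age=300"
del SAMPLE_BAD["Content-Security-Policy"]

if __name__ == "__main__":
    import sys
    # Pass the URL of a site you administer to audit live headers; otherwise the bad sample is shown.
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BAD
    for name, status in sorted(audit_headers(target).items()):
        print(f"{status:<8} {name}")
```

Run it as python3 audit_headers.py https://domain.com against your own server after the reload; a header that nginx -t accepted but that never reaches the client (typically because a location block defines its own add_header and so drops the inherited ones) shows up as missing.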