From 0d60e6c636c5692dede5a9204be02e8af90b01a3 Mon Sep 17 00:00:00 2001 From: Vusumuzi Khoza Date: Wed, 26 Nov 2025 12:30:02 +0200 Subject: [PATCH] improving security on nginx --- Dockerfile | 2 ++ nginx.conf | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 nginx.conf diff --git a/Dockerfile b/Dockerfile index 3ab557d..2cb4fee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,6 +42,8 @@ FROM nginx:1.25.2-alpine # copy the info of the builded web app to nginx COPY --from=build-env /app/build/web /usr/share/nginx/html + + # Expose and run nginx EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..cafc65f --- /dev/null +++ b/nginx.conf @@ -0,0 +1,69 @@ +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; + + # ----------------------------------------------- + # SECURITY HEADERS CONFIGURATION FOR NGINX + # ----------------------------------------------- + + # 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX + # Forces the browser to use HTTPS for a year after the first successful connection. + # This prevents man-in-the-middle downgrade attacks (SSL Strip). + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + # 2. X-Frame-Options - CRITICAL FIX + # Stops the site from being embedded in an iframe, preventing clickjacking attacks. + # SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing. + add_header X-Frame-Options "SAMEORIGIN" always; + + # 3. X-Content-Type-Options + # Prevents content sniffing, which can stop a browser from executing files it shouldn't. + add_header X-Content-Type-Options "nosniff" always; + + # 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX + # A very strong defense against XSS. This is a secure-by-default, moderately restrictive + # policy that only allows content (scripts, styles, images) from your own domain. + # Customize this policy extensively as your application design requires it. + # The 'report-uri' can be used to monitor violations. + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always; + + # 5. Referrer-Policy + # Controls how much referrer information is sent along with requests. + # no-referrer-when-downgrade is a common secure default. + add_header Referrer-Policy "no-referrer-when-downgrade" always; + + # 6. Permissions-Policy (Feature-Policy) + # Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc. + # Customize the features list to only include what your site needs. + add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; + + # 7. Information Disclosure: Removing the Server Header + # While not a 'vulnerability fix,' it's good practice to remove the server version. + server_tokens off; +} \ No newline at end of file