improving security on nginx

This commit is contained in:
2025-11-26 12:30:02 +02:00
parent acb6ff7814
commit 0d60e6c636
2 changed files with 71 additions and 0 deletions

View File

@@ -42,6 +42,8 @@ FROM nginx:1.25.2-alpine
# copy the info of the builded web app to nginx # copy the info of the builded web app to nginx
COPY --from=build-env /app/build/web /usr/share/nginx/html COPY --from=build-env /app/build/web /usr/share/nginx/html
# Expose and run nginx # Expose and run nginx
EXPOSE 80 EXPOSE 80
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]

69
nginx.conf Normal file
View File

@@ -0,0 +1,69 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
# -----------------------------------------------
# SECURITY HEADERS CONFIGURATION FOR NGINX
# -----------------------------------------------
# 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX
# Forces the browser to use HTTPS for a year after the first successful connection.
# This prevents man-in-the-middle downgrade attacks (SSL Strip).
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 2. X-Frame-Options - CRITICAL FIX
# Stops the site from being embedded in an iframe, preventing clickjacking attacks.
# SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing.
add_header X-Frame-Options "SAMEORIGIN" always;
# 3. X-Content-Type-Options
# Prevents content sniffing, which can stop a browser from executing files it shouldn't.
add_header X-Content-Type-Options "nosniff" always;
# 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX
# A very strong defense against XSS. This is a secure-by-default, moderately restrictive
# policy that only allows content (scripts, styles, images) from your own domain.
# Customize this policy extensively as your application design requires it.
# The 'report-uri' can be used to monitor violations.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;
# 5. Referrer-Policy
# Controls how much referrer information is sent along with requests.
# no-referrer-when-downgrade is a common secure default.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# 6. Permissions-Policy (Feature-Policy)
# Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc.
# Customize the features list to only include what your site needs.
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# 7. Information Disclosure: Removing the Server Header
# While not a 'vulnerability fix,' it's good practice to remove the server version.
server_tokens off;
}