From ab19958f711929b5c7bb1d537a9e96516f357926 Mon Sep 17 00:00:00 2001 From: Vusumuzi Khoza Date: Wed, 26 Nov 2025 12:34:01 +0200 Subject: [PATCH] improving security on nginx --- Dockerfile | 2 -- nginx.conf | 69 ------------------------------------------------------ 2 files changed, 71 deletions(-) delete mode 100644 nginx.conf diff --git a/Dockerfile b/Dockerfile index 2cb4fee..3ab557d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,8 +42,6 @@ FROM nginx:1.25.2-alpine # copy the info of the builded web app to nginx COPY --from=build-env /app/build/web /usr/share/nginx/html - - # Expose and run nginx EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index cafc65f..0000000 --- a/nginx.conf +++ /dev/null @@ -1,69 +0,0 @@ -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/conf.d/*.conf; - - # ----------------------------------------------- - # SECURITY HEADERS CONFIGURATION FOR NGINX - # ----------------------------------------------- - - # 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX - # Forces the browser to use HTTPS for a year after the first successful connection. - # This prevents man-in-the-middle downgrade attacks (SSL Strip). - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - # 2. X-Frame-Options - CRITICAL FIX - # Stops the site from being embedded in an iframe, preventing clickjacking attacks. - # SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing. - add_header X-Frame-Options "SAMEORIGIN" always; - - # 3. X-Content-Type-Options - # Prevents content sniffing, which can stop a browser from executing files it shouldn't. - add_header X-Content-Type-Options "nosniff" always; - - # 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX - # A very strong defense against XSS. This is a secure-by-default, moderately restrictive - # policy that only allows content (scripts, styles, images) from your own domain. - # Customize this policy extensively as your application design requires it. - # The 'report-uri' can be used to monitor violations. - add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always; - - # 5. Referrer-Policy - # Controls how much referrer information is sent along with requests. - # no-referrer-when-downgrade is a common secure default. - add_header Referrer-Policy "no-referrer-when-downgrade" always; - - # 6. Permissions-Policy (Feature-Policy) - # Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc. - # Customize the features list to only include what your site needs. - add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; - - # 7. Information Disclosure: Removing the Server Header - # While not a 'vulnerability fix,' it's good practice to remove the server version. - server_tokens off; -} \ No newline at end of file