improving security on nginx
This commit is contained in:
69
nginx.conf
69
nginx.conf
@@ -1,69 +0,0 @@
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
# -----------------------------------------------
|
||||
# SECURITY HEADERS CONFIGURATION FOR NGINX
|
||||
# -----------------------------------------------
|
||||
|
||||
# 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX
|
||||
# Forces the browser to use HTTPS for a year after the first successful connection.
|
||||
# This prevents man-in-the-middle downgrade attacks (SSL Strip).
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
|
||||
# 2. X-Frame-Options - CRITICAL FIX
|
||||
# Stops the site from being embedded in an iframe, preventing clickjacking attacks.
|
||||
# SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing.
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
|
||||
# 3. X-Content-Type-Options
|
||||
# Prevents content sniffing, which can stop a browser from executing files it shouldn't.
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
|
||||
# 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX
|
||||
# A very strong defense against XSS. This is a secure-by-default, moderately restrictive
|
||||
# policy that only allows content (scripts, styles, images) from your own domain.
|
||||
# Customize this policy extensively as your application design requires it.
|
||||
# The 'report-uri' can be used to monitor violations.
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;
|
||||
|
||||
# 5. Referrer-Policy
|
||||
# Controls how much referrer information is sent along with requests.
|
||||
# no-referrer-when-downgrade is a common secure default.
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
|
||||
# 6. Permissions-Policy (Feature-Policy)
|
||||
# Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc.
|
||||
# Customize the features list to only include what your site needs.
|
||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
|
||||
|
||||
# 7. Information Disclosure: Removing the Server Header
|
||||
# While not a 'vulnerability fix,' it's good practice to remove the server version.
|
||||
server_tokens off;
|
||||
}
|
||||
Reference in New Issue
Block a user