improving security on nginx
This commit is contained in:
@@ -42,8 +42,6 @@ FROM nginx:1.25.2-alpine
|
|||||||
# copy the info of the builded web app to nginx
|
# copy the info of the builded web app to nginx
|
||||||
COPY --from=build-env /app/build/web /usr/share/nginx/html
|
COPY --from=build-env /app/build/web /usr/share/nginx/html
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Expose and run nginx
|
# Expose and run nginx
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
CMD ["nginx", "-g", "daemon off;"]
|
CMD ["nginx", "-g", "daemon off;"]
|
||||||
69
nginx.conf
69
nginx.conf
@@ -1,69 +0,0 @@
|
|||||||
user nginx;
|
|
||||||
worker_processes auto;
|
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log notice;
|
|
||||||
pid /var/run/nginx.pid;
|
|
||||||
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 1024;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
#tcp_nopush on;
|
|
||||||
|
|
||||||
keepalive_timeout 65;
|
|
||||||
|
|
||||||
#gzip on;
|
|
||||||
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
|
|
||||||
# -----------------------------------------------
|
|
||||||
# SECURITY HEADERS CONFIGURATION FOR NGINX
|
|
||||||
# -----------------------------------------------
|
|
||||||
|
|
||||||
# 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX
|
|
||||||
# Forces the browser to use HTTPS for a year after the first successful connection.
|
|
||||||
# This prevents man-in-the-middle downgrade attacks (SSL Strip).
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
||||||
|
|
||||||
# 2. X-Frame-Options - CRITICAL FIX
|
|
||||||
# Stops the site from being embedded in an iframe, preventing clickjacking attacks.
|
|
||||||
# SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing.
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
|
|
||||||
# 3. X-Content-Type-Options
|
|
||||||
# Prevents content sniffing, which can stop a browser from executing files it shouldn't.
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
|
|
||||||
# 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX
|
|
||||||
# A very strong defense against XSS. This is a secure-by-default, moderately restrictive
|
|
||||||
# policy that only allows content (scripts, styles, images) from your own domain.
|
|
||||||
# Customize this policy extensively as your application design requires it.
|
|
||||||
# The 'report-uri' can be used to monitor violations.
|
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;
|
|
||||||
|
|
||||||
# 5. Referrer-Policy
|
|
||||||
# Controls how much referrer information is sent along with requests.
|
|
||||||
# no-referrer-when-downgrade is a common secure default.
|
|
||||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
||||||
|
|
||||||
# 6. Permissions-Policy (Feature-Policy)
|
|
||||||
# Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc.
|
|
||||||
# Customize the features list to only include what your site needs.
|
|
||||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
|
|
||||||
|
|
||||||
# 7. Information Disclosure: Removing the Server Header
|
|
||||||
# While not a 'vulnerability fix,' it's good practice to remove the server version.
|
|
||||||
server_tokens off;
|
|
||||||
}
|
|
||||||
Reference in New Issue
Block a user