user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; # ----------------------------------------------- # SECURITY HEADERS CONFIGURATION FOR NGINX # ----------------------------------------------- # 1. HTTP Strict Transport Security (HSTS) - CRITICAL FIX # Forces the browser to use HTTPS for a year after the first successful connection. # This prevents man-in-the-middle downgrade attacks (SSL Strip). add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # 2. X-Frame-Options - CRITICAL FIX # Stops the site from being embedded in an iframe, preventing clickjacking attacks. # SAMEORIGIN allows framing by pages on the same domain. Use DENY to forbid all framing. add_header X-Frame-Options "SAMEORIGIN" always; # 3. X-Content-Type-Options # Prevents content sniffing, which can stop a browser from executing files it shouldn't. add_header X-Content-Type-Options "nosniff" always; # 4. Content Security Policy (CSP) - HIGHLY RECOMMENDED FIX # A very strong defense against XSS. This is a secure-by-default, moderately restrictive # policy that only allows content (scripts, styles, images) from your own domain. # Customize this policy extensively as your application design requires it. # The 'report-uri' can be used to monitor violations. add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always; # 5. Referrer-Policy # Controls how much referrer information is sent along with requests. # no-referrer-when-downgrade is a common secure default. add_header Referrer-Policy "no-referrer-when-downgrade" always; # 6. Permissions-Policy (Feature-Policy) # Disables potentially dangerous or unnecessary browser features like geolocation, camera, etc. # Customize the features list to only include what your site needs. add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; # 7. Information Disclosure: Removing the Server Header # While not a 'vulnerability fix,' it's good practice to remove the server version. server_tokens off; }