I need some help with NGINX security headers, explained for a 5-year-old

1) I have this problem: I must add to the nginx.conf some security headers like

add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options nosniff;

I am used to using .htaccess to add them, but I have nginx running right now.

So my question is: where must I put the security headers? In which part? Does the place/order matter? I mean at the beginning of the nginx.conf, in the middle, at the end, etc.

Sorry for the stupid question !

2) I have found this guide. Is it done correctly? At the beginning of nginx.conf and without { }?
https://gist.github.com/plentz/6737338
(On GitHub the person knows what they are doing, but I wish to double check it, just in case.)

Dentistry is my passion

Comments

  • Mr_Tom (Hosting Provider, OG)
    edited May 31

    Mine are setup inside the http {} block, but before the server {} blocks.

    These should be in the server {} block for the listen 443 ssl; server only to avoid sending them on http requests.

    They're actually in another file that's included by nginx.conf, but they could go direct into nginx.conf

  • Chievo (OG)
    edited May 31

    Thanks @Mr_Tom!!! OK, so in that case, which is your recommendation? I mean in the nginx.conf or, like you, in another file? What are the pros/cons of both methods?

    Dentistry is my passion

  • Abdullah (Hosting Provider, OG)

    Making another file will be nice I think, in case you plan multiple websites on same server in future.

    Thanked by (1)Chievo
  • Mr_Tom (Hosting Provider, OG)

    Edit - sorry, these should be inside the server {} block for the SSL section only - otherwise you'll be sending them for HTTP requests too.

    Either putting them in the block directly, or including another file is fine. I have a security.conf file which has these in and is included in the server {} block as required - but I also have a smaller single site setup which just uses one large nginx.conf file.

    Thanked by (1)Chievo
  • @Abdullah said:
    Making another file will be nice I think, in case you plan multiple websites on same server in future.

    Thanks @Abdullah! So in the nginx.conf for 1 website, and another file if I plan to use it for more websites.

    Dentistry is my passion

  • Mr_Tom (Hosting Provider, OG)

    @Chievo said: So in the nginx.conf for 1 website, and another file if I plan to use it for more websites.

    You can do it apache style and create a site config for each site in /etc/nginx/sites-available and then create a symlink for each "active" site into sites-enabled. Then in your nginx.conf file just add include /etc/nginx/sites-enabled/*;

    In each of the sites own config file, you can then include any specific additional files - such as a file with security headers.

    Thanked by (2)Abdullah Chievo
  • SagnikS (Hosting Provider, OG)

    I usually add these in the server block itself, for every vhost.

        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy same-origin;
    
    Thanked by (1)Chievo
  • @Mr_Tom said:
    Edit - sorry, these should be inside the server {} block for the SSL section only - otherwise you'll be sending them for HTTP requests too.

    Either putting them in the block directly, or including another file is fine. I have a security.conf file which has these in and is included in the server {} block as required - but I also have a smaller single site setup which just uses one large nginx.conf file.

    No worries, I am going to check it and do it; hopefully it will be working fine.

  • @Mr_Tom said:
    Edit - sorry, these should be inside the server {} block for the SSL section only - otherwise you'll be sending them for HTTP requests too.

    Either putting them in the block directly, or including another file is fine. I have a security.conf file which has these in and is included in the server {} block as required - but I also have a smaller single site setup which just uses one large nginx.conf file.

    Thanks @Mr_Tom! I am going to do it tomorrow; hopefully everything will be alright.

    Dentistry is my passion

  • @SagnikS said:
    I usually add these in the server block itself, for every vhost.

        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy same-origin;
    

    Thanks for them @SagnikS !

    Dentistry is my passion

  • Something to be aware of, which tripped me up a number of times: add_header declarations are generally inherited from enclosing blocks. E.g., if headers are specified in a server block, they'll propagate to nested location blocks. However, if a nested block has any add_header lines of its own, that wipes out any inherited headers, so you'd have to re-declare them.

    I took to specifying security headers in a little snippet, which gets included in any blocks that need it.

    https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

    Thanked by (1)Chievo
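As an added example (not from this thread or the linked gist), here is a constructed layout that pulls together the advice above: the sites-enabled include from nginx.conf, the headers only on the `listen 443 ssl` server block, and the snippet re-included in any location that declares its own add_header, since that replaces the inherited set. The paths /etc/nginx/snippets/security.conf, the certificate files and example.com are assumptions.

```nginx
# /etc/nginx/nginx.conf (trimmed): Apache-style per-site configs
http {
    include /etc/nginx/sites-enabled/*;
}

# /etc/nginx/snippets/security.conf (assumed path): the headers themselves.
# Kept in one file so every block that needs them includes the same list.
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header Referrer-Policy same-origin;
# HSTS belongs only on the TLS block, which is why the snippet is never
# included in the port-80 server below. "always" makes nginx send the
# header on error responses too, not just 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000" always;

# /etc/nginx/sites-enabled/example.com (constructed example site)
server {
    listen 80;
    server_name example.com;
    # No security headers here: this block only redirects to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder
    root /var/www/example.com;

    include /etc/nginx/snippets/security.conf;

    location / {
        # No add_header of its own, so the server-level headers are inherited.
        try_files $uri $uri/ =404;
    }

    location /downloads/ {
        # This block has its own add_header, which replaces rather than
        # extends the inherited set, so the snippet must be included again.
        add_header Cache-Control "public, max-age=3600";
        include /etc/nginx/snippets/security.conf;
    }
}
```

After editing, run `nginx -t` before reloading, then compare `curl -sI https://example.com/` with `curl -sI https://example.com/downloads/` to confirm both paths return the same security headers and that `curl -sI http://example.com/` returns only the redirect.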
  • @seanho said:
    Something to be aware of, which tripped me up a number of times: add_header declarations are generally inherited from enclosing blocks. E.g., if headers are specified in a server block, they'll propagate to nested location blocks. However, if a nested block has any add_header lines of its own, that wipes out any inherited headers, so you'd have to re-declare them.

    I took to specifying security headers in a little snippet, which gets included in any blocks that need it.

    https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

    Thanks @seanho !

    Dentistry is my passion
