
Configure Essential HTTP Security Headers

Enhance web application security by configuring critical HTTP headers like Content-Security-Policy (CSP), HSTS, and X-Frame-Options to mitigate common attacks.

# Nginx configuration example (server blocks belong inside the http block)
server {
    listen 80;
    server_name example.com www.example.com;

    # Redirect all HTTP traffic to HTTPS (also required for HSTS preload submission)
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # ... SSL configuration ...

    # "always" makes Nginx add the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
    # Caveat: a location block that has its own add_header directive does NOT inherit these
    # server-level headers; repeat them in that location block.

    # Strict-Transport-Security (HSTS): tells browsers to use HTTPS only, for the given duration.
    # max-age: 1 year; includeSubDomains: applies to all subdomains;
    # preload: allows inclusion in browser HSTS preload lists (requires prior submission).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # X-Frame-Options: prevents clickjacking by controlling whether the site can be embedded in frames.
    # DENY: the site is never displayed in a frame, regardless of who is framing it.
    # SAMEORIGIN: the site may be framed only by pages from the same origin.
    add_header X-Frame-Options "DENY" always;

    # X-Content-Type-Options: stops browsers MIME-sniffing a response away from the declared Content-Type.
    # nosniff: the browser must not reinterpret a file as a different MIME type
    # (e.g. execute a file served as an image as if it were a script).
    add_header X-Content-Type-Options "nosniff" always;

    # Referrer-Policy: controls how much referrer information is sent with outgoing requests.
    # no-referrer-when-downgrade: the historical browser default; sends the full URL except
    # when going from HTTPS to HTTP.
    # same-origin: sends the referrer only for same-origin requests.
    # no-referrer: never sends referrer information.
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # Content-Security-Policy (CSP): mitigates XSS and data injection attacks.
    # Specifies the allowed sources for each content type (scripts, styles, images, etc.).
    # Example: allow scripts only from the same origin and a trusted CDN.
    # Note: 'unsafe-inline' in style-src weakens the policy; drop it once inline styles are moved to files.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com;" always;

    # ... other server configurations ...
}

How it works: This snippet is an Nginx configuration example for setting essential HTTP security headers. These headers instruct browsers how to behave when interacting with your site, which removes whole classes of client-side attack. `Strict-Transport-Security` enforces HTTPS, `X-Frame-Options` prevents clickjacking, `X-Content-Type-Options` stops MIME-sniffing, `Referrer-Policy` limits referrer information leakage, and `Content-Security-Policy` (CSP) prevents XSS and data injection by allow-listing trusted content sources.
