
Configure Essential Security Headers in Nginx

Enhance web application security by configuring critical HTTP security headers like X-Content-Type-Options and Referrer-Policy directly within your Nginx server block.

server {
    listen 80;
    server_name example.com www.example.com;

    # Redirect HTTP to HTTPS (important for security, often used with HSTS)
    # uncomment the line below in production once HTTPS is fully configured:
    # return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.3 suites are negotiated by OpenSSL independently of this list; only the ECDHE entries apply to TLS 1.2
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used for OCSP stapling lookups; prefer an internal resolver where one is available
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # Strict-Transport-Security (HSTS): tells browsers to use HTTPS only. Crucial for security.
    # Enable once HTTPS works on every subdomain; max-age and preload are hard to roll back.
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # X-Content-Type-Options: Prevents browsers from MIME-sniffing a response away from the declared content-type. Essential.
    add_header X-Content-Type-Options "nosniff" always;

    # X-XSS-Protection: Mostly obsolete/deprecated, but sometimes used for very old browsers. CSP is preferred.
    # add_header X-XSS-Protection "1; mode=block" always;

    # Referrer-Policy: Controls how much referrer information is included with requests. Enhances privacy.
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # Permissions-Policy (formerly Feature-Policy): Control browser features like camera, microphone, geolocation.
    add_header Permissions-Policy "geolocation=(self), microphone=(), camera=()" always;

    # Hide the nginx version in the Server header and error pages (the header itself stays;
    # this is obscurity rather than a control, but still good practice)
    server_tokens off;

    # add_header directives above are inherited here only because this location defines none of
    # its own; any location that adds its own header must repeat the server-level ones.
    location / {
        root /var/www/html;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }
}
How it works: This Nginx configuration snippet demonstrates how to set several important HTTP security headers. `X-Content-Type-Options: nosniff` stops browsers from MIME-sniffing a response away from its declared Content-Type, which mitigates attacks that depend on content being interpreted as a different type than the server declared. `Referrer-Policy: no-referrer-when-downgrade` controls how much referrer information is sent with requests: the referrer is included as long as the protocol security level does not drop, and it is omitted on an HTTPS-to-HTTP navigation. `Permissions-Policy` lets you explicitly allow or deny browser features such as camera, microphone or geolocation for your site, so scripts cannot use a denied feature. The snippet also includes a solid TLS configuration as a foundation and a commented-out `Strict-Transport-Security` (HSTS) header, which is vital for enforcing HTTPS once it is fully deployed. The `server_tokens off;` directive hides the nginx version information from the Server header and error pages.
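To confirm that the headers above actually reach the client (for example after a deploy, or to catch a location block that overrides them), here is an added Python check that is not part of the original snippet: it parses a raw response head and reports missing or weak values. The sample responses are constructed, and the one-year HSTS minimum and the denied camera/microphone features are assumptions taken from the snippet.

```python
import re
# Policies expected from the nginx block above. The one-year HSTS minimum
# matches the commented-out Strict-Transport-Security line in that snippet.
MIN_HSTS_AGE = 31536000
ALLOWED_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin", "no-referrer-when-downgrade"}

def parse_headers(raw: str) -> dict:  # {lower-name: [values]}, duplicates kept
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_ok(value: str) -> bool:
    # max-age present, at least one year, plus includeSubDomains, as in the snippet
    d = [x.strip().lower() for x in value.split(";")]
    age = next((x[8:] for x in d if x.startswith("max-age=")), "")
    return age.isdigit() and int(age) >= MIN_HSTS_AGE and "includesubdomains" in d

CHECKS = {
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in ALLOWED_REFERRER,
    # camera and microphone must be denied to every origin, as the snippet sets them
    "permissions-policy": lambda v: all(f"{f}=()" in v.replace(" ", "").lower() for f in ("camera", "microphone")),
}

def audit(raw: str) -> list:
    """Return findings for one response; an empty list means every expected header is sound."""
    headers = parse_headers(raw)
    findings = []
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
        elif not all(check(v) for v in values):  # every copy of the header must pass
            findings.append(f"weak {name}: {values}")
    # server_tokens off leaves 'Server: nginx'; a version suffix means it is not in effect
    if any(re.search(r"/\d", v) for v in headers.get("server", [])):
        findings.append("server header exposes version")
    return findings

# Constructed sample responses (not captured from a real host): the snippet with HSTS still
# commented out and server_tokens not yet applied, then the hardened result.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nX-Content-Type-Options: nosniff\r\n"
          "Referrer-Policy: no-referrer-when-downgrade\r\n"
          "Permissions-Policy: geolocation=(self), microphone=(), camera=()\r\n\r\n")
AFTER = BEFORE.replace("nginx/1.24.0", "nginx").replace("\r\n\r\n",
        "\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n\r\n")
```

Feed it the output of `curl -sI https://example.com/` for each path you serve, since a location with its own `add_header` silently drops the server-level headers.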
