
Configure Essential Security HTTP Headers in Nginx

Enhance your web application's security by configuring critical HTTP headers like HSTS, X-Frame-Options, X-Content-Type-Options, and CSP directly in your Nginx server block.

```nginx
# Add these directives inside your 'server' block or 'location' block.
# Note: add_header is inherited from the enclosing level only when the current level
# defines no add_header of its own, so a location block that adds even one header
# must repeat the whole set.

# HTTP Strict Transport Security (HSTS) - Enforce HTTPS
# max-age: how long (in seconds) the browser should remember to only access the site using HTTPS
# includeSubDomains: applies HSTS to all subdomains
# preload: opt-in to include your domain in browsers' HSTS preload list (requires submission)
# 'always' makes Nginx add the header to every response code, not only 2xx/3xx responses
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# X-Frame-Options - Prevent clickjacking attacks
# DENY: page cannot be displayed in a frame
# SAMEORIGIN: page can only be displayed in a frame on the same origin as the page itself
add_header X-Frame-Options "SAMEORIGIN" always;

# X-Content-Type-Options - Prevent MIME-type sniffing
# nosniff: stops browsers from guessing ("sniffing") the content type, so a file served as
# text or an image cannot be reinterpreted as script (one class of XSS)
add_header X-Content-Type-Options "nosniff" always;

# X-XSS-Protection - Enable built-in browser XSS filter (deprecated, CSP is preferred)
# Still useful for older browsers that don't support CSP fully.
# "1; mode=block": enables XSS filter, blocks entire page if XSS attack detected
# Caveat: current OWASP guidance is to send "0" (or omit the header), because the legacy
# filter itself has been a source of information leaks; keep it only if you rely on it.
add_header X-XSS-Protection "1; mode=block" always;

# Referrer-Policy - Control how much referrer information is sent
# no-referrer-when-downgrade: send the full referrer for same-origin and cross-origin
# requests, except when the request goes from HTTPS to HTTP (a downgrade)
add_header Referrer-Policy "no-referrer-when-downgrade" always;

# Content Security Policy (CSP) - Most powerful XSS mitigation
# This is a complex header; the policy below is a basic example.
# default-src 'self': only allow resources from the same origin unless a more specific directive applies.
# script-src 'self': scripts only from the same origin. 'unsafe-inline' and 'unsafe-eval' are
# deliberately absent; where inline scripts are needed, use nonces/hashes instead of adding them.
# style-src 'self' 'unsafe-inline': inline styles are tolerated here; in a real application
# replace 'unsafe-inline' with specific sources or hashes/nonces as well.
# The value must stay on one line: an HTTP header value cannot contain line breaks.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';" always;
```
How it works: This Nginx configuration snippet demonstrates how to add essential security HTTP headers to responses, significantly enhancing web application security. It includes `Strict-Transport-Security` for enforcing HTTPS, `X-Frame-Options` to prevent clickjacking, `X-Content-Type-Options` to prevent MIME-type sniffing, `X-XSS-Protection` for legacy browser XSS filtering, `Referrer-Policy` for controlling referrer information, and a basic `Content-Security-Policy` (CSP) to mitigate various injection attacks like XSS by restricting allowed content sources.
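To confirm the headers actually reach the client (for example after a `location` block with its own `add_header` silently dropped the inherited ones), here is an added Python checker that is not part of the original snippet: it parses raw response headers as `curl -sI` prints them and flags missing or weak values against the policy above. Both sample responses are constructed, not captured from a real host.

```python
import re

# Constructed sample responses (what `curl -sI` would print); not captured from a real host.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
)
HARDENED_RESPONSE = (  # what the add_header directives above produce
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\r\n"
)

def parse_headers(raw):
    # Map lower-cased header names to values, skipping the status line.
    pairs = (line.split(":", 1) for line in raw.splitlines()[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def csp_directives(csp):
    # Split a CSP value into {directive: [source expressions]}.
    parts = (part.split() for part in csp.split(";"))
    return {tokens[0].lower(): tokens[1:] for tokens in parts if tokens}

def check_security_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    h, findings = parse_headers(raw), []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing Strict-Transport-Security")
    elif int(m.group(1)) < 31536000:  # one year, as set in the snippet above
        findings.append("HSTS max-age below one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = csp_directives(csp)  # script-src falls back to default-src when absent
        for src in ("'unsafe-inline'", "'unsafe-eval'"):
            if src in d.get("script-src", d.get("default-src", [])):
                findings.append(f"script-src allows {src}")
    return findings
```

Feed it the output of `curl -sI https://your-host/` for each location you care about; a non-empty list on one path but not another is the inheritance gotcha noted in the config comments.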
