NGINX
Configuring Essential Security Headers in Nginx for Web Applications
Enhance your web application's security posture by configuring critical HTTP security headers like HSTS, CSP, and X-Frame-Options directly in your Nginx server.
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# SSL Configuration (assuming valid certs are configured)
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# Security Headers
# Note: add_header is inherited from the server level only if the enclosing
# location defines no add_header of its own; if you add one in a location,
# repeat all of these there. The "always" parameter attaches the header to
# error responses too (without it, only 2xx/3xx responses get it).
# HTTP Strict Transport Security (HSTS) - force HTTPS for one year.
# includeSubDomains requires every subdomain to serve valid TLS, and preload
# submits the domain to browser preload lists, which is hard to reverse;
# roll out without those two tokens first.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# X-Frame-Options - prevent clickjacking (CSP frame-ancestors below is the modern equivalent)
add_header X-Frame-Options "DENY" always;
# X-Content-Type-Options - prevent MIME-sniffing
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection - the legacy browser XSS auditor has been removed from current
# browsers and could be abused for cross-site leaks; disable it rather than enable it.
add_header X-XSS-Protection "0" always;
# Referrer-Policy - send only the origin on cross-origin requests, nothing on HTTPS->HTTP
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Content Security Policy (CSP) - mitigate XSS and data injection.
# THIS IS AN EXAMPLE, ADJUST CAREFULLY FOR YOUR APPLICATION'S NEEDS!
# 'unsafe-inline' in script-src largely defeats the XSS protection; replace it with
# nonces or hashes as soon as the application can emit them. Keep the value on one
# line: a line break inside the quoted string becomes part of the header value.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';" always;
location / {
# Proxy pass to your application server (e.g., Node.js, PHP-FPM, Python Gunicorn).
# Do not add add_header directives here unless you also repeat the server-level ones.
# proxy_pass http://localhost:3000;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
root /var/www/html; # Example for static files
index index.html index.htm;
}
}
How it works: This Nginx configuration emits the core HTTP security headers from the web server rather than from application code. The port 80 server block redirects every request to HTTPS, and HSTS then tells browsers to refuse plain HTTP for the domain (and, with `includeSubDomains` and `preload`, for all subdomains, which must therefore all serve valid TLS). `X-Frame-Options: DENY` prevents clickjacking, with CSP's `frame-ancestors` directive as its modern equivalent; `X-Content-Type-Options: nosniff` stops browsers from reinterpreting responses as scripts or styles. `X-XSS-Protection` controlled the legacy browser XSS auditor, which current browsers no longer ship and which could be abused for cross-site leaks, so the recommended value today is `0` (disabled), not `1; mode=block`. The `Content-Security-Policy` restricts where scripts, styles, images, fonts and plugins may load from; how much it actually reduces XSS risk depends on removing `'unsafe-inline'` from `script-src` in favour of nonces or hashes. Run `nginx -t` before reloading, then verify the headers with `curl -sI https://example.com`, and remember that an `add_header` inside a `location` block replaces, rather than extends, the headers inherited from the `server` block.
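As an added example (not part of the original snippet), the script below audits a response header set offline for the weaknesses discussed above: short HSTS max-age, an enabled legacy XSS auditor, a leaky Referrer-Policy, `'unsafe-inline'` in `script-src` without a nonce or hash, `object-src` not `'none'`, and missing clickjacking protection. The headers are modelled as a dict, as you would get from parsing `curl -sI` output or from an HTTP client; the two header sets are constructed samples, and the nonce value in the hardened set is a placeholder (real nonces must be fresh per response).

```python
"""Offline audit of the security headers an Nginx server block emits.

Added example; WEAK_HEADERS and HARDENED_HEADERS are constructed samples.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000
WEAK_REFERRER_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins, as in browsers
    return policy


def hsts_max_age(value: str) -> Optional[int]:
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the header set passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif (hsts_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age shorter than one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    # An absent header is fine; only an enabled legacy auditor is a finding.
    if h.get("x-xss-protection", "0") != "0":
        findings.append("X-XSS-Protection enables the legacy XSS auditor; use 0 or omit it")

    # Absent is acceptable: browsers default to strict-origin-when-cross-origin.
    if h.get("referrer-policy", "").lower() in WEAK_REFERRER_POLICIES:
        findings.append("Referrer-Policy leaks full URLs to other origins")

    policy: Dict[str, List[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        if "'unsafe-inline'" in scripts and not any(s.startswith(NONCE_OR_HASH) for s in scripts):
            findings.append("CSP script-src allows 'unsafe-inline' without a nonce or hash")
        if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
            findings.append("CSP object-src is not 'none'")

    if "frame-ancestors" not in policy and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection: add CSP frame-ancestors or X-Frame-Options")
    return findings


# Constructed sample with the weak settings discussed on this page.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; "
                               "object-src 'none'; base-uri 'self'; form-action 'self';",
}

# Constructed hardened sample; 'nonce-ZjA3NGQ4' is a placeholder, real nonces are per-response.
HARDENED_HEADERS = {
    **WEAK_HEADERS,
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-ZjA3NGQ4' https://cdn.example.com; "
                               "object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

To audit a live server, build the dict from `curl -sI https://example.com` (one `Name: value` per line) and pass it to `audit_headers`; the duplicate-directive rule in `parse_csp` mirrors browser behaviour, so a second `script-src` later in the policy is ignored just as a browser would ignore it.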