NGINX
Set Essential Security HTTP Headers for Web Applications
Harden your web server by configuring critical HTTP security headers like HSTS, X-Frame-Options, and X-Content-Type-Options to mitigate various web vulnerabilities.
```nginx
# "always" sends each header on every response code, including 4xx/5xx errors (nginx 1.7.5+).
# add_header is not inherited into a location block that declares its own add_header,
# so repeat the full set in any location that adds headers of its own.

# Strict-Transport-Security (HSTS) - Enforce HTTPS
# Browsers only honour HSTS received over HTTPS, so place it in the TLS server block.
# "preload" is a commitment: once submitted to the browser preload list, every subdomain
# must serve HTTPS, and removal from the list is slow.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# X-Frame-Options - Prevent Clickjacking
add_header X-Frame-Options "DENY" always;
# X-Content-Type-Options - Prevent MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;
# Referrer-Policy - Control referrer information sent with requests
# no-referrer-when-downgrade still sends the full URL to cross-origin HTTPS destinations;
# strict-origin-when-cross-origin is the stricter policy modern browsers default to.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# X-XSS-Protection (mostly deprecated by CSP, but good for older browsers)
add_header X-XSS-Protection "1; mode=block" always;
```
How it works: This Nginx configuration snippet sets several HTTP security headers that protect web applications. `Strict-Transport-Security` (HSTS) tells browsers to communicate with the site only over HTTPS for the given `max-age`, preventing protocol-downgrade attacks. `X-Frame-Options` with `DENY` prevents clickjacking by ensuring your content cannot be embedded in an iframe on any page. `X-Content-Type-Options "nosniff"` stops browsers from MIME-sniffing a response away from the declared `Content-Type`, which blocks a class of XSS attacks that rely on content-type confusion. `Referrer-Policy` controls what is sent in the `Referer` header, protecting user privacy. Together these headers significantly improve a website's security posture.
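A practitioner usually wants to verify that the headers above actually reach the client, since a forgotten `add_header` in a nested `location` block silently drops them. The following is an added example, not part of the original snippet: a small Python audit that parses a raw HTTP response head and reports which of the four headers discussed are missing or set to a weak value. Both sample responses are constructed for the example; a real check would feed in the output of `curl -sI` against your own server.

```python
"""Audit an HTTP response head for the hardening headers set by the nginx snippet above.

Added example; the sample responses below are constructed, not captured from a server.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age used in the nginx snippet

# Constructed sample: what the snippet above produces (status line plus headers).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 1; mode=block

<html>..."""

# Constructed sample: a server with a short HSTS lifetime and a permissive framing policy.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL

<html>..."""


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the header fields of a raw HTTP response as a lower-cased dict.

    Parsing stops at the blank line that ends the head, so the body is ignored.
    """
    headers: Dict[str, str] = {}
    lines = raw.splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; -1 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            return int(num.strip()) if num.strip().isdigit() else -1
    return -1


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing: Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak: Strict-Transport-Security max-age below one year")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing: X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: X-Frame-Options value {xfo!r} does not block framing")

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("missing: X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        findings.append(f"weak: X-Content-Type-Options value {xcto!r} is not nosniff")

    if "referrer-policy" not in headers:
        findings.append("missing: Referrer-Policy")

    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(parse_headers(raw)) or ["ok"])
```

The check treats `SAMEORIGIN` as acceptable for `X-Frame-Options` even though the snippet uses `DENY`, since both stop cross-site framing; it does not judge `X-XSS-Protection`, which the snippet itself marks as largely superseded by CSP.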