How to Implement HTTP Security Headers on NGINX Webserver

HTTP security headers are response headers that an NGINX configuration can add to every reply, enhancing the security of the web application behind it. They enable browser-side protections such as Content Security Policy (CSP), X-Frame-Options (the header that frameguard sets), X-XSS-Protection, and Referrer-Policy.

Here’s how you can implement HTTP Security Headers on your NGINX webserver:

Step 1: Enable the http module

The add_header directive used in the steps below comes from the http module's headers component (ngx_http_headers_module). It is compiled into NGINX by default, so there is no http.so to load and no load_module line to add; instead, confirm that your configuration file (usually nginx.conf or default.conf) parses cleanly before you start adding directives:

sudo nginx -t

Step 2: Configure Content Security Policy (CSP)

Content Security Policy is a feature that helps prevent cross-site scripting (XSS) attacks. To configure CSP, add the following directives to your NGINX configuration file:

http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://fonts.googleapis.com;";
        }
    }
}

In this example, we’re configuring a basic CSP that allows scripts and styles from the same origin ('self'), adds https://example.com as an allowed source for scripts, and adds https://fonts.googleapis.com as an allowed source for styles.

Step 3: Configure Frameguard

Frameguard (the X-Frame-Options header) is a feature that helps prevent clickjacking attacks. To configure it, add the following directives to your NGINX configuration file:

http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            add_header X-Frame-Options "SAMEORIGIN";
        }
    }
}

In this example, we’re configuring Frameguard to allow framing only from the same origin ("SAMEORIGIN").

Step 4: Configure X-XSS-Protection

X-XSS-Protection is a feature that helps prevent XSS attacks. To configure it, add the following directives to your NGINX configuration file:

http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            add_header X-XSS-Protection "1; mode=block";
        }
    }
}

In this example, we’re configuring X-XSS-Protection to enable the browser's reflected-XSS filter and block the page when it fires. Current browsers have removed this filter and ignore the header, so treat it as a legacy setting and rely on the CSP from Step 2 for XSS protection.

Step 5: Configure the Referrer Policy

Referrer policy is a feature that helps prevent open redirect attacks. To configure it, add the following directives to your NGINX configuration file:

http {
    ...
    server {
        listen 80;
        server_name example.com;

        location / {
            add_header Referrer-Policy "same-origin";
        }
    }
}

In this example, we’re configuring the referrer policy so that the browser sends the Referer header only on same-origin requests ("same-origin") and omits it when navigating to other sites.

Step 6: Restart NGINX

After configuring your HTTP security headers, restart your NGINX service to apply the changes:

sudo service nginx restart
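Two details matter when Steps 2 to 5 are combined in one configuration: NGINX inherits add_header directives from the enclosing level only when the current level defines none, so the four headers must sit together in one block, and without the always flag add_header is applied only to 2xx and 3xx responses, so error pages go out unprotected. The following shell script is an added example, not part of the article: it writes the four headers from Steps 2 to 5 as a single include snippet with always, and provides a check that lists which required headers are missing from a response (live via curl, or from a captured response). The snippet path, example.com and the sample responses are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): deploy the headers from Steps 2-5 as one
# NGINX snippet and verify that responses carry them. Paths, host names and the
# sample responses below are assumptions, not values from a real deployment.

# write_headers_conf PATH: write a snippet to include from a server or location
# block, e.g.  include /etc/nginx/snippets/security-headers.conf;
write_headers_conf() {
    cat > "$1" <<'EOF'
# Keep every add_header for a level in ONE place: NGINX inherits add_header
# directives from the enclosing level only when the current level defines none,
# so a lone add_header in a location silently drops the ones set in server {}.
# "always" attaches the header to 4xx/5xx responses too; without it,
# add_header only applies to 2xx and 3xx responses.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://fonts.googleapis.com;" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin" always;
EOF
}

# Header names (lower-case) that every response is expected to carry.
REQUIRED_HEADERS="content-security-policy x-frame-options x-xss-protection referrer-policy"

# missing_headers RESPONSE: RESPONSE is raw HTTP response headers, as printed
# by "curl -sI". Prints each required header that is absent, one per line.
# Header names are matched case-insensitively; CRs from the wire are dropped.
missing_headers() {
    present=$(printf '%s\n' "$1" | tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$present" | grep -qx "$h" || echo "$h"
    done
}

# headers_ok RESPONSE: exit status 0 when all required headers are present.
headers_ok() {
    [ -z "$(missing_headers "$1")" ]
}

# Constructed sample responses (not captured from a real server). The 404
# sample shows what a config WITHOUT "always" returns for an error page.
SAMPLE_200="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://fonts.googleapis.com;
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: same-origin"

SAMPLE_404="HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html"

echo "sample 200 missing: $(missing_headers "$SAMPLE_200" | tr '\n' ' ')"
echo "sample 404 missing: $(missing_headers "$SAMPLE_404" | tr '\n' ' ')"

# Live use (assumed paths; requires root and curl):
#   write_headers_conf /etc/nginx/snippets/security-headers.conf
#   sudo nginx -t && sudo service nginx restart
#   missing_headers "$(curl -sI http://example.com/)"
#   missing_headers "$(curl -sI http://example.com/does-not-exist)"   # error page check
```

Checking an error page as well as the front page is the quick way to confirm that the always flag took effect; the constructed 404 sample reports all four headers missing, which is exactly what a configuration without always produces.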

By following these steps, you can implement HTTP security headers on your NGINX webserver and enhance the protection of your application.

Tips and Variations:

  • Use the http module’s directives (add_header) to add custom HTTP headers.
  • Configure different values for the HTTP security headers based on your specific requirements.
  • Consider implementing additional security measures, such as rate limiting or IP blocking, to protect your web application further.
