Nginx Secure Headers
Updated at Tue, 09 Jan 2024 11:51:00 EST
You can make your Nginx web server, and the websites it serves, more secure by adding a few simple lines to your main nginx.conf and to your vhost configs.
In the main nginx.conf file, within the http {} braces, you can optionally add:

    server_tokens off;
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
You can vary the size of the body and header buffers depending upon your needs. Note that client_max_body_size 1k makes nginx reject any request body larger than 1 KB with a 413 error, so raise it if your site accepts form posts or file uploads.
In the server {} part of your virtual host config file (or sites-available/default if you have only 1 site), just before the very last brace, add these lines:

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header X-XSS-Protection "1; mode=block";
In the location {} part of your virtual host config (within the server {} braces) add this:

    location / {
        # your other info for this block
        limit_except GET HEAD POST { deny all; }
    }
There are more headers you can add depending upon your needs, but these will get the basics covered for you and are typically reliable for most sites.
This line:

    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

does assume you are redirecting all requests to the SSL layer. Don't add it if you are not using SSL.
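The following is an added example, not the article's own config: one complete, minimal nginx.conf that assembles every directive from the steps above into a single file, so you can see where each piece sits relative to the others. The hostname, web root and certificate paths are placeholders. Two points it handles that the snippets above leave implicit: the plain-HTTP server does nothing but redirect to HTTPS, which is the condition under which the Strict-Transport-Security header is safe to send; and no add_header appears inside the location {} block, because an add_header at location level replaces the entire server-level set instead of extending it. The "always" parameter is added to every header so they are also sent on 4xx and 5xx responses.

```nginx
# Added example (not the article's own config). example.com, /var/www and the
# certificate paths are placeholders; adjust them for your site.

events {}

http {
    # From the article's nginx.conf step. server_tokens off removes the
    # version number from the Server: header and from nginx error pages.
    server_tokens off;
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;            # raise if the site accepts uploads or large POSTs
    large_client_header_buffers 2 1k;

    # Plain-HTTP listener: redirect everything to TLS. With this in place the
    # HSTS header below is safe, because nothing is ever served over http.
    server {
        listen 80;
        server_name example.com;        # placeholder
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name example.com;        # placeholder
        ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder
        ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder
        root /var/www/example.com;      # placeholder

        # Security headers from the article's server {} step. "always" makes
        # nginx send them on 4xx/5xx responses too, not only on 2xx/3xx.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        add_header X-XSS-Protection "1; mode=block" always;

        location / {
            # No add_header here: an add_header inside a location block
            # replaces the whole server-level set above rather than adding to it.
            limit_except GET HEAD POST { deny all; }
            try_files $uri $uri/ =404;
        }
    }
}
```

Check the syntax with nginx -t before reloading, then confirm the headers actually arrive with curl -sI https://example.com (replace the hostname with your own); a missing header usually means a location block somewhere defines its own add_header and has silently dropped the inherited set. Be deliberate about the preload token: once a domain is submitted to the browser HSTS preload list it is hard to remove, so only include it when every subdomain is ready to be served over HTTPS.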
Keywords
nginx headers, server headers, secure website