Nginx Nginx configuration for improved security

Sunka · Feb 2, 2016

This lines are disabled in nginx domain conf by default. For first and last I understand why, but why other three are disabled too?
I am just asking, trying to learn something new for nginx
Code:
####add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  ####spdy_headers_comp 5;
add_header Alternate-Protocol 443:npn-spdy/3;
is not used if not using spdy (aka using http2)

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Why is disabled?

HSTS - HTTP Strict Transport Security (HSTS) is a security policy which is necessary to protect secure HTTPS websites against downgrade attacks. It also aids protection against cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
Click to expand...

add_header X-Content-Type-Options "nosniff";
Why is disabled?

X-Content-Type-Options
Nice and easy to configure, this header only has one valid value, nosniff. It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable.
Click to expand...

add_header X-Frame-Options DENY;
Why is disabled?

he page cannot be displayed in a frame, regardless of the site attempting to do so.
Click to expand...

spdy_headers_comp 5;
This module was superseded by the ngx_http_v2_module module in 1.9.5.

eva2000 · Feb 2, 2016

For HSTS read centminmod.com/nginx_domain_dns_setup.html#hsts and precautions as you can mess up your site if you do not understand what enabling HSTS means for your visitors and any other subdomain web site you run off the same *.domain.com

Sunka said: ↑

add_header Alternate-Protocol 443:npn-spdy/3;
####spdy_headers_comp 5;
Click to expand...

these 2 are still there as nginx 1.9.3-1.9.5 versions were where disabling HTTP/2 mean using SPDY/3.1 so Centmin Mod can actually auto detect if your Nginx version is using SPDY or HTTP/2 module and auto uncomment or comment out these 2 values depending on if Nginx used HTTP/2 or SPDY/3.1. If you removed those commented out settings, Centmin Mod won't be able to auto switch between them. Nginx 1.9.5+ now removed SPDY so no fall back just either with or without HTTP/2.

The rest need revising as I really should have these 3 setup not just for HTTPS but HTTP if you know what you're doing
Code:
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;

ModeltogTossen · Feb 2, 2016

eva2000 said: ↑

The rest need revising as I really should have these 3 setup not just for HTTPS but HTTP if you know what you're doing
Click to expand...

I do not know what I'm doing - yes, your read it right.. But your statement tells me - should have - so do I just add the following 3 lines in both the ssl.conf and .conf files of my site?
Code:
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;

eva2000 · Feb 2, 2016

I updated Centmin Mod 123.09beta01 vhost templates with those 3 settings commented out so you can check at update nginx vhost templates · centminmod/centminmod@e7a2c90 · GitHub to get an idea of where to insert them in your http and https vhosts

Sunka · Feb 2, 2016

And that is way I am just asking

I had to put
Code:
add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
into conf (location internal_data), but denay all setting clashed... then another aproach wth another addon, but there was more complicated solution for me cause this part was enigma for me (I think that I do not use fastcgi at all)
Code:
location ~ [^/]*\.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi.conf;
        fastcgi_pass_header Etag;
    }

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Nginx Nginx configuration for improved security

Sunka Well-Known Member

eva2000 Administrator Staff Member

ModeltogTossen I wish I could??

eva2000 Administrator Staff Member

Sunka Well-Known Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Nginx Nginx configuration for improved security

Sunka Well-Known Member

eva2000 Administrator Staff Member

ModeltogTossen I wish I could??

eva2000 Administrator Staff Member

Sunka Well-Known Member

.