Proper Website Content Security nGinx Configuration


Wow!  It’s been a little while since I have had the time to post another article.   Well, here I am again, back at it.

This time, I will show you an optimal way to keep your site secure utilizing a bit of nginx configuration.  You will need to do some work before implementing this, so please do not attempt to simply copy/paste this and expect it to work out of the box.

# Default security headers
# Note: nginx inherits add_header directives from the server{} level into a
# location{} block only when that block defines no add_header of its own,
# so keep this whole set together at one level.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; # enable HSTS for one year, cover subdomains, and opt in to browser preload lists
add_header X-Frame-Options "SAMEORIGIN" always; # only allow this site to frame itself (clickjacking protection)
add_header X-Xss-Protection "1; mode=block"; # legacy browser XSS filter; the CSP below is the real control
add_header X-Content-Type-Options "nosniff" always; # no MIME sniffing allowed!
add_header Referrer-Policy "strict-origin"; # send only the origin as referrer, and nothing on an HTTPS-to-HTTP downgrade
add_header X-Download-Options "noopen"; # force the download, and do not allow direct opening
add_header X-Permitted-Cross-Domain-Policies "none"; # no cross-domain policy files (Flash/Acrobat) may load content from this host
add_header X-Robots-Tag none; # "none" equals noindex, nofollow: crawlers will not index this host; drop it if you want to be indexed

# Content Security Policy
# 'unsafe-inline' and 'unsafe-eval' are honoured only by script and style directives,
# and in script-src they largely cancel the protection CSP gives against injected
# scripts; remove them once inline scripts are moved to files or hashed/nonced.
# Replace the 'self'-only lists with the FQDNs you noted for each resource type.
set $CSP_image         "img-src 'self' data:;"; # allowable external image domains
set $CSP_script        "script-src 'self' 'unsafe-inline' 'unsafe-eval';"; # allowable external javascript domains
set $CSP_style         "style-src 'self' 'unsafe-inline';"; # allowable external CSS domains
set $CSP_font          "font-src 'self' data:;"; # allowable external font domains
set $CSP_frame         "frame-src 'self';"; # allowable external frames/iframes domains
set $CSP_object        "object-src 'self';"; # allowable external object domains
set $CSP_connect       "connect-src 'self';"; # allowable external connect (XHR/fetch/WebSocket) domains
set $CSP_media         "media-src 'self';"; # allowable external media domains
set $CSP_form          "form-action 'self';"; # allowable external form submission domains
set $CSP_frame_anc     "frame-ancestors 'self';"; # allowable external frame ancestor domains (CSP counterpart of X-Frame-Options)
# Every $CSP_* variable above must appear here, or the directive is silently left out of the policy
set $CSP               "default-src 'self'; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object} ${CSP_connect} ${CSP_media} ${CSP_form} ${CSP_frame_anc}";
add_header Content-Security-Policy $CSP always;
add_header X-Content-Security-Policy $CSP always; # legacy header name understood by older browsers; carries the same policy

First things first, you need to browse through your site and note every single external call.  By external call I mean everything that is not requested directly from your site's domain.  Items like Google Fonts, Google Analytics, etc… all pull their resources from their respective domains.  Your best bet is going to be to note what the domain is, and what type of resource it is: an image, a font, CSS, JavaScript, etc…

Once you have your list, proceed in getting your site an SSL certificate and have it applied.  When you have your list and SSL certificate applied, you will need to add the configuration above to your nginx config inside your site's “server{}” block, although placing it in your site's “location / {}” will also work.

Please see the comments in the configuration above.  You will need to use the FQDN, and not the URL, for each item.  If you do not have the domains for the external resources, or there simply are none, leave well enough alone and block everything that is not allowed 🙂
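The inventory-to-policy step described above can be scripted.  The following is an added example, not code from the original article: it turns a list of (resource type, FQDN) pairs like the one you collect while browsing your site into a Content-Security-Policy value, and audits any CSP string for the weak settings a reviewer would flag (unsafe keywords, wildcard sources, missing default-src or frame-ancestors).  The hostnames in SAMPLE_INVENTORY are constructed, and ARTICLE_CSP is the policy the article's $CSP variable assembles from its $CSP_* parts.

```python
"""Build a Content-Security-Policy from an inventory of external resources,
and audit a CSP value for weak or ineffective settings.
Added example, not the article's own code; hostnames below are constructed."""

# Resource type noted during the site walk-through -> CSP directive
DIRECTIVE_FOR_TYPE = {
    "image": "img-src",
    "script": "script-src",
    "style": "style-src",
    "font": "font-src",
    "frame": "frame-src",
    "object": "object-src",
    "connect": "connect-src",
    "media": "media-src",
}

# Directives emitted in the built policy; every one starts at 'self' only
DIRECTIVE_ORDER = [
    "default-src", "img-src", "script-src", "style-src", "font-src",
    "frame-src", "object-src", "connect-src", "media-src",
    "form-action", "frame-ancestors",
]

# These keywords only mean something for script/style-type directives
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
UNSAFE_APPLIES_TO = ("script-src", "style-src", "default-src")


def build_csp(inventory):
    """inventory: list of (resource_type, fqdn) pairs noted for the site.
    Returns a policy allowing 'self' plus exactly those hosts, per type."""
    sources = {d: ["'self'"] for d in DIRECTIVE_ORDER}
    for rtype, host in inventory:
        if rtype not in DIRECTIVE_FOR_TYPE:
            raise ValueError(f"unknown resource type: {rtype}")
        directive = DIRECTIVE_FOR_TYPE[rtype]
        if host not in sources[directive]:
            sources[directive].append(host)
    return "; ".join(f"{d} {' '.join(sources[d])}" for d in DIRECTIVE_ORDER) + ";"


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(value):
    """Return (directive, finding) pairs for settings that weaken the policy
    or do nothing where they are placed."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append(("default-src", "missing: resource types not listed are unrestricted"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "missing: framing is limited only by X-Frame-Options"))
    for directive, sources in policy.items():
        for src in sources:
            if src in UNSAFE_KEYWORDS:
                if directive in UNSAFE_APPLIES_TO:
                    findings.append((directive, f"{src} weakens protection against injected code"))
                else:
                    findings.append((directive, f"{src} has no effect on this directive; remove it"))
            elif src == "*":
                findings.append((directive, "wildcard source allows any origin"))
            elif src == "data:" and directive in ("script-src", "object-src", "default-src"):
                findings.append((directive, "data: permits URL-embedded active content"))
    return findings


# Constructed inventory, in the form the article asks you to collect
SAMPLE_INVENTORY = [
    ("style", "fonts.googleapis.com"),
    ("font", "fonts.gstatic.com"),
    ("script", "www.google-analytics.com"),
    ("image", "www.google-analytics.com"),
    ("connect", "www.google-analytics.com"),
]

# The policy the article's $CSP variable assembles from its $CSP_* parts
ARTICLE_CSP = (
    "default-src 'self'; img-src 'self' 'unsafe-inline' 'unsafe-eval' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
    "font-src 'self' data:; frame-src 'self'; object-src 'self';"
)

if __name__ == "__main__":
    print(build_csp(SAMPLE_INVENTORY))
    for directive, finding in audit_csp(ARTICLE_CSP):
        print(f"{directive}: {finding}")
```

Paste the string build_csp() prints into the $CSP variable (or a single add_header line), then run audit_csp() on the value your server actually sends, for instance by copying the Content-Security-Policy header out of the browser's network panel, so that a missing ${CSP_*} piece or a leftover 'unsafe-eval' is caught before it ships.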
