Adding proper security headers to NGINX
Posted Monday, Oct 12, 2020
Add the right security headers to nginx because we all like to get an “A” in securityheaders.com
After auditing quite a few sites, I tested my own site for security headers. And guess what happened?
Wow, this had to be fixed :D
I just added:
# Set security headers
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "no-referrer";
# Set HSTS to 365 days
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
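As an added example (mine, not from the original post), here is a small checker that parses add_header directives from a snippet like the one above and flags headers that lack the always parameter, which nginx needs in order to send the header on 4xx/5xx responses too, not only on 2xx/3xx. The snippet text and the one-year HSTS threshold are embedded as constructed input.

```python
import re

# Constructed input: the add_header block from the post, pasted as a string.
NGINX_SNIPPET = """
# Set security headers
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "no-referrer";
# Set HSTS to 365 days
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
"""

# One add_header directive: name, a quoted or bare value, optional 'always', ';'
ADD_HEADER = re.compile(
    r"^\s*add_header\s+(?P<name>\S+)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)"
    r"(?P<always>\s+always)?\s*;",
    re.MULTILINE,
)

REQUIRED = ["x-frame-options", "x-content-type-options",
            "content-security-policy", "referrer-policy",
            "strict-transport-security"]


def parse_add_headers(conf):
    """Return {lower-case header name: (value, has_always)} for each directive."""
    headers = {}
    for m in ADD_HEADER.finditer(conf):
        value = m.group("value").strip("\"'")
        headers[m.group("name").lower()] = (value, bool(m.group("always")))
    return headers


def audit(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the snippet passes."""
    findings = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing {name}")
        elif not headers[name][1]:
            # Without 'always' nginx adds the header only to 2xx/3xx responses,
            # so error pages would be served without this protection.
            findings.append(f"{name} lacks 'always' (not sent on 4xx/5xx)")
    hsts = headers.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append("strict-transport-security max-age below one year")
    return findings
```

Run against the post's own snippet it reports that four of the headers are missing the always flag; HSTS passes.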
I will add the new Permissions-Policy later, once I read about (and hopefully understand) it.