
How to Strengthen Nginx Security and Website Security Headers with SSL?

Using an SSL certificate doesn't mean you are secure; there is a lot more to strengthening web site security. Most people are happy with just having their site running under SSL after successfully figuring out how certbot and Let’s Encrypt work.


Strengthening web site security is very easy, as it only requires you to set up what is called a Content Security Policy (CSP).

What a Content Security Policy does is tell the browser which external resources may be loaded within your site without being regarded as non-secure origins. It’s an essential part of good security, especially when it comes to SSL.

But strengthening web site security does not stop there: additional server headers need to be implemented to stop browsers from MIME-sniffing content types, to stop other people loading parts of your site inside a frame on their site, to set what is called an XSS header (X-XSS-Protection), which tells browsers to block reflected cross-site scripting, and finally a strict transport security header called HSTS.

To check the current status of your site’s security headers, simply visit a great tool called https://securityheaders.com/, type in your domain name including https:// and see the result. You will probably initially see a big nasty red F … don’t shit yourself, because with the CSP and the following Nginx rules it will take you a few minutes to score an A.

For Nginx you simply add the following lines within a server {} block in your site’s conf file, reload nginx and you are done. Go and retest and you will see a much nicer message.

Just add the code below after # Mime settings; the entire block will look like this:
# vi /etc/nginx/nginx.conf

# Mime settings
include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Security headers. Note: add_header directives set here in the http block are
# inherited only by server/location blocks that define no add_header of their own.
# HSTS: browsers use HTTPS only for this host (and its subdomains) for one year
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# Only allow this site to be framed by pages from the same origin
add_header X-Frame-Options "SAMEORIGIN"  always;
# Stop browsers from MIME-sniffing a response away from its declared Content-Type
add_header X-Content-Type-Options "nosniff"  always;
# Legacy reflected-XSS filter for older browsers
add_header X-XSS-Protection "1; mode=block";
# CSP: restrict which origins may embed this site in a frame
add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;";
# Send the full referrer only to same-origin requests; only the origin cross-origin
add_header Referrer-Policy strict-origin-when-cross-origin;
# Disable the accelerometer API for this site
add_header Feature-Policy "accelerometer 'none'; ";
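As an added example (not part of the original post), here is a small offline Python checker that parses a captured response header block and flags which of the headers above are missing or weaker than the values in the Nginx snippet; the two sample responses are constructed, not captured from any real site.

```python
# Added example, not from the original post: parse a raw HTTP response header
# block and report headers missing or weaker than the Nginx snippet above.
import re

HSTS_MIN_MAX_AGE = 31536000  # one year, as in the post's HSTS header

def parse_headers(raw: str) -> dict:
    """Turn 'Name: value' lines into a dict with lower-cased names; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy", "")
    # Framing is restricted by either X-Frame-Options or a CSP frame-ancestors directive.
    if (h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN")
            and "frame-ancestors" not in csp):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=300\nContent-Type: text/html\n"
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
    "X-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
    "Content-Security-Policy: frame-ancestors 'self';\nReferrer-Policy: strict-origin-when-cross-origin\n"
)
```

Feed it the output of `curl -sI https://yourdomain/` and an empty list means the snippet's headers are all in place.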

QUESTION?

Does this make my web site ultra secure?
Well, yes, it does add some very necessary security headers to your web site’s configuration, but security does not stop here.

Security Scan & Recommendation:

https://observatory.mozilla.org/
https://app.upguard.com/
https://securityheaders.com/
https://hstspreload.org
https://tls.imirhil.fr
https://csp-evaluator.withgoogle.com/

Content Security Policy (CSP)

https://developers.google.com/web/fundamentals/security/csp/
https://support.google.com/webmasters/answer/6073543?hl=en
https://blog.codeship.com/how-to-get-started-with-a-content-security-policy/
https://stackoverflow.com/questions/34669075/can-content-security-policy-be-made-compatible-with-google-analytics-and-adsense

Mozilla Security Guide:

https://infosec.mozilla.org/guidelines/web_security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
