

Enhance security in NGINX configuration by adding and updating securi…
…ty headers, removing server information, and refining Content Security Policy.
Kseen715 committed Dec 1, 2024
1 parent d921bee commit b8a9320
Showing 1 changed file with 42 additions and 19 deletions.
61 changes: 42 additions & 19 deletions nginx/nginx.conf
Expand Up @@ -6,6 +6,48 @@ upstream client {
}

server {
# Remove server information headers
server_tokens off;
proxy_hide_header X-Powered-By;
# more_clear_headers Server;
# more_clear_headers X-Powered-By;

# Add security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN";
# add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

proxy_hide_header Content-Security-Policy;
# Add Content Security Policy headers
add_header Content-Security-Policy "
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://cdn.jsdelivr.net;
style-src 'self' 'unsafe-inline'
https://cdn.jsdelivr.net
https://fonts.googleapis.com;
img-src 'self' data:
https://cdn.jsdelivr.net
https://avatars.mds.yandex.net;
font-src 'self' data:
https://fonts.gstatic.com;
connect-src 'self'
ws://localhost:3000/ws
wss://localhost:3000/ws
ws://localhost:3000/socket
wss://localhost:3000/socket
http://127.0.0.1:8000
https://127.0.0.1:8000;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
object-src 'none';
media-src 'self';
" always;

# Block access to metadata
location ~ ^/latest/meta-data/ {
deny all;
Expand All @@ -20,25 +62,6 @@ server {

listen 80;

# Add Content Security Policy headers
add_header Content-Security-Policy "
default-src 'self';
img-src 'self' data: https:;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net;
style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net;
font-src 'self' data:;
connect-src 'self' ws: wss:;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
" always;

# Add other security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

location / {
# Add security headers
proxy_set_header X-Real-IP $remote_addr;
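Review bot: The Content-Security-Policy value spanning lines 35-59 is a quoted string with embedded line breaks, and nginx writes those breaks into the header value verbatim, so clients that enforce strict header syntax (HTTP/2 in particular) are likely to reject or ignore the policy — the directives should be joined into a single-line value, e.g. `add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; ... object-src 'none'; media-src 'self'" always;` (the removed block in the second hunk had the same shape, so this is an inherited defect rather than a new one). The line `add_header X-Frame-Options "SAMEORIGIN";` is the only header here without `always` and it disagrees with the `frame-ancestors 'none'` directive a few lines below; `add_header X-Frame-Options "DENY" always;` keeps the two consistent and emits it on error responses like the rest. Note that nginx does not inherit server-level `add_header` directives into a location that declares any `add_header` of its own, so the `location /` block (its body continues outside the hunk) must not add headers itself or every header above is silently dropped for proxied responses. Strict-Transport-Security is ignored by browsers on plain-HTTP responses and this server only shows `listen 80;`, so it only has an effect if TLS is terminated in front of nginx and the header is forwarded. The ws://localhost and http://127.0.0.1 entries in connect-src look like development values; if this file is also deployed, a comment marking them as such or moving them to a dev-only include would avoid shipping them.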

