Proper Website Content Security nGinx Configuration

Wow!  It’s been a little while since I have had the time to post another article.   Well, here I am again, back at it.

This time, I will show you how to lock down what your site is allowed to load by sending a set of HTTP security headers and a Content Security Policy (CSP) from nginx.  You will need to do some work before implementing this, so please do not simply copy/paste the configuration and expect it to work out of the box: a policy that does not list everything your pages load will break those pages.

First things first, you need to browse through your site and note every single external call.  By external call I mean everything that is not requested from your site's own domain.  Items like Google Fonts, Google Analytics, etc. all pull their resources from their own domains.  For each one, record the scheme and host (for example https://fonts.gstatic.com) and the type of resource: image, font, CSS, JavaScript, frame, and so on, because each type maps to its own CSP directive.  Do not forget pages behind a login, and resources that only scripts or stylesheets pull in (XHR/fetch calls, font files referenced from CSS); a quick look at the HTML misses those, while the network panel of the browser's developer tools shows them all.
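The inventory step can be partly automated.  The following shell script is an added example and not part of the original post: it splits a page's HTML into tags, maps each tag type to the CSP directive that governs it, and prints the distinct external origins per directive, dropping relative URLs and the site's own host (both covered by 'self').  The sample HTML and the site host www.example.com are constructed for the example; in practice feed it the output of curl -s https://your.site/ for each page, and remember that anything loaded by scripts or CSS rather than by a tag still has to be checked in the browser's network panel.

```shell
#!/bin/sh
# Added example (not from the original post): list the external origins a page loads,
# grouped by the CSP directive that controls them.
# SITE_HOST and SAMPLE_HTML are constructed for this example.

SITE_HOST="www.example.com"   # assumption: the site's own host, covered by 'self'

# constructed stand-in for: curl -s "https://$SITE_HOST/"
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="https://cdn.example-images.net/logo.png" alt="">
<img src="/images/local.png" alt="">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
</body></html>'

# external_origins <html> <site-host>  -> lines of "<directive> <origin>", unique and sorted
external_origins() {
    html="$1"
    site="$2"
    # one tag per line; anything before the first '<' becomes a harmless empty line
    printf '%s' "$html" | tr '<' '\n' | while IFS= read -r tag; do
        name=$(printf '%s' "$tag" | sed -E 's/^[[:space:]]*([A-Za-z0-9]+).*/\1/' | tr 'A-Z' 'a-z')
        case "$name" in
            script)             directive="script-src" ;;
            img)                directive="img-src" ;;
            iframe|frame)       directive="frame-src" ;;
            audio|video|source) directive="media-src" ;;
            object|embed)       directive="object-src" ;;
            form)               directive="form-action" ;;
            link)
                # <link> is a stylesheet or an icon; anything else (preload, canonical, ...) is skipped
                case "$tag" in
                    *stylesheet*) directive="style-src" ;;
                    *icon*)       directive="img-src" ;;
                    *)            continue ;;
                esac ;;
            *) continue ;;   # closing tags, text nodes and tags that load nothing
        esac
        # absolute http(s) URL from src=, href= or action=; a relative URL is same-origin
        url=$(printf '%s' "$tag" | sed -nE "s#.*(src|href|action)=[\"']?(https?://[^\"' >]+).*#\2#p")
        if [ -z "$url" ]; then
            continue
        fi
        origin=$(printf '%s' "$url" | sed -E 's#^(https?://[^/]+).*#\1#')   # scheme + host[:port]
        if [ "${origin#*://}" = "$site" ]; then
            continue   # our own host is already covered by 'self'
        fi
        printf '%s %s\n' "$directive" "$origin"
    done | sort -u
}

external_origins "$SAMPLE_HTML" "$SITE_HOST"
```

Each output line names the directive to extend and the origin to add to it; relative paths and the site's own host never appear because 'self' already allows them.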

Once you have your list, get a TLS certificate for your site (what most people still call an SSL certificate) and enable HTTPS.  With the list in hand and HTTPS working, add the following configuration to your nginx config inside the HTTPS "server{}" block for your site.  Placing it in the site's "location / {}" block will also work, with one caveat: nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location{} block that adds even one header of its own silently drops every header set in server{}.  Keep them in one place, or repeat the full set.

# Default security headers
# "always" makes nginx send the header on every status code, not only on 2xx/3xx responses
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # one year, including subdomains; only submit to the preload list once every subdomain serves HTTPS, preloading is hard to undo
add_header X-Frame-Options "SAMEORIGIN" always; # only pages from this origin may frame the site (legacy counterpart of CSP frame-ancestors)
add_header X-XSS-Protection "1; mode=block" always; # legacy reflected-XSS filter; current browsers ignore it and current guidance is "0", since the filter itself could be abused for cross-site leaks
add_header X-Content-Type-Options "nosniff" always; # the browser must honour the declared Content-Type instead of guessing it
add_header Referrer-Policy "strict-origin" always; # send only the origin (no path or query) in Referer, and nothing at all on an HTTPS to HTTP downgrade
add_header X-Download-Options "noopen" always; # legacy IE: downloads cannot be opened directly in this site's security context
add_header X-Permitted-Cross-Domain-Policies "none" always; # no Flash/Acrobat crossdomain.xml policy may grant access to this site
add_header X-Robots-Tag "none" always; # equals "noindex, nofollow" on every response: search engines drop the whole site; omit this unless that is really what you want

# Content Security Policy
# add each external origin from your inventory to the matching directive as scheme + host,
# e.g. script-src 'self' https://www.google-analytics.com; keep 'self', 'none' and the 'unsafe-*' keywords quoted
set $CSP_image         "img-src 'self' data:;"; # external image origins; 'unsafe-inline'/'unsafe-eval' have no meaning for img-src
set $CSP_script        "script-src 'self' 'unsafe-inline' 'unsafe-eval';"; # external JavaScript origins; 'unsafe-inline' and 'unsafe-eval' let injected script run and defeat the XSS protection CSP exists for, so drop them or move to nonces/hashes as soon as your theme allows
set $CSP_style         "style-src 'self' 'unsafe-inline';"; # external CSS origins
set $CSP_font          "font-src 'self' data:;"; # external font origins (Google Fonts serves the files from https://fonts.gstatic.com)
set $CSP_frame         "frame-src 'self';"; # origins you embed in frames/iframes
set $CSP_object        "object-src 'self';"; # plugin content (Flash, Java, embedded PDF); use 'none' unless you really serve it
set $CSP_connect       "connect-src 'self';"; # XHR/fetch/WebSocket endpoints
set $CSP_media         "media-src 'self';"; # audio/video origins
set $CSP_form          "form-action 'self';"; # where forms on your pages may submit
set $CSP_frame_anc     "frame-ancestors 'self';"; # who may frame this site (CSP counterpart of X-Frame-Options)
# every directive set above must appear here, otherwise it silently falls back to default-src
set $CSP               "default-src 'self'; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object} ${CSP_connect} ${CSP_media} ${CSP_form} ${CSP_frame_anc}";
add_header Content-Security-Policy $CSP always;
add_header X-Content-Security-Policy $CSP always; # obsolete prefixed name used by old Firefox and IE 10; harmless, but no current browser needs it

Please see the comments in the configuration above.  Each external source is listed as an origin (scheme and host, e.g. https://www.google-analytics.com, or a wildcard such as https://*.googleapis.com), not as the full URL of the file you saw it load.  If a type of resource has no external sources, or there simply are none, leave well enough alone and keep the directive at 'self' so everything that is not allowed stays blocked 🙂  Before enforcing the policy, send it under the name Content-Security-Policy-Report-Only for a while: the browser then reports every violation in its console without blocking anything, which catches sources your inventory missed.
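Once the configuration is live, check what the server actually sends rather than what the file says.  The shell script below is an added example and not part of the original post: it takes a captured response header block, what curl -sI https://your.site/ returns, and reports missing headers, an HSTS max-age under a year, a script-src that still permits 'unsafe-inline' or 'unsafe-eval', a missing framing restriction, and an X-Robots-Tag that would de-index the site.  The two header blocks are constructed: one as a weak starting point, one as the output of the corrected configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a captured HTTP response header block
# against the headers configured above and flag settings that weaken the result.
# Both header blocks below are constructed; in practice use: curl -sI https://your.site/

BEFORE_HEADERS="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Robots-Tag: none
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"

AFTER_HEADERS="HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; frame-ancestors 'self';"

# header_value <raw headers> <name>  -> value of the first matching header (case-insensitive), or empty
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# audit_headers <raw headers>  -> one finding per line; prints nothing for a clean response
audit_headers() {
    hdrs="$1"

    hsts=$(header_value "$hdrs" "strict-transport-security")
    max_age=$(printf '%s' "$hsts" | sed -nE 's/.*max-age=([0-9]+).*/\1/p')
    if [ -z "$hsts" ]; then
        printf '%s\n' "MISSING Strict-Transport-Security"
    elif [ "${max_age:-0}" -lt 31536000 ]; then
        printf '%s\n' "WEAK Strict-Transport-Security max-age below one year: $hsts"
    fi

    case "$(header_value "$hdrs" "x-content-type-options")" in
        *nosniff*) ;;
        *) printf '%s\n' "MISSING X-Content-Type-Options: nosniff" ;;
    esac

    csp=$(header_value "$hdrs" "content-security-policy")
    if [ -z "$csp" ]; then
        printf '%s\n' "MISSING Content-Security-Policy"
    else
        # script-src decides whether injected script runs; 'unsafe-inline'/'unsafe-eval' neuter it
        script_src=$(printf '%s' "$csp" | tr ';' '\n' | grep -i 'script-src' | head -n 1)
        case "$script_src" in
            *unsafe-inline*|*unsafe-eval*)
                printf '%s\n' "WEAK script-src allows inline/eval, injected script will run:$script_src" ;;
        esac
    fi

    # framing must be restricted by X-Frame-Options or by CSP frame-ancestors
    if [ -z "$(header_value "$hdrs" "x-frame-options")" ]; then
        case "$csp" in
            *frame-ancestors*) ;;
            *) printf '%s\n' "MISSING clickjacking protection (X-Frame-Options or frame-ancestors)" ;;
        esac
    fi

    # "none" means noindex + nofollow: the whole site disappears from search results
    case "$(header_value "$hdrs" "x-robots-tag")" in
        *none*|*noindex*) printf '%s\n' "WARNING X-Robots-Tag de-indexes the site from search engines" ;;
    esac
}

printf '%s\n' "== before =="
audit_headers "$BEFORE_HEADERS"
printf '%s\n' "== after (no findings expected) =="
audit_headers "$AFTER_HEADERS"
```

The weak block produces five findings and the corrected block none.  The script only sees what the client received, so it also catches the inheritance trap described above: if a location{} block declared its own add_header, the headers from server{} vanish from the response and show up here as MISSING.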

Kevin Pirnie
22 Years of PC and server maintenance & over 17 years of web development/design experience; you can rest assured that I take every measure possible to ensure your computers are running to their peak potentials. I treat them as if they were mine, and I am quite a stickler about keeping my machines up to date and optimized to run as well as they can.