A modern security configuration for nginx
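# TLS configuration is based on Mozilla's `modern` profile:
# https://ssl-config.mozilla.org/
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# improve TLS performance by enabling session reuse through the shared session cache;
# session tickets stay off, as in the Mozilla profile
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;

# only enable TLS 1.3 for best security; clients without TLS 1.3 support will fail the handshake
ssl_protocols TLSv1.3;
# the cipher suites for TLS 1.3 are all strong, so let the client choose: it knows best
# whether it has hardware-accelerated AES
ssl_prefer_server_ciphers off;

# enable OCSP stapling to convey certificate revocation information to visitors in a
# privacy-preserving, scalable manner
# https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
# NOTE: nginx needs a `resolver` directive to look up the OCSP responder's hostname, otherwise
# the response cannot be fetched; verify stapling works with `openssl s_client -status`.
# ssl_stapling_verify requires the issuer chain given in ssl_trusted_certificate.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

# hide the nginx version in the Server header and on error pages (the product name is still sent)
server_tokens off;

# NOTE: nginx inherits add_header from an enclosing level only if the current level (e.g. a
# location block) defines no add_header of its own. A location that adds even one header must
# repeat all of the headers below, or they are silently dropped for that location.

# TODO: adapt the CSP header to the site's needs
# only allow content that comes from the site's own origin (this excludes subdomains).
# frame-ancestors does not fall back to default-src, so it is set explicitly to match
# X-Frame-Options below.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# https://content-security-policy.com/
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self';" always;

# disallow other sites from loading this page inside a frame; prevents clickjacking in
# browsers that do not understand CSP frame-ancestors
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN" always;

# explicitly disable the legacy browser XSS auditor: it has been removed from current browsers
# and, where it still exists, can itself create XSS vulnerabilities in otherwise safe websites.
# a strong CSP policy (above) is the recommended approach to prevent XSS attacks.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-XSS-Protection "0" always;

# MIME types advertised in the `Content-Type` header must be followed and not guessed;
# prevents MIME type sniffing
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options "nosniff" always;

# don't send the Referer header for cross-origin requests
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy "same-origin" always;

# tell the browser to automatically upgrade all HTTP requests to HTTPS for two years.
# `preload` lets the domain be registered at https://hstspreload.org/; inclusion in the preload
# list is effectively permanent and covers every subdomain, so only add it once all subdomains
# are served over HTTPS.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# deny the use of browser features (Permissions-Policy is the successor of Feature-Policy)
# https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# https://www.permissionspolicy.com/
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()" always;

# catch-all server: block unknown hostnames, i.e. when the server is accessed by IP address.
# ssl_reject_handshake aborts the TLS handshake (no certificate is needed for this block) and
# 444 closes plain-HTTP connections without a response.
# requires nginx >= 1.19.4 and openssl >= 1.1.1j
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_reject_handshake on;
    return 444;
}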