kosinix/details.md

## details.md

      
    Raw
  

              details.md
            
          
    Securing NGINX

Hide nginx version

server_tokens off;

HTTP Strict Transport Security (HSTS) policy

HSTS is a security feature that ensures connections to your server occur only over HTTPS, thereby mitigating risks associated with protocol downgrade attacks and improving overall security by enforcing secure connections.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

X-Frame-Options

Tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
SAMEORIGIN - means that the page can only be embedded in a frame on a page with the same origin as itself.
add_header X-Frame-Options SAMEORIGIN;

X-Content-Type-Options

Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
add_header X-Content-Type-Options nosniff;

Referrer-Policy

Allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
add_header Referrer-Policy same-origin;

Disable weak encryption (including RC4 and 3DES encryption)

See https://www.ssllabs.com/ssltest/
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Content Security Policy

Allows all kind of content as long as its origin is self, inline, eval
add_header Content-Security-Policy "default-src 'self'; frame-src 'self' *.google.com; frame-ancestors 'self' *.google.com; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.jsdelivr.net *.cloudflare.com *.jquery.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; img-src 'self' data: ; font-src 'self' *.gstatic.com *.cloudflare.com; connect-src 'self';";

Permissions Policy

Allows all device perms as long as its origin is self
add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), speaker=(self), usb=(self), vibrate=(self), vr=(self)";

Testing


https://securityheaders.com
https://report-uri.com/home/generate
https://www.ssllabs.com/ssltest/


## nginx.conf
user  www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    server_tokens off;

    keepalive_timeout  65;

    #gzip  on;

    #Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy same-origin;
    add_header Content-Security-Policy "default-src 'self'; frame-src 'self'; media-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self';";
    add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), speaker=(self), usb=(self), vibrate=(self), vr=(self)";

    #Disable weak encryption (including RC4 and 3DES encryption)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    #include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
	user www-data;
	worker_processes auto;

	error_log /var/log/nginx/error.log notice;
	pid /var/run/nginx.pid;


	events {
	worker_connections 1024;
	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	#tcp_nopush on;

	server_tokens off;

	keepalive_timeout 65;

	#gzip on;

	#Security
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header Referrer-Policy same-origin;
	add_header Content-Security-Policy "default-src 'self'; frame-src 'self'; media-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self';";
	add_header Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), speaker=(self), usb=(self), vibrate=(self), vr=(self)";

	#Disable weak encryption (including RC4 and 3DES encryption)
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

	#include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}