Don't be lazy: if fonts and CSS are available for download, serve them from your own server. For that purpose there is a simple header (Content-Security-Policy, below) which ensures that all files are loaded from your own domain and not from some malicious one.
Websites for checking your webserver hardening:
There are websites which rate your header configuration just by entering your domain name; for lakic.one these are the ratings from the respective websites:
For page speed I tested with Google PageSpeed, and these are the results:
There may be better websites for checking this; if you know of one, see the homepage for contact details, I will read your suggestions.
I like to keep additional config files in a separate folder and just load them into nginx. You can do this by adding
folder. You would include these config files in your NGINX site config file (e.g. mywebsite) by adding these lines in
For my website these are the loaded headers (lines in
# Note: without the "always" parameter nginx only adds a header to 2xx/3xx responses,
# so error pages (404, 500) would go out without it. Add "always" where that matters.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
add_header X-Frame-Options "SAMEORIGIN" always;
# Permissions-Policy is a comma-separated list of feature=(allowlist) entries;
# the semicolon/space form used originally is not what browsers parse.
add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(), payment=()";
add_header Content-Security-Policy "script-src 'none'; object-src 'none'; style-src-elem 'self';";
add_header 'Referrer-Policy' 'no-referrer';
add_header Onion-Location http://u5rv2ihmttpcltholr6b7k77jyomaq2jmaozmaq326id7j6jqjoofmqd.onion$request_uri;
add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=31536000';
A short explanation of each header; click the links for more detail:
X-XSS-Protection: Enables the browser's legacy filter against reflected cross-site scripting attacks.
X-Content-Type-Options: Prevents the browser from MIME-sniffing a response away from the declared content type.
X-Robots-Tag: Specifies which parts of the website search engine bots may crawl and index.
X-Frame-Options: Prevents click-jacking attacks by controlling who may embed your pages in a frame.
Permissions-Policy: Controls which browser features (camera, geolocation, etc.) may be used when visiting your website.
Content-Security-Policy: Controls which resources may be loaded from your website when someone visits it.
Referrer-Policy: Strips the referrer "content" carried over from the previous website when someone visits yours, such as caching and analytics data.
Onion-Location: If someone visits your "clearweb" website with Tor Browser, offers a redirect to the .onion version of the website.
Cache-Control: I can't explain this in a few words, better read it yourself. Setting the Cache-Control header with max-age only makes your website unavailable from Chromium-based browsers. Maybe this is a feature?
For Onion-Location and how to set up your .onion mirror of website I might write another post.
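To see whether a header set actually meets the checks described above, here is an added example (my code, not part of the original post) that audits a response header dictionary offline. The sample header sets are constructed from the post's own configuration and a weakened variant; note that it flags the post's Cache-Control, because no-store makes the max-age directive meaningless.

```python
"""Audit HTTP response headers against the hardening checks in the post above."""
import re


def _hsts_ok(value):
    # HSTS should cover at least a year and include subdomains.
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in value.lower()


def _csp_ok(value):
    # Parse "directive src src; directive src" into a dict of directive -> sources.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src", []))
    return bool(script) and "'unsafe-inline'" not in script and "*" not in script


# Header name (lower-case) -> predicate its value must satisfy.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": _csp_ok,
    "referrer-policy": lambda v: v.strip().lower() in ("no-referrer", "same-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: "=()" in v,  # at least one feature is fully denied
}


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in CHECKS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not ok(h[name]):
            findings.append(f"weak {name}: {h[name]}")
    cc = h.get("cache-control", "")
    m = re.search(r"max-age=(\d+)", cc)
    if "no-store" in cc and m and int(m.group(1)) > 0:
        findings.append("contradictory cache-control: no-store makes max-age meaningless")
    return findings


# Constructed samples: the post's header set (minus the non-security X-* headers) and a weak one.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Content-Security-Policy": "script-src 'none'; object-src 'none'; style-src-elem 'self';",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=31536000",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "all checks passed")
```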
For overall compression, these are the lines which are in
gzip_buffers 16 8k;
These are config files which should help you, if not to secure your website, then at least to give you some insight into where to dig to learn more about how to better secure your server/website.
I'm not a privacy/security expert, but I'm willing to learn how to improve my setup. Feel free to contact me if you have any suggestions.