Nikola Lakic

Structural engineering student

Belgrade, Republic of Serbia

nikola@lakic.one


Social networks

@nikolal@social.privacytools.io

codeberg.org/nikolal




Securing your NGINX server with security headers

About:

In this article I will present configuration files for hardening your NGINX web server and some of the rationale behind them. These headers are for a static website which serves .html, .css and fonts from local storage, with no JavaScript and no cookies, which in my humble opinion is how simple static websites whose purpose is to serve some formatted text should be done.
Don't be lazy: if fonts and CSS are available for download, serve them from local storage. For that purpose there is a simple header (Content-Security-Policy, shown below) which ensures that all files are loaded locally and not from some malicious domain.

Websites for checking your webserver hardening:

There are websites which rate your header configuration just by entering your domain name; for lakic.one these are the ratings from the respective websites:

For page speed response I've tested with Google PageSpeed, and these are the results:

There may be better websites for a checkup; if there are, see the homepage for contact, I will read your suggestions.

Config files:

I like to keep additional config files in a separate folder and just load them into NGINX. You can do this by adding the headers.conf and compression.conf files to the /etc/nginx/conf.d folder. You then include these config files in your NGINX site config (e.g. mywebsite) by adding these lines to /etc/nginx/sites-available/mywebsite (note the trailing semicolons, NGINX rejects the config without them):
include /etc/nginx/conf.d/headers.conf;
include /etc/nginx/conf.d/compression.conf;

Two caveats: if your nginx.conf already contains include /etc/nginx/conf.d/*.conf; in the http block (the Debian/Ubuntu default), the files are loaded once at http level already and the second include in the server block would send every header twice, so in that case use a differently named folder or drop the server-level include. Also, add_header directives are inherited from the enclosing level only when the current level (e.g. a location block) defines no add_header of its own, so either include headers.conf where no other add_header appears or include it again in every such block. Check the result with nginx -t and curl -I.

For my website these are the loaded headers (lines in /etc/nginx/conf.d/headers.conf):

# HSTS for two years, subdomains included, eligible for the browser preload list
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff always;
# "none" equals "noindex, nofollow": search engines will not index the site at all
add_header X-Robots-Tag none;
add_header X-Frame-Options "SAMEORIGIN" always;
# Permissions-Policy is a structured dictionary: members separated by commas, no space before "="
add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(), payment=()" always;
# default-src 'self' is the fallback for every resource type not listed (fonts, images, connections)
add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; style-src-elem 'self';" always;
add_header Referrer-Policy "no-referrer" always;
add_header Onion-Location http://u5rv2ihmttpcltholr6b7k77jyomaq2jmaozmaq326id7j6jqjoofmqd.onion$request_uri;
# no-store already forbids caching, so the max-age here has no effect
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=31536000";

Short explanation of the headers (click on the links for more detailed ones):

X-XSS-Protection: Tells browsers that still ship a built-in XSS filter to block the page when a reflected cross-site scripting attack is detected.
X-Content-Type-Options: Prevents the browser from sniffing a file's content and overriding the declared MIME type.
X-Robots-Tag: Tells search engine bots which parts of the website they may crawl and index (none means noindex and nofollow).
X-Frame-Options: Prevents clickjacking attacks by refusing to load the page in a frame on another origin.
Permissions-Policy: Controls which browser features (camera, microphone, geolocation, ...) the page may use when someone visits your website.
Content-Security-Policy: Controls which resources the browser is allowed to load when someone visits your website.
Referrer-Policy: With no-referrer the browser sends no Referer header when a visitor follows a link out of your site, so the next site's analytics, caches etc. do not learn where the visitor came from.
Onion-Location: If someone visits your "clearweb" website with Tor Browser, it offers a redirection to the .onion version of the website.
Cache-Control: I can't explain this in a few words, better read about it yourself. Setting the Cache-Control header with only max-age made my website unavailable from Chromium based browsers. Maybe this is a feature?
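As an added example that is not part of the original post, here is a small Python audit that checks a set of response headers offline for the problems discussed above (missing headers, a short HSTS max-age, a CSP without default-src, a Permissions-Policy that is not a valid structured dictionary, and a Cache-Control where no-store cancels max-age). The two header dictionaries are constructed samples: AS_POSTED mirrors the headers.conf values above with the Permissions-Policy shortened to three features, and HARDENED is the corrected form.

```python
import re
# Added example, not the post's own code: audit a header set offline, roughly the way the
# rating sites mentioned above do (e.g. on `curl -sI https://host/` output parsed into a dict).
REQUIRED = {"strict-transport-security", "x-content-type-options", "x-frame-options",
            "content-security-policy", "referrer-policy", "permissions-policy"}
# One Permissions-Policy dictionary member: feature=(allowlist), no space before "=".
PP_ITEM = re.compile(r"^[a-z][a-z0-9-]*=\([^()]*\)$")
ONE_YEAR = 31536000

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = [f"missing: {n}" for n in sorted(REQUIRED - set(h))]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append("hsts: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts: missing includeSubDomains")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: must be nosniff")
    csp = h.get("content-security-policy", "")
    if csp and "default-src" not in csp:
        findings.append("csp: no default-src, so fonts, images and fetches are unrestricted")
    pp = h.get("permissions-policy", "")
    if pp:  # split on the dictionary separator; ";" separated or spaced members fail the regex
        bad = [m.strip() for m in pp.split(",") if not PP_ITEM.match(m.strip())]
        if bad:
            findings.append(f"permissions-policy: malformed member {bad[0]!r}")
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc and re.search(r"max-age=[1-9]", cc):
        findings.append("cache-control: no-store makes max-age meaningless")
    return findings

# Constructed sample 1: the headers.conf values as posted above (Permissions-Policy shortened).
AS_POSTED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "geolocation =();midi =();camera =();",
    "Content-Security-Policy": "script-src 'none'; object-src 'none'; style-src-elem 'self';",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=31536000",
}
# Constructed sample 2: the same policy with the syntax and fallback issues fixed.
HARDENED = {**AS_POSTED, "Permissions-Policy": "geolocation=(), midi=(), camera=()",
            "Content-Security-Policy": "default-src 'self'; script-src 'none'; object-src 'none'",
            "Cache-Control": "no-store"}
```

Running audit(AS_POSTED) reports the CSP, Permissions-Policy and Cache-Control findings, while audit(HARDENED) returns an empty list.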

About Onion-Location and how to set up a .onion mirror of your website I might write another post.

For overall compression these are the lines in /etc/nginx/conf.d/compression.conf:

# enable compression (nothing below takes effect without this, unless nginx.conf already sets it)
gzip on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
# text/html is always compressed; the other types must be listed explicitly
gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;
# compressing responses is safe here because the site sets no cookies and embeds no secrets (BREACH applies only when secret and attacker-controlled data share a compressed response)

Closing words:

These config files should help you, if not to secure your website, then at least to get some insight into where to dig to learn more about how to better secure your server and website.
I'm not a privacy/security expert but I'm willing to learn how to improve my setup. Feel free to contact me if you have any suggestions.