The internet requires more security – no doubt about that – but what can we (as loyal server administrators) do?
For example, we could have a look at the OWASP Header Project, which gives us some good hints on what to do to become more secure.
The OHP introduces several Headers:
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
If you want to find out what each of them does in particular, I recommend you start reading here.
So what do they do, how do you get them working in nginx, AND how do you maintain them?
I've created my "secure_headers" inc file for nginx, which can be included in your vhost configuration:
# Usage: include /etc/nginx/secure_headers.conf;

# HTTP Strict Transport Security (HSTS)
# https://scotthelme.co.uk/hardening-your-http-response-headers/#strict-transport-security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

# X-Frame-Options
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# recommendation but not realistic:
# add_header X-Frame-Options "DENY";
add_header X-Frame-Options "SAMEORIGIN" always;

# X-XSS-Protection
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
add_header X-XSS-Protection "1; mode=block" always;

# X-Content-Type-Options
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;

# Content-Security-Policy
# https://scotthelme.co.uk/hardening-your-http-response-headers/#content-security-policy
# recommendation but not realistic:
# add_header Content-Security-Policy "script-src 'self'";
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

# X-Permitted-Cross-Domain-Policies
add_header X-Permitted-Cross-Domain-Policies "none" always;
You can find the file in this GitHub project.
So you are able to include this file in your vhosts by adding this line to your vhost configuration:
include /etc/nginx/secure_headers.conf;
Verify the settings with the webmaster debug tools in your browser.
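Besides looking at the browser's debug tools, it is worth checking the headers from the command line so the check can be repeated after every config change. The script below is an added example and not part of the original post or of the secure_headers project: it parses a raw HTTP response (a constructed sample is embedded; in practice paste the output of `curl -sI https://your-host/`), checks that every header set in secure_headers.conf is present, verifies that the HSTS max-age is at least a year (the one-year threshold is an assumption, not something the post states) and that includeSubDomains is set, and flags the 'unsafe-inline' / 'unsafe-eval' sources that the author's "not realistic" CSP still carries.

```python
"""Audit an HTTP response for the hardening headers set in secure_headers.conf.

Added example, not part of the original post. SAMPLE_RESPONSE is a
constructed sample; replace it with the output of `curl -sI https://your-host/`.
"""
import re

# Constructed sample: status line and header block of an HTTPS response from
# a server that includes the secure_headers.conf shown above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
X-Permitted-Cross-Domain-Policies: none

"""

# Assumed minimum HSTS lifetime (one year in seconds); not from the post.
MIN_HSTS_MAX_AGE = 31536000

# Every header that secure_headers.conf adds.
EXPECTED_HEADERS = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "X-Permitted-Cross-Domain-Policies",
]


def parse_headers(raw):
    """Return a dict of lower-cased header name -> value from a raw response."""
    headers = {}
    for line in raw.split("\n")[1:]:      # skip the status line
        line = line.rstrip("\r")
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Extract max-age from an HSTS value; None when missing or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append("missing header: " + name)

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("HSTS: no max-age directive")
        elif age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age %d below %d" % (age, MIN_HSTS_MAX_AGE))
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    csp = headers.get("content-security-policy")
    if csp is not None:
        # These sources disable most of the XSS protection a CSP provides.
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append("CSP: contains " + weak)

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected nosniff, got " + xcto)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["all header checks passed"]:
        print(finding)
```

Run against the sample, the only findings are the two weak CSP sources, which is exactly the trade-off the config file's comments admit to; a response missing the include produces one "missing header" line per header, so the script doubles as a regression check after an nginx reload.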
Are you missing the HPKP header?
Since enabling HPKP requires some extra knowledge, we will cover this header in detail in another blog entry dedicated to HPKP.