The „owasp header project“ – an nginx guide to brilliance

The internet requires more security – no doubt about that – but what can we (as loyal server administrators) do?


For example – we could have a look at the OWASP HEADER PROJECT, which gives us some good hints on what to do to become more secure.

The OHP introduces several headers:

  • HTTP Strict Transport Security (HSTS)
  • Public Key Pinning Extension for HTTP (HPKP)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies

If you want to find out what each of them does in particular, I recommend you start reading here.


So what do they do – how do you get them working in nginx AND how do you maintain them?

I’ve created my „secure_headers“ include file for nginx, which can be included in your vhost configuration:


file: /etc/nginx/secure_headers.conf

# usage: add "include /etc/nginx/secure_headers.conf;" to each vhost (server block)
# note: the "always" parameter (nginx >= 1.7.5) also sends the header on error responses
# note: nginx only inherits add_header directives from the enclosing level when the
#       current level defines no add_header of its own, so a location block that
#       adds its own header must include this file again or it loses all of these

# HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

# recommendation but not realistic:
# add_header X-Frame-Options "DENY";
add_header X-Frame-Options "SAMEORIGIN" always;

add_header X-XSS-Protection "1; mode=block" always;

add_header X-Content-Type-Options "nosniff" always;

# recommendation but not realistic:
# add_header Content-Security-Policy "script-src 'self'";
# 'unsafe-inline' and 'unsafe-eval' re-allow inline scripts and eval(), so the
# policy below mainly restricts resource sources to https: and data:
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

add_header X-Permitted-Cross-Domain-Policies "none" always;

You can find the file in this GitHub project.


You can then include this file in your vhosts by adding this line to each vhost (server block) configuration:

include /etc/nginx/secure_headers.conf;

Verify the settings with the developer tools in your browser (look at the response headers of the page in the Network tab).
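Checking the headers by hand in the browser works for one vhost, but it is easy to miss one after a config change. The following is an added example (my own code, not from the post, the GitHub project or the OWASP project) that audits a set of response headers against the six headers in secure_headers.conf. It assumes Python 3.8+ with only the standard library; the per-header value checks mirror the post's config and are my assumptions, not an official OWASP rule set, and the two sample responses are constructed, not captured from a real server.

```python
# Added example: audit HTTP response headers against the post's secure_headers.conf.
# Assumes Python 3.8+, standard library only. Sample responses below are constructed.
import http.client
from urllib.parse import urlparse

# Minimal value check per header (assumption mirroring the post's config).
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-xss-protection": lambda v: v.replace(" ", "").lower().startswith("1;mode=block"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: "-src" in v.lower(),
    "x-permitted-cross-domain-policies": lambda v: v.strip().lower() == "none",
}
ONE_YEAR = 31536000  # seconds; a shorter HSTS max-age gives little protection


def merge_headers(pairs):
    """Dict keyed by lower-cased header name; repeated headers are joined with ', '."""
    headers = {}
    for name, value in pairs:
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_raw_headers(raw):
    """Parse a raw response header block (status line plus 'Name: value' lines)."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line, blank line or junk
        name, _, value = line.partition(":")
        pairs.append((name, value))
    return merge_headers(pairs)


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or -1 if it has none."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1


def audit(headers):
    """Classify each expected header as ok, weak or missing and add advisory notes."""
    result = {"ok": [], "weak": [], "missing": [], "notes": []}
    for name, check in EXPECTED.items():
        if name not in headers:
            result["missing"].append(name)
        elif check(headers[name]):
            result["ok"].append(name)
        else:
            result["weak"].append(name)
    hsts = headers.get("strict-transport-security")
    if hsts is not None and 0 <= hsts_max_age(hsts) < ONE_YEAR:
        result["notes"].append("strict-transport-security: max-age below one year")
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        result["notes"].append("content-security-policy: 'unsafe-inline'/'unsafe-eval' "
                               "re-allow inline scripts and eval(), little XSS protection")
    return result


def fetch_headers(url, timeout=10.0):
    """Live check: HEAD request to url, returning its response headers (not used offline)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        return merge_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: what a vhost that includes secure_headers.conf should return.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
X-Permitted-Cross-Domain-Policies: none
"""

# Constructed sample: a vhost where the include is missing or was overridden.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""

if __name__ == "__main__":
    import sys  # usage: python audit_headers.py https://example.com/  (no argument: sample)
    report = audit(fetch_headers(sys.argv[1]) if len(sys.argv) > 1
                   else parse_raw_headers(WEAK_RESPONSE))
    for kind in ("missing", "weak", "ok", "notes"):
        print(f"{kind}: {report[kind]}")
```

Run it against each vhost after every nginx reload; a header that shows up under "missing" on one location but not another is the typical symptom of a location block with its own add_header dropping the inherited set.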



Are you missing the HPKP header?

Since you need some extra knowledge to enable HPKP – we will drill down into this header in another blog entry dedicated to HPKP.

About the Author

Mike Schiessl
