In environments such as Deloitte's, where a site has to pass a strict security review, the security headers need more deliberate, fully specified parameters than a default Nginx installation sends.
Below are recommended values for each header, an explanation of what every parameter does, and the caveats to check before deploying them.
1. Strict-Transport-Security (HSTS)
Forces all communication with the site over HTTPS and blocks protocol-downgrade attacks: once a browser has seen the header it rewrites http:// links for the domain to https:// on its own and refuses to click through certificate errors.
Recommended value:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Parameter explanation:
- max-age=31536000: how long, in seconds, the browser caches the policy. 31536000 is one year, which is also the minimum the preload list accepts.
- includeSubDomains: applies the policy to every subdomain as well, so an attacker cannot use an unprotected subdomain (for example one that can set cookies for the parent domain) to get around it.
- preload: signals that the domain may be added to the HSTS preload list that is compiled into browsers, which closes the remaining gap on the very first, not-yet-cached visit. The header alone does nothing for this; the domain has to be submitted to the HSTS Preload List, and at submission time it must already be served with a max-age of at least one year and includeSubDomains.
Notice:
- Browsers ignore this header when it arrives over plain HTTP, so it must be sent from the HTTPS server block; the port 80 server block should only redirect to HTTPS.
- Preloading is effectively permanent, since removal from the list takes months to reach users. Make sure every subdomain really can be served over HTTPS before adding preload.
- The always parameter makes Nginx add the header on error responses (4xx, 5xx) too; without it, add_header only applies to 2xx and 3xx responses.
2. Content-Security-Policy (CSP)
Declares which sources the browser may load content from, which contains cross-site scripting (XSS) and other injection attacks: even if an attacker gets markup into the page, scripts from sources outside the policy do not run.
Recommended value (must be tailored to the application):
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
Parameter explanation:
- default-src 'none': the fallback for every fetch directive that is not set explicitly; nothing loads unless a more specific directive allows it.
- script-src 'self': only scripts from the site's own origin may run. Inline scripts and event-handler attributes are blocked as well, because 'unsafe-inline' is not listed; that is what makes the policy effective against XSS.
- style-src 'self': only stylesheets from the site's own origin; inline style attributes are likewise blocked.
- img-src 'self' data:: images from the site's own origin plus Base64-embedded data: URIs.
- font-src 'self': only fonts from the site's own origin.
- object-src 'none': no plug-in content (<object>, <embed>, Flash and the like).
- frame-ancestors 'none': the site may not be framed by any page, which prevents clickjacking. This directive supersedes the older X-Frame-Options header.
- base-uri 'self': restricts the URL the <base> tag may set, so an injected <base> cannot redirect relative script and form URLs to an attacker's host.
- form-action 'self': forms on the page may only submit to the site's own origin. This stops an injected form from sending user input elsewhere; it is not a CSRF defence, because a CSRF request originates from the attacker's page, not from yours.
Notice:
- The policy must match what the site actually loads, or it will break normal functionality. Deploy it first as Content-Security-Policy-Report-Only with a report-uri or report-to directive, review the violation reports, and only then switch to the enforcing header.
- If the site needs third-party resources (Google Fonts, a CDN), list that origin explicitly in the directive that covers the resource type, for example:
script-src 'self' <cdn-origin>; style-src 'self' <font-css-origin>; font-src 'self' <font-file-origin>;
(replace the placeholders with the real origins; Google Fonts serves the stylesheet and the font files from different hosts, so both style-src and font-src need an entry).
- Do not add 'unsafe-inline' or wildcard hosts to script-src; they undo most of the protection. If inline scripts cannot be removed, allow them with a per-response nonce or a hash instead.
3. X-Content-Type-Options
Prevents MIME-type confusion attacks by forcing the browser to honour the Content-Type response header instead of guessing the type from the content.
Recommended value:
add_header X-Content-Type-Options "nosniff" always;
Parameter explanation:
- nosniff: disables content-type sniffing, so a response is never reinterpreted as a type other than the one the server declared. A user-uploaded file served as text/plain, for example, cannot be executed as a script, and script and stylesheet responses are only used when they carry a matching MIME type.
4. X-XSS-Protection
Enables the browser's built-in reflected-XSS filter. Modern browsers have removed this filter, so the header only affects older ones.
Recommended value:
add_header X-XSS-Protection "1; mode=block" always;
Parameter explanation:
- 1: enables the filter.
- mode=block: when a suspected attack is detected the page is not rendered at all, instead of the browser trying to sanitise the offending script.
Notice:
- Chrome and Edge have removed their XSS filter and Firefox never implemented one, so CSP must be the primary XSS defence; this header is at best a fallback.
- The filter itself caused problems: it could be used as an oracle to leak information about the page (XS-Leaks) and it broke legitimate pages. Current hardening guidance therefore usually recommends sending X-XSS-Protection: 0 to switch the filter off explicitly. Keep the value above only if you have confirmed that your users' legacy browsers need it.
Other recommended security headers (optional):
1. Referrer-Policy
Controls how much of the current URL the browser sends in the Referer header on navigations and subresource requests.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
With this value, same-origin requests carry the full URL, cross-origin requests carry only the origin, and nothing is sent when going from HTTPS to HTTP, so paths and query strings (search terms, tokens in URLs) do not leak to third parties. It is also what current browsers use when no policy is set, so setting it explicitly mainly pins the behaviour for older browsers.
2. Permissions-Policy (formerly Feature-Policy)
Restricts which browser features (geolocation, camera, microphone and so on) the page and the frames it embeds may use.
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
An empty allowlist () disables the feature for the page and every frame in it. Features that are not named keep their default allowlist, so add an entry for each feature you want to lock down.
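The headers above combined into one Nginx configuration, added here as an example; it is not taken from the article, and the file paths, the server name example.com, the backend address and the /csp-report endpoint are assumptions. It shows the pitfall that a location block which sets its own add_header does not inherit any add_header from the server block (the usual reason a header is present on the home page but missing on an API path), and it stages CSP as Report-Only while the enforcing policy is being tuned.

```nginx
# /etc/nginx/snippets/security-headers.conf   (assumed path)
# Kept in one file so that every server and location block that needs the
# headers can include it. "always" sends them on 4xx/5xx responses as well.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
# Report-Only during rollout: violations are posted to /csp-report, nothing is
# blocked. Once the reports are clean, rename the header to
# Content-Security-Policy to enforce the same policy.
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report" always;

# /etc/nginx/sites-enabled/example.conf   (assumed path)
server {
    # Plain HTTP only redirects. Browsers ignore HSTS received over http://,
    # so there is no point sending the headers here.
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # assumed
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumed
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example;                                  # assumed

    # Headers for everything served by this server block ...
    include snippets/security-headers.conf;

    # ... except that this location declares its own add_header, which
    # discards every add_header inherited from the server level. The snippet
    # has to be included again, or API responses go out without HSTS, CSP,
    # nosniff and the rest.
    location /api/ {
        add_header Cache-Control "no-store" always;
        include snippets/security-headers.conf;
        proxy_pass http://127.0.0.1:8080;                   # assumed backend
    }

    # User uploads: same headers, plus an enforced policy that lets an
    # uploaded file render nothing active even if its type was misdeclared.
    location /uploads/ {
        include snippets/security-headers.conf;
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    }

    # Receives the CSP violation reports (handled by the application, assumed).
    location = /csp-report {
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, request a normal page, a 404, and a path under /api/ and compare the headers on all three; if the include in the /api/ location is removed, that path loses every security header while the others keep them, which is exactly the silent failure this layout is meant to avoid.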
Verifying the headers:
- Tool recommendations: check the live configuration with the following:
- Security Headers
- Mozilla Observatory
- curl: view the raw response headers with curl -I (a HEAD request) against the site's HTTPS URL. Check an error page (for example a 404) as well, because without the always parameter Nginx omits the headers on those responses, and check paths handled by a location block that has its own add_header directives, because such blocks do not inherit the headers set at server level.
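A small offline checker, added here as an example and not part of the article or of any of the tools named above, that applies this article's rules to a set of response headers: HSTS with a max-age of at least one year and includeSubDomains (and the preload requirements if preload is claimed), a CSP whose script-src has neither 'unsafe-inline' without a nonce or hash nor a wildcard host and which sets object-src 'none' and frame-ancestors, nosniff, and a Referrer-Policy. The two header sets at the bottom are constructed samples; fetch_headers uses only the standard library and is only called when a URL is passed on the command line.

```python
"""Audit HTTP response headers against the hardening rules in this article."""
import http.client
import re
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


def parse_csp(value):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (names lower-cased)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed.

    headers: mapping of header name -> value, names matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in directives:
            findings.append("HSTS: includeSubDomains missing")
        if "preload" in directives and (max_age < ONE_YEAR or "includesubdomains" not in directives):
            findings.append("HSTS: preload requested but preload-list requirements not met")

    csp = h.get("content-security-policy")
    if csp is None:
        ro = " (only Report-Only present)" if "content-security-policy-report-only" in h else ""
        findings.append("CSP: header missing" + ro)
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when not set, as browsers do.
        scripts = policy.get("script-src", policy.get("default-src", []))
        lowered = [s.lower() for s in scripts]
        if not scripts:
            findings.append("CSP: neither script-src nor default-src set")
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("CSP: script-src allows 'unsafe-inline' without nonce/hash")
        if any(s == "*" or s.endswith("://*") for s in scripts):
            findings.append("CSP: script-src contains a wildcard host")
        if policy.get("object-src", policy.get("default-src", [])) != ["'none'"]:
            findings.append("CSP: object-src is not 'none'")
        if "frame-ancestors" not in policy:
            findings.append("CSP: frame-ancestors not set (clickjacking)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: header missing")
    return findings


def fetch_headers(url):
    """HEAD request over HTTPS; returns the response headers as a dict."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed sample: the configuration recommended in this article.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "img-src 'self' data:; font-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'; form-action 'self';",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a typical weak deployment.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' https://*",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for finding in audit_headers(hdrs) or ["all checks passed"]:
        print(finding)
```

Run it with the site's HTTPS URL as the only argument, or with no argument to see the seven findings the weak sample produces. Like curl -I it only sees one response, so run it against an error page and against paths served by location blocks with their own add_header as well.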