How to Harden your Nginx or Apache Server Configuration

What are HTTP security headers?

Whenever a web server answers a browser's request for a page, it sends HTTP response headers back along with the content. Headers such as Content-Encoding, Cache-Control and the status code carry metadata about the response; the security headers below are the subset that tells the browser how it may handle that content.

1. X-XSS-Protection

The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. Usually this filter is enabled by default. Internet Explorer 8+, Chrome, and Safari all support X-XSS-Protection. The following is an example of what the header looks like: X-XSS-Protection: 1; mode=block

Enable X-XSS-Protection in NGINX

add_header X-XSS-Protection "1; mode=block" always;

Enable X-XSS-Protection in Apache

Header always set X-XSS-Protection "1; mode=block"

2. Content Security Policy

Content Security Policy is currently supported by all major browsers. Sending the header to an older browser that does not understand it causes no problems; it is simply ignored. The main directives are:

  • default-src: defines the loading policy for every resource type that has no dedicated directive (the fallback).
  • script-src: defines which scripts the protected resource can execute.
  • object-src: defines from where the protected resource can load plugins.
  • style-src: defines which styles (CSS) the user agent applies to the protected resource.
  • img-src: defines from where the protected resource can load images.
  • media-src: defines from where the protected resource can load video and audio.
  • frame-src: defines from where the protected resource can embed frames.
  • frame-ancestors: specifies the valid parents that may embed the page using <frame>, <iframe>, <object>, <embed>, or <applet>.
  • font-src: defines from where the protected resource can load fonts.
  • connect-src: defines which URIs the protected resource can load using script interfaces.
  • form-action: defines which URIs can be used as the action of HTML form elements.
  • sandbox: specifies an HTML sandbox policy that the user agent applies to the protected resource.
  • script-nonce: restricts script execution by requiring the specified nonce on script elements.
  • plugin-types: defines the set of plugins the protected resource can invoke by limiting the types of resources that can be embedded.
  • reflected-xss: instructs the user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effect of the non-standard X-XSS-Protection header.
  • report-uri: specifies a URI to which the user agent sends reports about policy violations.
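As an added example (not code from the original post), this Python parser applies the fallback rule described above, that a fetch directive with no entry inherits default-src, and then lints a policy for the weaknesses a reviewer checks first. The two sample policies and the cdn.example.com host are constructed for the example.

```python
# Added example, not from the original post: parse a Content-Security-Policy
# header into its directives and flag settings that weaken its XSS protection.
from typing import Dict, List

# Fetch directives that fall back to default-src when they are not set
FETCH_DIRECTIVES = ("script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into a dict of source lists."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Apply the fallback rule: a missing fetch directive inherits default-src."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []  # non-fetch directives such as frame-ancestors have no fallback

def lint_csp(header: str) -> List[str]:
    """Return findings a reviewer would raise; an empty list means none were found."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without a directive are unrestricted")
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("script-src is unrestricted")
    scripts = [s.lower() for s in effective_sources(policy, "script-src")]
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows 'unsafe-inline', so injected inline scripts still run")
    if "*" in scripts:
        findings.append("script-src allows scripts from any origin (*)")
    if [s.lower() for s in effective_sources(policy, "object-src")] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can still be embedded")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: this policy does not restrict framing")
    return findings

# Constructed sample policies, not taken from any real site
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'; style-src 'self'"
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "object-src 'none'; frame-ancestors 'none'; report-uri /csp-report")
```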

3. X-Frame-Options

The X-Frame-Options header controls whether your pages may be loaded inside a frame on another site, which prevents clickjacking. Browsers that support it include Internet Explorer 8, Google Chrome 4, Mozilla Firefox 3, Apple Safari 4, and Opera 10.5. The following is an example of an X-Frame-Options header: X-Frame-Options: SAMEORIGIN

Enable X-Frame-Options in NGINX

add_header X-Frame-Options "SAMEORIGIN" always;

Enable X-Frame-Options in Apache

Header always set X-Frame-Options "SAMEORIGIN"

4. HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) tells web browsers to communicate with the web server only over HTTPS. This ensures the connection cannot fall back to an insecure HTTP connection that could be vulnerable to attacks. The header takes the following directives:

  • max-age: the number of seconds for which the browser should only talk to the site over HTTPS.
  • includeSubDomains: optional; all of the site's subdomains will also be protected by HSTS when this directive is set.
  • preload: optional; it allows the site owner to add the site to Chrome's "preload list", a list of HTTPS-only sites that is hardcoded into the browser.

Enable HTTP Strict Transport Security in NGINX

A few simple steps are all that is required to implement HSTS on your server. For information on configuring the web server to use this directive, see the instructions listed below.

Enable HTTP Strict Transport Security in Apache

<VirtualHost 0.0.0.0:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</VirtualHost>

Verify the header with curl:

curl -I https://alexbobes.com/main.css
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wednesday, 22 Jul 2022 04:07:45 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://alexbobes.com/main.css
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

5. Expect-CT

With the Expect-CT header, websites can report and optionally enforce Certificate Transparency requirements, preventing the use of incorrectly issued certificates. Activating this header tells the browser to check that the certificate appears in the public CT logs. The header is configured as follows:

Enable Expect-CT in NGINX

add_header Expect-CT 'max-age=604800, enforce, report-uri="https://alexbobes.com/learn"' always;

Enable Expect-CT in Apache

Header always set Expect-CT "max-age=604800, enforce, report-uri=\"https://alexbobes.com/learn\""

6. X-Content-Type-Options

This header stops browsers such as Internet Explorer and Google Chrome from MIME-sniffing a response and treating it as anything other than the type declared in the Content-Type header. Drive-by downloads become less likely, and the content is handled as its declared type. Example of what the header looks like: X-Content-Type-Options: nosniff

Enable X-Content-Type-Options in NGINX

add_header X-Content-Type-Options "nosniff" always;

Enable X-Content-Type-Options in Apache

Header always set X-Content-Type-Options "nosniff"

7. Feature-Policy

The Feature-Policy header can be used to allow or deny browser features in the page's own frame and in embedded content such as an <iframe>. It lets web developers control how browser APIs and web features behave by enabling or disabling them. The header looks like this: Feature-Policy: autoplay 'none'; camera 'none'

Enable Feature-Policy in NGINX

add_header Feature-Policy "autoplay 'none'; camera 'none'" always;

Enable Feature-Policy in Apache

Header always set Feature-Policy "autoplay 'none'; camera 'none'"
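To check that a server actually sends the headers from sections 1 through 7, here is an added example (not code from the original post) that audits a raw HTTP response: it parses the HSTS directives, requires the one-year minimum max-age that hstspreload.org demands for the preload list, and flags missing or weak values for the other headers. The sample response is constructed, not a real capture.

```python
# Added example, not from the original post: audit the security headers of a
# raw HTTP response against the settings recommended in sections 1 to 7.
from typing import Dict, List
PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts
# Constructed response, not a real capture; the short HSTS max-age and the
# non-standard X-Frame-Options value give the audit something to report.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600; includeSubDomains
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
Feature-Policy: autoplay 'none'; camera 'none'
"""
def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values, skipping the status line."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value: str) -> Dict[str, object]:
    """Read max-age plus the optional includeSubDomains and preload flags."""
    info: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in (t.strip().lower() for t in value.split(";")):
        if token.startswith("max-age="):
            info["max_age"] = int(token[8:].strip('"'))  # 8 == len("max-age=")
        elif token == "includesubdomains":
            info["include_subdomains"] = True
        elif token == "preload":
            info["preload"] = True
    return info

def audit(raw: str) -> List[str]:
    # One finding per weak or missing header; an empty list means every check passed
    h = parse_headers(raw)
    findings: List[str] = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts["max_age"] is None or hsts["max_age"] < PRELOAD_MIN_AGE:
        findings.append("HSTS missing or max-age below one year (not preload-eligible)")
    elif not hsts["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("content-security-policy", "x-xss-protection", "expect-ct", "feature-policy"):
        if name not in h:
            findings.append(f"missing {name}")
    return findings
```

Paste the output of `curl -I` against your own server into `audit()` to get the same report for a live configuration.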

8. Other Security Improvements for NGINX and Apache

Install ModSecurity for Your Web Server

Alex Bobes

Technology expert. I'm writing about Web 3.0, Crypto, Blockchain, AI, and other topics. We're now living in the age of the algorithm.