NginX Security HTTP Headers to Prevent Vulnerabilities

Looking at the following websites:

The Mozilla Observatory

https://observatory.mozilla.org/

HTTP Headers That Protect Your Users

Hardening your HTTP response headers

That the following are advisable to be implemented:

Content Security Policy (CSP)

#add_header Content-Security-Policy “default-src https: data: ‘unsafe-inline’ ‘unsafe-eval’” always;
add_header Content-Security-Policy “default-src https:” always;

HTTP Strict Transport Security (HSTS)

#add_header Strict-Transport-Security “max-age=31536000; includeSubdomains” always;
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload;” always;

HTTP Public Key Pinning

add_header Public-Key-Pins “pin-sha256=‘X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=’; pin-sha256=‘MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=’; pin-sha256=‘isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=’; includeSubdomains; max-age=2592000” always;

X-Frame-Options

add_header X-Frame-Options “SAMEORIGIN” always;

X-Xss-Protection

#add_header X-Xss-Protection “1; mode=block” always;
add_header X-XSS-Protection “0” always;

X-Content-Type-Options

add_header X-Content-Type-Options “nosniff” always;

Removing “Server” Header

server {

server_tokens off;
}

Referrer-Policy

add_header Referrer-Policy “no-referrer” always;

Permissions-Policy (Feature-Policy)

#add_header Feature-Policy “camera ‘none’; microphone ‘none’; geolocation ‘none’” always;
add_header Permissions-Policy “camera=(), microphone=(), geolocation=()” always;

Federated Learning of Cohorts (FLoC)

add_header Permissions-Policy “interest-cohort=()” always;

Expect-CT (SSL Certificate Transparency )

add_header Expect-CT “max-age=86400, enforce, report-uri=“https://www.example.com/ct_report”” always;

Would it be wise to have them implemented in the next MIAB release in NginX config file?

I have tried adding on the above:

#Edit the Config
sudo nano +32 /etc/nginx/nginx.conf

#Check the config
sudo nginx -t

#Reload
sudo systemctl reload nginx

But still scoring D on

The headers used change based on what is being requested.

I just use curl to check headers.

$ curl -I https://box.example.com

You can see different headers with /admin, /mail/, and /cloud/index.php/login.

Should the “headers” for WWW side be set to prevent HTTP Security Vulnerabilities for all http services?