NginX Security HTTP Headers to Prevent Vulnerabilities

Looking at the following websites:

The Mozilla Observatory

HTTP Headers That Protect Your Users

Hardening your HTTP response headers

That the following are advisable to be implemented:

Content Security Policy (CSP)

#add_header Content-Security-Policy “default-src https: data: ‘unsafe-inline’ ‘unsafe-eval’” always;
add_header Content-Security-Policy “default-src https:” always;

HTTP Strict Transport Security (HSTS)

#add_header Strict-Transport-Security “max-age=31536000; includeSubdomains” always;
add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload;” always;

HTTP Public Key Pinning

add_header Public-Key-Pins “pin-sha256=‘X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=’; pin-sha256=‘MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=’; pin-sha256=‘isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=’; includeSubdomains; max-age=2592000” always;


add_header X-Frame-Options “SAMEORIGIN” always;


#add_header X-Xss-Protection “1; mode=block” always;
add_header X-XSS-Protection “0” always;


add_header X-Content-Type-Options “nosniff” always;

Removing “Server” Header

server {

server_tokens off;


add_header Referrer-Policy “no-referrer” always;

Permissions-Policy (Feature-Policy)

#add_header Feature-Policy “camera ‘none’; microphone ‘none’; geolocation ‘none’” always;
add_header Permissions-Policy “camera=(), microphone=(), geolocation=()” always;

Federated Learning of Cohorts (FLoC)

add_header Permissions-Policy “interest-cohort=()” always;

Expect-CT (SSL Certificate Transparency )

add_header Expect-CT “max-age=86400, enforce, report-uri=“”” always;

Would it be wise to have them implemented in the next MIAB release in NginX config file?

I have tried adding on the above:

#Edit the Config
sudo nano +32 /etc/nginx/nginx.conf

#Check the config
sudo nginx -t

sudo systemctl reload nginx

But still scoring D on

The headers used change based on what is being requested.

I just use curl to check headers.

$ curl -I

You can see different headers with /admin, /mail/, and /cloud/index.php/login.

Should the “headers” for WWW side be set to prevent HTTP Security Vulnerabilities for all http services?

This topic was automatically closed after 61 days. New replies are no longer allowed.